Why EVERYONE is Resistant to Engaging in Security Practices and How to Fix It
It’s everyone. (It’s you too. Just read.) Security goes against our core beliefs. Security is not natural, it’s not normal, it means that we don’t trust others. However, we trust by default. Not trusting others is actually a learned behavior. Security means that you are aware that there are others out there that may choose you as their target. That’s not normal. It’s not natural. No one wants to think they are a target.
What’s normal is that we live happily ever after, we live together as one species in harmony. We trust each other, we are good to each other, we treat others as we want to be treated. We don’t hit, hurt, harm or take from one another. We are civilized creatures.
However, there is a small percentage of predators, uncivilized beings; we call them sociopaths, psychopaths, and hard-core narcissists. They are the criminal hackers, the serial killers, the rapists. They are a minority, and we choose to think they don’t exist. Or at least we deny they would choose us. We resist security practices because security goes against what it means to be a civilized being.
Therefore, in addition to the above, consumers (you) may be resistant to cybersecurity awareness training for several reasons:
1. Perceived inconvenience. Some may view cybersecurity training as an additional task or inconvenience, especially if they believe it interrupts their regular activities. Which is all nonsense. If you thought your bank was being targeted, would you do something about it? Of course. Beyond the perceived inconvenience, we are tired, lazy and selfish. That’s actually normal too.
2. Lack of perceived relevance. Some individuals may not see the immediate relevance of cybersecurity to their daily lives, leading them to ignore or resist training efforts. This is frustrating for your IT directors, and it is also frustrating for your government, which sees you and me as part of the problem regarding our critical infrastructure being vulnerable. Cyber security is relevant if you want to keep the lights on, have clean water, and heat your home.
3. Overwhelm. The complexity of cybersecurity topics can overwhelm consumers, making them feel incapable of understanding or implementing the necessary precautions. I blame pretty much every cyber security awareness training company out there. It’s not all about phishing simulation training. None of these companies have a clue when it comes to teaching individuals about risk. It’s not “do this, don’t do that”; they have forgotten what it means to be human.
4. Denial. Some people may deny the importance of cybersecurity or believe that they won’t be targeted by cyber threats, leading them to dismiss training efforts. Denial is more natural and more normal than recognizing risk. Denial is comfortable, it’s soothing, and it allows us to avoid the anxiety of “it really can happen to me.”
5. Fear of technology. Individuals who are not confident in their technological abilities may feel intimidated by cybersecurity training, leading them to avoid it altogether. This, of course, makes total sense. How many times have you gone in a vicious circle, a constant loop of not being able to log into an account because of two-factor authentication not working or something else out of whack? Technology can be frustrating. If security is not easy, people aren’t going to do it.
6. Lack of awareness. Some consumers may simply not be aware of the risks posed by cyber threats, leading them to underestimate the importance of cybersecurity training. This is a real problem. This lack of attention to what your options are regarding anything security-related is common. Part of that lack of awareness stems from disbelief that these things can happen to us, denial that we can be targeted, and a relative “pacifist” attitude.
Addressing these barriers requires organizations to tailor their cybersecurity awareness training programs to be engaging, relevant, and accessible to all consumers. This can involve using clear language, providing real-life examples, and offering support for individuals who may struggle with technology or cybersecurity concepts. It also means getting “real”. And cyber security awareness training companies aren’t going to do that, nor are their two-dimensional employees, and most of them don’t have the ability to get down and dirty and speak “holistically” about life and security in the same sentence.
Encouraging computer users to engage in cybersecurity awareness training involves several strategies:
1. Relevance. Highlight the relevance of cybersecurity to their personal and professional lives. Emphasize how it can protect their data, finances, and privacy.
2. Interactive Training. Offer engaging and interactive training modules that include simulations, quizzes, and real-life scenarios to make the learning experience more enjoyable and practical.
3. Incentives. Provide incentives such as certifications, badges, or rewards for completing cybersecurity training. Recognition for their efforts can motivate users to participate.
4. Customization. Tailor training content to the specific needs and interests of different user groups. For example, employees in finance may require different training than those in marketing.
5. Regular Updates. Keep the training content up-to-date with the latest cybersecurity threats and best practices. This demonstrates the importance of ongoing learning in an ever-evolving digital landscape.
6. Leadership Support. Gain support from organizational leaders and managers to promote the importance of cybersecurity training. When leadership emphasizes its importance, employees are more likely to prioritize it.
7. Accessibility. Make training accessible by offering multiple formats such as online courses, in-person workshops, and mobile-friendly materials. This accommodates different learning preferences and schedules.
8. Feedback and Support. Provide avenues for users to ask questions, seek clarification, and provide feedback on the training materials. Addressing their concerns and offering support can increase engagement.
By implementing these strategies, organizations can create a culture of cybersecurity awareness where users are motivated and empowered to protect themselves and their data online.
Robert Siciliano CSP, CSI, CITRMS is a security expert and private investigator with 30+ years of experience, #1 Best Selling Amazon author of 5 books, and the architect of the CSI Protection certification, a Cyber Social Identity and Personal Protection security awareness training program. He is a frequent speaker and media commentator, and CEO of Safr.Me and Head Trainer at ProtectNowLLC.com.