How to use knowledge to foster a cybersecurity awareness culture

Laura Bishop
4 min read · Jun 13, 2022


What is cybersecurity awareness?

Awareness is a big term in the cybersecurity world, but what is it that we are actually talking about? To be aware is to hold knowledge and understanding around a situation or fact. So, when we say we want to increase cybersecurity awareness what we are actually saying is we want the organisation and its employees to become more informed about current risks, and what needs to be done to protect the organisation from these risks.

The cybersecurity landscape can be very dynamic in nature. Many aspects do remain stable but regular changes to risk occur through developments in technology, shifts in employee perceptions, modifications in offender tactics and even through natural employee attrition. It is these adaptations to risk that make the maintenance of cybersecurity awareness so challenging.

How to improve and maintain cybersecurity awareness

Awareness is centred around knowledge, and this knowledge needs to be current. It is not good to be aware of old risks, or old solutions to risks.

It has been suggested that there are three critical aspects to maintaining employee awareness:

  1. Current and consistent awareness and training programmes;
  2. A knowledge-sharing culture;
  3. Motivation for collaboration.

Organisations must establish a culture whereby knowledge is learned, shared and used in an open and supportive environment.

But what actually is knowledge? If you do a quick internet search on the different types of knowledge it is hard to not become perplexed by the varying ways in which knowledge is described and categorised.

Organisations need to be given a more parsimonious view of knowledge and the different ways in which it can flow in, out and around their business.

A simplistic view of knowledge

  1. Knowledge can be implicit or explicit: the former resides in the mind, the latter is outwardly communicated, e.g. in policy.
  2. Knowledge can be either declarative or procedural/tacit: the former is knowledge that can be articulated; the latter can only be learned through the experience of doing or observing.

How does knowledge relate to a cybersecurity awareness culture?

For an awareness culture to succeed, knowledge needs to be actively shared. It is not enough to deliver an annual awareness training course and assume your organisation is “aware” all year around.

For knowledge sharing to be successful it requires two trading actions, the donation of information to others as well as the harvesting of required information others may possess.

Knowledge sharing is therefore not about the creation of subject matter experts but about providing all employees with an equal voice helping evolve universal wisdom.

1. Implicit knowledge: It is self-contained, but it can be described if requested. The sharing of knowledge held in the minds of your employees should be encouraged through collaborative meetings and online portals. People should be given a way to fill gaps in the knowledge of others, reducing knowledge hoarding.

2. Explicit knowledge: The knowledge held in security policy and awareness programmes needs to be easily digestible in order for it to be effectively shared. It also needs to be continually optimised and updated, for example through a feedback process that uses the knowledge of employees to inform its usability.

3. Declarative knowledge: Declarative knowledge can be articulated, at the moment largely through awareness training. However, a knowledge-sharing culture should encourage this knowledge to continue its journey after training, by sharing new learnings with others who perhaps have not attended training recently.

4. Procedural/tacit knowledge: Procedural/tacit knowledge cannot be easily explained; it needs to be learned through experience and observation. For example, riding a bike starts with declarative instructions, but the actual activity is so complex that it cannot be performed without gaining personal experience. If employees are not given the opportunity to practise the knowledge learned in training, or to observe it in others when working from home, those more complex tasks are unlikely to become a habit.

The key message from this?

SHARE — LISTEN — SHOW — OBSERVE

Employees need to be motivated to continually share knowledge with others, and where knowledge is explicitly held it needs to be regularly reviewed by listening to the knowledge employees possess. Where knowledge can be articulated, sharing it should be encouraged; where it can only be learned through observation or experience, the relevant opportunities must be provided for employees to build that more complex knowledge.

There are many potential barriers to knowledge sharing, including competition amongst employees (e.g. for promotions or bonuses). Employees are unaware of the wealth of knowledge they possess, as well as of the gaps in their own knowledge that need to be filled.

If cybersecurity awareness is to be truly achieved, organisations should therefore provide the tools and opportunities required to motivate knowledge sharing and make it easy for knowledge to flow naturally through their business.

To see how the OutThink Cybersecurity Human Risk Management platform raises awareness, drives more secure behaviours and increases motivation across the organisation, watch a product overview video or book a demo.


Laura Bishop

Director of Human Risk Science at OutThink, completing a PhD in Cyberpsychology with Cardiff University and Airbus