This article was first published at Inside IT (in German) as part of Switch's #Security column. The column appears six times a year. Experts from Switch independently express their opinions on topics relating to politics, technology and awareness of IT security.
People create Security
Establishing a culture of security is the declared goal for many CISOs, but how can this be achieved in practice? The first advanced training course to impart interdisciplinary knowledge in the areas of cyber security, behavioural psychology, adult education and communication will start in January 2025. The CAS Cyber Risk Awareness at the ZHAW puts people at the centre of security - and there are good reasons for this.
Technical knowledge is firmly anchored in the IT security industry. Experts are very familiar with the complex systems and diverse threat scenarios. However, there is often a lack of an equally important aspect: dealing effectively with people and organisations. This is astonishing, as 68% of security breaches are caused by people who have no malicious intent but have, for example, fallen victim to a social engineering attack or made a mistake. This fact emphasises the urgency of taking the human factor more seriously in cyber security.
The ENISA Threat Landscape Report 2023 confirms this finding. One of the main conclusions is that social engineering campaigns in various forms pose a significant threat to internet users. What is particularly worrying is that with the rise of generative artificial intelligence (GenAI), this threat continues to grow. Criminal organisations are increasingly using sophisticated methods to manipulate people in a targeted manner.
These developments clearly show that technical solutions alone are not enough. It is essential to understand and specifically address the human factor. This is the only way to protect organisations against increasingly complex threats.
People at the centre of cyber security
Organisations are faced with the challenge of making their employees aware of cyber risks and enabling them to behave securely in the digital space. IT security is no longer the sole domain of technical departments. All employees, from management to interns, play a crucial role in protecting against cyber attacks.
It is becoming increasingly clear that the "human factor" in information security is not only a potential risk, but also a resource that needs to be strengthened. This is where the new continuing education programme at the ZHAW School of Management and Law comes in. The CAS Cyber Risk Awareness (in German) aims to promote a security-oriented corporate culture by teaching participants in a practical way how they can positively influence behaviour in their organisation. The teaching language of the CAS Cyber Risk Awareness is German.
Human-centred security is interdisciplinary
Until now, most further education courses in information security have had a more technical focus, which is why we have designed a new CAS with Professor Nico Ebert from the ZHAW that closes this gap and focuses on human-centred security.
The CAS Cyber Risk Awareness provides targeted knowledge on how organisations can strengthen their security culture by initiating behavioural changes among their employees. The Cyber Risk Awareness Framework, which is derived from the St. Gallen Management Model, serves as the basis for the curriculum.
The course is divided into several modules that systematically build on each other. The first module deals with the design of awareness measures. Here, participants learn how to create an awareness of cyber risks in their organisation and how to design security processes in such a way that they are manageable for people. The second module focuses on the practical implementation of these measures. Specific tools and methods are taught to positively influence employee behaviour and ensure that security guidelines are not only understood but also implemented.
Changing behaviour is complex
Convincing people to change their behaviour, especially in the context of cyber security, is a complex task. People perceive risks differently and their actions are often influenced by habits, unconscious attitudes and other factors.
Let's take the different factors that influence reporting behaviour in organisations as an example: Factors such as time, the user-friendliness of reporting systems and the fear of personal consequences for reporting one's own error play a major role in whether or not employees report safety-related incidents. If they also feel that their reports are not taken seriously or do not lead to any changes, their willingness to report future incidents decreases.
This blog article uses influence diagrams to visualise why it takes more than a one-off request to report security incidents. Reporting behaviour - as this example shows - depends on many factors, and to establish a desired target behaviour, a basic understanding of behavioural psychology is crucial.
Promoting a safety-orientated corporate culture
A security culture is the declared goal for many CISOs. The CAS Cyber Risk Awareness is designed to provide the necessary tools to successfully pursue this path. Practical knowledge enables participants to develop, evaluate and continuously improve customised awareness concepts with well-founded measures. Targeted sensitisation and training of all employees creates the basis for a resilient organisation.
Further information
https://www.zhaw.ch/de/sml/weiterbildung/detail/kurs/cas-cyber-risk-awareness/ (in German)
Info webinar CAS Cyber Risk Awareness
On Tuesday, 1 October, 12:00 - 13:00, we will present the new CAS Cyber Risk Awareness and answer your questions.
To register for the webinar: https://www.zhaw.ch/de/sml/weiterbildung/event/event-news/infoveranstaltung-cas-cyber-risk-awareness/ (in German)
Cyber Security
