December 2017 - Cybersecurity | Company Security

The Human Element of IT Security Transcript

Human behavior can undermine the development of an effective IT security culture in companies at home and abroad. In particular, cultural differences in the approach to IT security must be taken into account in order to mitigate possible risks.

DOTMAGAZINE: How would you describe the relationship between human behavior and IT security?

ANGELA BAUDACH: Humans should be protected through IT security. We have all these technical measures in place which can help humans. However, in the end, it's always the human who decides – it's the human who acts and who clicks on links or downloads things. This is why people need to think about what they’re doing. So you have many interaction points between humans, technology, and IT security.  

DOT: When we say “different countries, different customs” – to what extent does the intercultural context play a role in a company's IT security strategy? 

BAUDACH: So it's all about how people protect themselves. For example, in Germany, we have many rules and regulations. We always have rules for how to behave in an emergency situation, for example. However, in other countries, we have fewer rules and regulations – they have different mechanisms. For example, they are using hierarchy, which means doing what the manager says or they just react in an emergency and call someone they know who can help. They do not write these rules and regulations down, and we need to consider this when we are developing and deploying security awareness programs.

DOT: Intercultural context as a starting point for the development of a customized IT security strategy. Can you give me examples? 

BAUDACH: Security strategy always includes the humans – we talked about that in the first question. In the end, it's the human who decides and we need to communicate to the humans our security measures. So we have all these technical measures, but the human does not really understand them or maybe simply does not know why he or she can't display the picture in the email. And it's something really disturbing for the employee, when he tries to work. This is why we need to communicate these measures, and we need to communicate it to all employees in big global companies. The employees are maybe from different countries, and we need to consider their different communication style in order to be successful. For example, when we are doing a post, we need to consider different colors. In Germany, for example, we have green as a color which stands for fresh, healthy, and the environment. However, in countries with jungle, green is more likely to be dangerous, and thus it creates different feelings. So we need to consider this when we are planning different security measures. 

DOT: Can you give me some concrete examples? Let’s say from your daily work?

BAUDACH: Okay. Another example of where cultural communication went differently. We did a questionnaire in order to check how the awareness of IT security is and there was one question, we asked people in Dubai, which was, “Do you know the policies?”, and everyone said, “Yes, I know the policies and I know what is written in there”. Another question was, “Do you know where to find the policies?”, and everyone said, “No, I don't know”. So that was really confusing for us, from a German point of view, because how can you know what is written in the policies, if you don't know where to find them? We went to the people and asked them, “Okay, how does it work?”. In Dubai, the hierarchy is very strong, so people get informed by their managers regarding policies and respective changes. The managers just told them, “Okay, these are the policies”, so that employees knew what the rules were and how to behave.

DOT: Do you see cultural differences in the way individuals deal with, for example, data privacy?

BAUDACH: Yes, there are many cultural differences. Germans are very careful with their private data. We are also aware that we do not spread our data everywhere. However, in other countries, people use social media in a very different way. I have many friends from Asia and I'm always fascinated with what they are posting on their social media channels. For example, they post many pictures of children or selfies, showing where you are, showing what you have, what you know, and who you know. They posted pictures of me from five years ago, so that they can say, “You know, I have a German friend” and the behavior there is very different.

DOT: What approaches are needed to sensitize employees from other cultural areas towards cyber dangers?

BAUDACH: You can use the same measures as you use in your home country. However, the point is that you need to adjust them because not all of them work as they are working at home. So the first thing to do, if you want to change the behavior of employees, you need to change their company culture. This means your measure should be tailored towards the company. You should use their logo. You should make clear from whom the message comes, and in many cases, you need to adjust the measures. For example, in Germany, communication is very direct, but in other countries, it’s not. Communication should always be done by the people who know the culture. Therefore, it's easy to get an employee of a subsidiary who is translating the material, and who is doing the training because they know best how to communicate in this cultural context. The most important thing is that you know yourself – you know how or what is special about your own culture, and how others interpret it, and how they feel about it. Only then can you know what it is exactly that is strange for them. When I'm having all these rules and regulations, for example, I don’t need to make a book of rules out of it, but rather visualize what happens when you're clicking on a link, and not just say “don't click”.

Angela Baudach is a security awareness consultant at DXC Technology. She supports various international customers in building their awareness programmes, starting with an investigation and advancing to the development of measures, implementation, and evaluation as an ongoing process. She thus constantly experiences the importance of intercultural aspects and how to deal with them. During her studies, Angela was already keenly interested in Security Awareness and intercultural aspects. As such, she wrote her thesis about international security awareness programmes. Within the thesis, she investigated the influence of national culture on the design of security awareness programmes with respect to different security awareness measures. Her thesis received two awards: from the Competence Center for Applied Security Technology and from Deutsche Telekom AG.

Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.