HealthTech Magazines

Insight View of Healthcare IT Professionals

Are we missing the opportunity to empower and engage our teams and clients to spearhead our cyber security?

Andreas Heckel

It’s a common misconception that cyber security is all about technology. Technology is obviously a massive part of cyber security, but alone it is not enough to protect us from modern cyber threats.

Cybercriminals regularly exploit the human element, and cyber resilience can be achieved by focusing on changing people’s behaviour.


For decades, cybersecurity has been described as a people, process and technology topic. While the process and technology angles are much better understood these days, many of us still do not feel comfortable when it comes to people and human cyber risks.

People can be internal and external teams, or customers and clients. We invest in training & awareness and in this way fulfil our regulatory obligations. But do we achieve anything with these investments? Do we change the behaviours we want to address, and do we lower the human cyber risks with our investments?


Behaviour change is not easy, and most training & awareness campaigns fail because they focus only on the symptoms while leaving the root cause (behaviours) aside.

We humans are creatures of habit and influence, and changing our behaviours is sometimes hard and complex. I strongly believe that tackling this challenge is absolutely worth it.


In doing so, we can empower our people to protect themselves online, offline, at home and at work, and in this way make this world a cyber-safer place overall.


Why are we doing certain things? For example, why do people fall for a phishing attack?


To answer this question, we first need to look at the capabilities of the people in scope. Is she/he capable, and does she/he have the skills to fulfil a task? Skills such as creating a secure password or detecting phishing indicators are to be considered, for example. It becomes very obvious that such skills can be addressed with training and education.


The second element to look at is the environmental situation. Can she/he act in a secure manner? Does her/his work environment, in the office or at home, foster secure working? Does the person have to share an IT system? The social environment also matters: it consists of social and cultural influences on behaviour, such as social pressure from peers and management in the workplace or while working from home. Is that why people click on spear phishing attacks when put under time pressure?


The third element is about our motivation and how we take decisions. We all rely on hundreds of biases.

They help us to speed up the processing of the vast array of information we handle daily, but at the same time they often lead us to undesirable behaviours, such as opening an attachment we know we shouldn’t or clicking on links instinctively. For example, we tend to listen to information that confirms our preconceptions – a shortcut referred to as confirmation bias.


If you want to better understand why your teams & clients do certain things, and ensure that your remediation & education investments in human cyber risks pay off, you need to start focusing on all three elements mentioned above.

We here at cybovate can help you get the understanding (step 1), the appropriate solution design (step 2) and the recurring measurement (step 3) right from the start, ensuring that you address the behaviours you want to address and, as a result, lower your human cyber risk exposure.
