Human behaviour & maintaining a cyber security mindset
Investigations into factors affecting cyber security have shown that when it comes to maintaining security in cyberspace, human behaviour tends to be the weakest link. Companies often have compliance strategies and systems for their shore personnel and vessel crews, but – as we know – being compliant is not necessarily synonymous with being secure. This is partly because security is situation-dependent and can therefore only be maintained by taking the right action at the right time. In addition, maintaining secure conditions requires adequate resources, knowledge, motivation, and an attitude that helps promote security. Even if we provide personnel with all the right resources, will we succeed in helping personnel and crew members sustain the optimal mindset for maintaining cyber security?
- Perceived behavioural control: Do the personnel and crew feel that they are able to follow instructions? Do they have the right knowledge and tools? Do they feel that maintaining cyber security is part of their role in the company?
- Attitude: What attitudes are there in the company towards cyber security? Is it deemed important? Company culture affects individual attitudes.
- Subjective norms: Some team members acting in a certain way can cause others to follow their lead. For example, if several members upgrade their computer system every second week, other team members will experience social pressure to do so regardless of whether or not it is a written rule. If the social rules seem logical to individuals, the chances are even greater that each person will follow suit.
The instructions, attitudes and social rules lead to intentions that in daily work become actions. These actions, in turn, represent the cyber security behaviour of a company.
What can be done to encourage the right behaviour?
- Communication. Communicate with all employees in the company with clear and up-to-date information.
- Cyber security culture. Include a cyber security perspective in company working culture: facilitate discussion workshops and leader development, and streamline communication from a cyber security point of view.
- Updates on the intranet or other internal company channels. Highlight the importance of cyber security regularly on the intranet or through other internal channels.
- Training in known real situations. Make sure that cyber security training is anchored in practical daily working tasks.
- Memory support. Visual training is good for spreading awareness. Storytelling is a good way to support memory. Crowd-source and share cyber security-related work experiences among employees.
- Regularity. It is not enough to remind your personnel and crew once a year about the existence of cyber security. Integrate cyber security information into daily routines to boost awareness.
- Practical guidelines. Compile a simple list of cyber security best practices for the personnel and crew. Include instructions for exactly what to do as well as how and when to do it.