Understanding the role of human behaviour in cybersecurity

Oz Alashe, CEO and founder of CybSafe.

As a former army officer and UK Special Forces volunteer, Oz Alashe gained a unique understanding of human behaviour. Together with his leadership expertise, he brought this knowledge into the CyberTech space and founded CybSafe, a cybersecurity company focussed on the “people component” of cybersecurity.

The progression from a military career into the CyberTech space may not first appear an obvious transition. But for Oz Alashe MBE, CEO and founder of CybSafe, his experience serving in countries around the world fostered his understanding of information security and cybersecurity.

CybSafe is a cybersecurity software company that is “laser focused” on the human aspect of cybersecurity. Its software is designed to help people make better cybersecurity decisions, influence cybersecurity behaviours and empower organisations to understand the risks they carry as a result. The company recently raised $28m in Series B funding.

Alashe is a former army officer, commissioning into the parachute regiment after attending The Royal Military Academy of Sandhurst. He served for 17 years, in a variety of places around the world, even volunteering for the UK’s Special Forces, before retiring as a Lieutenant Colonel.

“I loved every second of it,” Alashe said, “It’s a great place to learn about oneself, other people, and what it means to serve. I also came to understand that leadership is really all about service. I also got to see some incredible parts of the world, chasing unpleasant people and trying to persuade them to be slightly less unpleasant.”

During his years serving, Alashe said he spent time trying to look after information and data and finding people who didn’t want to be found. “The way in which you do so quite often involves digital standpoints; understanding how they expose themselves digitally, or maybe give away information or locations that they shouldn’t. All of that blended together means I have a really good understanding of information security and cybersecurity.”

The people pillar

When Alashe left the military, he joined an organisation set up by some friends in an early-stage company that was looking to improve capacity capability and intelligence and cyber resilience. He said it became increasingly clear that everyone is paying lip service to what he calls “the people component.”

Cybersecurity is an incredibly important issue for our society today, Alashe continued, everything we do is being increasingly digitised and interdependent, and that is not going to slow down. However, when it comes to the people component, the industry is guessing.

“We are guessing or hoping, which is even worse, that if we train people that will reduce the risk we carry. Actually, there is no evidence to suggest that training people, for example by making them complete mandatory training or even phishing simulations, actually reduces the number of incidents that an organisation has or reduces the risks they face.”

Alashe outlined the three pillars of security: people, process, and technology. “We need to do more on the people’s side. I realised no one was doing it,” he said. “More importantly, I realised I knew the people who could help do so because they have done it elsewhere.”

Alashe said that data scientists have for some time examined the mechanisms of human behaviour, and this information has been put to use in other industries. “You only have to look at wellness tech and healthtech to see how that’s being done. Smoking apps for example, are rather effective at helping people stop smoking. We’ve just gone through a long period of trying to get people to wear masks and stay away from each other. All of these things are being applied in other fields, but not in security.”

Behavioural change

The CybSafe founder said that behaviour change is a combination of restraining and driving forces. Incentivising good behaviour is a driving force and removing the reasons why people aren’t doing it in the first place, is removing the restraining force. Alashe said successful behavioural change is about doing both.

Of the three pillars of security, Alashe said that human behaviour is arguably the one that matters the most. “We can know as much as we want, but if it doesn’t influence what we actually do, it doesn’t make a difference.” Just because a decision or behaviour is the rational and sensible one, does not mean that we will engage in it. “Many of our human behaviours are not rational, we often make the mistake in thinking that the rational decision is the one that is likely to occur, but the study of behavioural science suggests otherwise.”

So how can changing human behaviour impact cyber risk? According to Alashe, understanding how people will behave and how we can influence people’s security behaviours, will help us understand how we can reduce the risk an organisation carries. Most organisations recognise that the majority of the cyber incidents and breaches that take place have some form of human interaction, and some will go as far to say they occurred due to a human mistake.

“If we could get more people to be careful before they clicked on links, for example, we can reduce risk.” This sounds simple enough, however, Alashe pointed out that most of us work in jobs where you need to click on links from people that you have never met before, so simply telling people not to click on links is not going to be helpful.

Another example is getting people to change the default passwords on their Wi-Fi routers at home, privacy settings on social media, clearing one’s desk before leaving a co-working space. “All of these things are security behaviours. And we at CybSafe have spent the last two and a half years cataloguing every single security behaviour and relating it to cyber risk. We have built the world’s most comprehensive security database,” Alashe said.

Traditionally, the industry has had somewhat of a surface level response to human behaviour, by requiring employees to complete cybersecurity training for example. Alashe said however, if an organisation can gain a deeper understanding of why people behave the way they do, they will be better placed to encourage safer behaviours. The link between people and behavioural science in CyberTech has historically not been well understood, but Alashe said this is improving. “There has been a significant increase in the number of organisations who understand that it is not just enough to provide information and try to educate, you have to change and influence behaviour.”

A culture of leadership

Alashe said his time serving in the military provided him with many lessons about human behaviour, which in turn informed the founding of CybSafe. Also fundamental to the cybersecurity software company’s creation is what Alashe learned about leadership.

“The role of a leader, regardless of where you find yourself, is to create the conditions for those who have the privilege of leading to succeed,” Alashe said. This helped form the company culture at CybSafe.

“At CybSafe, we have built a team full of remarkable people. But it’s important to us that every single person who comes here realises that we expect them to lead some of the products, the teams, or the initiatives. In my case of course, I’m leading to deliver against the vision. But the fact is, we are all leading in one way, shape or form. That is something I learnt in a previous life; I saw the power and importance of it.”

Alashe added, “We look for remarkable people. Those who come here are extremely talented, but they’re also really ambitious and driven. We want people to be masters of their own time and deciders of their own fates but be focussed on the outcomes that we are trying to achieve.”

The result of this, Alashe continued, is that CybSafe, instead of spending time controlling and micromanaging people, is able to focus on what it wants to achieve in the CyberTech space.

Copyright © 2022 FinTech Global

Enjoying the stories?

Subscribe to our daily FinTech newsletter and get the latest industry news & research

Investors

The following investor(s) were tagged in this article.