Not everybody thinks the same way, Jemma Davis tells Martin Cooper MBCS. Learning this lesson, she says, might help organisations unlock their employees’ full potential as an army of truly engaged cyber security defenders.
It’s easy to believe that everybody thinks the same way you do and that their brains process information similarly too. The truth, of course, is quite different — no two people are the same.
When it comes to designing, building and deploying cyber security awareness training, this can be an important consideration.
At one end of the spectrum different people might have different tastes and preferences about layout, aesthetics and learning styles. Uncatered for and unimpressed, they might give the training a poor score in the inevitable post-event satisfaction survey, but leave having absorbed the necessary lessons.
Move to the other end of the spectrum and people from neurodiverse communities might find training design and implementation a barrier to learning — and this might leave their employer open to a cyber attack.
Why don’t you introduce yourself and tell us about Culture Gem?
I’m Jemma Davis, Cyber Behaviour and Culture Transformation Consultant and CEO, and Founder of Culture Gem, the first fully accessible compliance and security awareness eLearning platform focused on promoting inclusivity and adaptable learning paths for every user. I focus on empowering individuals to navigate the digital world safely and helping companies enhance their defences by fostering a shift in security culture and behaviour.
I’ve always been interested in how cyber security views people — they’re either the weakest link or the first line of defence. What’s your take?
People are a business' most valuable asset. Regardless of whether they are staff or customers, people are a cog in the defence machine, but only if you invest in their development and understanding of cyber threats. I learned to cross the road with SuperTed and Spotty, others may have learned with Darth Vader, and some with hand-holding hedgehogs, but we all remember how we learned.
We need to invest in knowledge sharing about how to stay safe online. We need to help people understand their personal risks, to build stronger habits, and to understand the importance of protecting their work.
Why should security managers consider expanding their awareness campaigns to support neurodiverse communities?
With 15-20% of the UK population being neurodivergent, businesses must proactively accommodate diverse learning and accessibility needs. If a fifth of your workforce required wheelchair ramps, you wouldn’t wait to be asked; you’d install them because it’s both legally required and morally right.
Some may argue that they can only provide the adjustments if they know about the need, and that is what the law says you must do, but your staff do not have to tell you if they have additional needs, health conditions, or disabilities. That information is classed as special category data under UK GDPR, and should be protected to within an inch of its life.
The use of accessibility controls are often prescribed, along with a diagnosis, but many people are awaiting assessments or have learned to mask their needs in order to fit in. This means the theory that everyone knows what they need is absolutely wrong. We only know what we know, and until we know what options there are, we battle the world built for the masses.
Security managers may already be aware of the Web Content Accessibility Guidelines (WCAG), an international standard which sets out the accessibility requirements for content hosted on the web, and many security awareness training solutions claim to meet this.
WCAG says content should be generated in a way that works with accessibility tools and software, amongst other things. The guidelines aren’t overly complex to implement in theory but doing so might, from a security perspective, extend an organisation's attack surface.
As a result, ‘unnecessary’ features in software like screen reading, sticky keys, or browser extensions will often be disabled in order to reduce attack surface and protect the organisation; this means WCAG compliant tools can’t be used in an accessible way, and formal requests will need to be placed to enable access. This, of course, forces employees to disclose additional needs, health conditions, or a disability, which they aren’t required to do by law.
So, implementing universal accessibility standards pre-emptively could alleviate these legal and ethical dilemmas.
‘Diverse teams make diverse products’ is a cornerstones of diversity in IT. Is it true in defending organisations? Is a diverse workforce a more secure one?
We all interact with the world differently, based on a multitude of factors. I may look at an email, and due to my profession, spot a phish a mile off — yet tomorrow, when tired or stressed, I might not spot it. In fact, I know of people working in senior positions within a very influential national security body who, in a momentary lapse, have clicked a phish. We can all fall foul of a cyber attack; it’s what we do in the moment that counts.
How do you design specifically for different communities — for example, people with dyslexia or ADHD?
If you consider your organisation's cyber security awareness programme, it’ll likely be annual mandatory training, a few reactive emails, and maybe a campaign during October’s awareness month. The problem is, we all are engaged and motivated differently, and we digest things in different ways.
Culture Gem carried out years of research and trial and error development work to understand the different ways people learn, and what barriers they may have to digesting or engaging with material. I think it’s very easy to assume your brain works the same way as mine until you start digging deeper. A lot of accessibility requirements are almost 'prescribed', meaning you only know what you need when someone tells you. Before this, you might not even know you have a challenge; for example, one of the product development team was having a few issues completing their tasks part way through an apprenticeship. They mentioned these difficulties to their assessor, who flagged it to the college, who then arranged for an assessment. This assessment resulted in a dyslexia diagnosis at the age of 38, where they were told they should use a yellow filter. Without access to this diagnosis, they’d have never known what colour was best or even why they were struggling.
For you
Be part of something bigger, join BCS, The Chartered Institute for IT.
The press of just the past 6 months suggests that the number of autistic adults may be twice as high as documented, which I assume is due to changes in the understanding of the diagnosis. Access to assessments remains a bit of a postcode lottery, and I’ve heard more than a handful of horror stories about the diagnosis process, meaning not all of us have the luxury of knowing what we need — so it was really important to me to put the choice into the hands of the employee, and for them to learn through preference. One of the things we get praised for is that employees get to learn something about their own preference of colours, narrators, speeds and content styles, and line managers gain an understanding of how to best communicate with each member of their team.
Gamification is very popular… does it work universally?
In my opinion, gamification only works if that’s how your brain best engages, and it most definitely isn’t the thing that will solve all the problems in corporate learning. Though having it as an option could work, our research found that people often find gamification in compliance learning too stimulating, meaning they struggle to digest the information or understand how to carry out the required action. It’s hard to understand what it’s like to exist in someone else's brain, so it’s hard for any of us to understand the additional barrier you place in someone’s way by adding something you like into the mix, such as gamification.
The other challenge with gamification is that it doesn’t work long term, because when we reach the goal, beat the boss, get the golden ticket, we’ve done it. We’ve had the dopamine rush, and we move on to find more dopamine. I will play a video game to its entirety, and aim to gain a perfect score, but I won't ever play that game again. I chuck it in a drawer and play the next one. My assumption is that to make gamification engaging long term, you’d need to keep evolving the game, and as most of us know, learning content is often rolled out year after year, so I can’t see it being the answer to anyone’s prayers.
What advice would you give to a security manager designing and rolling out training?
Form a focus group of people who represent the makeup of the company, and listen to their feedback! Utilise every opportunity to influence positive behaviours, and do it almost subliminally. I often use ‘Ask Angela’ as an example of this: there is a scheme in the UK where if you are in a bar or a restaurant, you can ask a member of staff for ‘Angela’ — for example, ‘is Angela working today?’. Asking for Angela lets the staff know you need help, and they will find a way of providing it for you. Ask Angela is one of the best examples of security awareness I’ve ever seen. I’m not sure how many men know about Angela, but as a woman, it is everywhere I look when I’m out and about. It’s the subliminal message that lets me know I am safe in this place. If security managers use such continual reinforcement, they can effect real change, and let everyone know what to do when they are in a place of cyber danger.
What’s next for you?
I and the rest of the Culture Gem team will continue to fight the good fight against cyber criminals. Through creativity, we hope to build an army against cyber crime, where everyone understands their personal online risk, and cares enough to protect themselves.
We continue our research into the ways of the human mind, and how to remove barriers for every worker forced to take mandatory training. We hope to inspire inclusion across all cyber initiatives.