Why security awareness lacks a rogues’ gallery

When we were kids, we were quick to learn the roles of ‘goodies’ and ‘baddies’ and the need for both heroes and villains to make a good game. There was no point in being an evil character if there were no ‘good guys’ to battle against – and vice versa.

We played these games to learn the rules. Of course, the villains appeared to have all the fun because they broke the rules, while the heroes made the rules and held the moral high ground. So, are the kids of today playing ‘hackers and victims’? I doubt it. The shadowy figure of the cyber-villain has yet to enter our popular culture and imagination, and an attack needs to involve more than frantic tapping on a keyboard before the role becomes an ‘attractive’ one. Does it matter that the most potent image we have of the hacker is a youth in a hoodie living a nocturnal existence in his or her bedroom?

Well, yes it does – because it leaves a villain-shaped hole in our heads where the hacker should reside. A recent study by US academics found that employees learning about security at work are frustrated by the lack of recognisable villain characters [1]. In the contemporary world of cybercrime, employees are asked to act as front-line defenders, yet they are expected to prevent a crime with very little information about the potential attackers or their motives.

Seeing the world through the eyes of cyber criminals

We build a picture of our world by trying out different perspectives and deciding what to accept or reject. Making rules and holding moral convictions is all part of this process. The rules create the framework that defines the kind of person we are, but we need to be able to relate to the opposite view of the world to decide where we personally stand in relation to it. So, when it comes to building cyber security awareness in your company, it’s a good idea to have your employees take on the role of would-be cyber criminals and, working in small teams, plan an attack on your own business. Give them permission to wreak theoretical havoc and even promise a prize for the best ‘hack’.

The benefits of adopting the hacker’s perspective include:

  • The mixture of dare and challenge brings the kind of focus and energy to cyber security that CISOs dream of.
  • Participants discover what they don’t know, such as what data is valuable to a hacker and why, leading to questions and sharing of knowledge.
  • Vulnerabilities start to make sense – with a hacker’s perspective, users begin to understand why certain behaviours are so dangerous.
  • Once there’s a villain, heroes are born, giving the role of frontline defender new weight and moral integrity.
  • Role-play hackers are a CISO’s best friend. Planning an attack gives clarity of vision and the ‘villain’ can critique the business with a professional eye and provide clear feedback on what needs to be sharpened up.

So, whatever the age, playing hackers now and again helps to raise awareness of the serious issues around cyber security and the role we all need to play to prevent breaches.

You can register for a free webinar on 25th April: The Hacker’s Perspective: Helping Employees Identify Security Vulnerabilities https://attendee.gotowebinar.com/register/1148828402759529729 or visit www.layer8ltd.co.uk

By Sarah Janes, CEO at Layer8.
