Improving cyber security self-efficacy for remote working

How can organisations motivate their employees to comply with IT security measures when working remotely?

Remote working – whether from home, at a client site or on a business trip – often means increased cyber security risks for organisations, as their ability to monitor and control data is reduced.

Some organisations ask their employees to follow a myriad of security configurations such as secure passwords, antivirus software, or VPNs to mimic a secure environment normally provided at a workplace.

Others allow their staff to use their own IT equipment and internet network, and this is when the individual’s security risk awareness and protective skills (often referred to as self-efficacy) are critical.

RMIT University School of Business & Management Senior Lecturer Dr Pham Cong Hiep and PhD student Nguyen Nhat Minh suggest three practical ways companies can improve cyber security self-efficacy among employees.

1. Make cyber security training more engaging

Training programs are one of the most basic methods to convey knowledge and skills to employees. However, a recent survey by RMIT researchers found that employees across organisations want to see cyber security training revamped.

“Rules and regulations should be conveyed in a smart and creative way in order to excite people and get them to voluntarily comply,” Mr Minh said.

“Traditional slide-based training programs are often difficult for participants to fully understand the serious consequences of violating security rules or practices.”

To solve this, Dr Hiep advised businesses to help employees grasp the practical implications of applying security measures by encouraging them to visualise the consequences of security breaches.

“Simulation and game-like scenarios can be useful tools in this regard. Recent developments in game technology can make training become more interesting to users, through the application of game elements such as gaming badges, points, levels, leader boards, prizes, and engaging storylines,” Dr Hiep said.

RMIT Senior Lecturer Dr Pham Cong Hiep suggested using simulation and game-like scenarios to make cyber security training more engaging.

2. Use social media to communicate cyber security messages

Companies often use emails as the main channel to communicate security issues and expect employees to pay attention and take precautions. However, research has found that many employees do not read security updates via email.

Mr Minh explained that “contents transmitted via email can be quite long and complex. As a result, it is difficult to create any interaction or personal awareness of the security risks. It is also not effective in attracting users’ attention in emergency cases”.

Dr Hiep proposed social media as an alternative channel for organisations to consider when designing cyber security knowledge sharing systems.

“Given the prevalence of mobile devices with social media applications, they can be used to deliver important and urgent security updates to employees any time,” he said. “Moreover, information conveyed by social media tools is often more intuitive and visual, which can easily capture attention.”

According to Dr Hiep, social media can also enable interactive group discussions, thus encouraging incident sharing among colleagues. He found too that people took security advice and warnings more seriously when they came from their peers rather than the IT department.

However, he warned organisations to be aware of the security risks of using social media, since “confidential corporate information is disclosed on potentially open and unsecure channels”.

Social media can be an alternative channel for organisations to consider when designing cyber security knowledge sharing systems.

3. Employ local security experts

In cases where the IT department cannot provide timely and relevant advice on general or security issues, Mr Minh said help can come from fellow employees with the right expertise.

These in-house security ‘experts’ are non-IT staff with proven security knowledge and experience of specific work domains, willing to be consulted by others. Since each department may impose different privacy policies, designated experts in each department might be better placed to assist their colleagues at the right time.

Some organisations might not conduct formal IT security orientation for new staff members, but may like to consider appointing in-house experts to provide their new colleagues with specific job-related security knowledge and requirements.

“Sharing knowledge between colleagues is a supplementary approach to enhance the security knowledge of employees, helping them feel more competent in dealing with unknown security issues”, Dr Hiep commented.

Story: Ngoc Hoang

08 October 2020
