Leveraging influence for defensive security

The good news is that you can also apply those psychological principles (such as influence) to enhance the cybersecurity culture in your organization.

In fact, here are some examples of how you can leverage some social engineering concepts in your organization:

• Social proof: You can leverage influential people in your company to promote cybersecurity best practices. A good implementation example is to provide a hands-on cybersecurity awareness workshop to those influential employees and name them Cybersecurity Advocates. This will help you motivate those influencers to enhance cybersecurity awareness across the organization and also to bring more to join your program as Cybersecurity Advocates.

Important note

Those kinds of programs work better if people are also awarded a digital badge that highlights their new Cybersecurity Advocate title.

• Scarcity: You can apply scarcity in many ways to enhance your cybersecurity programs, such as the following examples:
  • Announce that only X number of employees are eligible for the Cybersecurity Advocate title
  • Limit the number of people that can attend awareness training (which brings the feeling that they will attend an exclusive training)
  • Make users think that installing a given cybersecurity tool is not an obligation but a privilege that they need to pursue (because they are getting a license for free)

  As mentioned before, this technique is more powerful when combined with other tactics.

• Authority: One of the biggest challenges of cybersecurity campaigns is to get users involved. People are normally busy doing their day-to-day activities, and additional assignments (such as cybersecurity awareness training) are not a priority for most of them. However, you can leverage the principle of authority by asking a C-suite executive (CEO, CTO, etc.) to be the sponsor of the initiative. That sponsorship means recording a video or sending an email to the entire organization to highlight the importance and relevance of the cybersecurity initiative. Another great way to deliver this message is during a corporate event such as a Town Hall meeting. This will surely help to bring people’s attention to your cybersecurity awareness program.

Important note

Some authors suggest that the executive should also highlight the consequences of not attending the required training; however, that may bring a negative connotation to your initiative, and from experience, it is better for people to be motivated to learn rather than forced by fear.

All other principles can also be used (and mixed) to support your cybersecurity initiatives, and now, it is up to your imagination to create the perfect blend to improve your cybersecurity strategy.