Domain dependence causes our points of view to change in different domains – and it could be limiting cyber security awareness campaigns…
Let’s talk domains. Not web domains, but domains in life. Areas, specialisms, disciplines – call them what you want.
As humans, we tend to base our worldviews on our experiences in various domains. It’s a useful skill that, for the most part, helps us navigate through life effortlessly. But it does mean that, whenever we’re unfamiliar with a given domain, it can be difficult to recognise risk.
This phenomenon is called ‘domain dependence’ and it sometimes prompts us to adopt very different approaches to what is essentially the same thing. The term was first coined by Nassim Taleb in his book Antifragile, and he provides an intriguing example to demonstrate the point:
‘I had a vivid illustration of domain dependence in the driveway of a hotel in the pseudo city of Dubai. A fellow who looked like a banker had a uniformed porter carry his luggage… About fifteen minutes later I saw the banker lifting free weights at the gym, trying to replicate natural exercise using kettlebells as if he were swinging a suitcase. Domain dependence is pervasive.’
Domain dependence is indeed pervasive. And it could be limiting our cyber security awareness.
Domain dependence: an example
Consider health and safety for a moment.
The Western world takes health and safety so seriously it’s often comical. Induction programmes explain how to pick up boxes, how to walk with boxes and how to put boxes down. They explain how to sit, how to arrange workstations – they even warn us water from hot taps is likely to be hot. Why?
Because employers know just how important it is.
They understand the consequences of getting it wrong, as well as the benefits of getting it right. More to the point, employers are familiar with the numerous studies that prove health and safety training has tremendous positive benefits to business as a whole.
Proper health and safety provisions increase staff morale, raise productivity, lower absence rates, reduce insurance premiums and have significant effects on company reputation.
So we take health and safety seriously. In the health and safety domain, we’re diligent, thorough and conscientious.
In the security domain, things are very, very different.
The difference between domains
Why is it we can be so meticulous in one domain but so detached in another?
Why is it large numbers of employers still don’t see the benefits of cyber security awareness in the way they do health and safety?
Bluntly speaking, the effects of getting it wrong are similar. In actual fact, in some cases, the effects of getting it wrong are one and the same.
Suppose an employee mishandles a heavy object and suffers a permanent injury because they haven’t completed manual handling training. Such an incident might trigger an expensive and damaging legal case.
Likewise, if an employee fails to recognise a phishing email, clicks on a malicious attachment and inadvertently shuts down an entire company network, similar, if not worse, discomforts ensue. The ramifications aren’t necessarily short-term, either. Today, there’s a significant possibility of negative media coverage – which we know can trigger long-term loss of custom.
Overcoming domain dependence to improve cyber security awareness
Cyber security awareness is no longer a domain that can be ignored.
It’s no longer something that can be left to the ‘IT guys’, or placated with a once-a-year awareness week.
Cyber security awareness is something we all need to fully engage with, integrate into our day-to-day working culture and use as an enabler to drive healthy, stable and profitable business growth.
While increasing engagement isn’t easy, there are some simple steps anyone can take to do so – especially if, at present, cyber security awareness training is a tick-box exercise. The CybSafe platform, for example, uses a combination of cognitive tech and data analytics to transform awareness, behaviours and culture.
It’s also worth considering how existing areas of business excellence might be transferred elsewhere. We’ve already mentioned learning from the health and safety domain, but there are certainly other areas which could benefit cyber security awareness. What’s to stop marketing departments ‘selling’ cyber internally, for example?
In reality, we are only going to beat the cyber threat by fully engaging with areas like security awareness. A great many of us use computers when working these days, not to mention in our personal lives. Like it or not, security awareness is everybody’s responsibility.
As a parting thought, here’s something that’s worth bearing in mind.
A member of staff can cause more damage to a company through lax security than an erroneously labelled hot tap ever might.