We interviewed 365 people from 10 organisations during 2022. The results discussed in this paper are drawn from a subset of the full 150-question interviews.
We discuss results across the following areas:
- Perceived value of cyber security
- Awareness levels
- Perceptions of risk levels
- Email behaviour
- Cyber security training
- Keeping up-to-date
- Perceptions of cyber security skill levels
- Working from home
- Social media usage
- Discussing cyber security in the workplace
- Cyber culture assessment
We see several important issues worthy of note from our results. First, all organisations in our sample are providing some form of mandatory cyber security-related training. Unfortunately, while most staff are completing the training, it is not doing the job. We argue that one-off, or once-a-year, ‘tick-the-box’ compliance-oriented training is not enough. As we saw, while 90% of staff reported having completed their training, few remembered the content of that training. Related to this was the reported high desirability of phishing training.
The second issue we think worthy of note is that while staff report that cyber security is important to them and to their organisations, they also report that it is not always easy to learn and apply cyber security principles and practices.
Third, we are surprised, and alarmed, by the consistently low levels of reported internal cyber-related discussion taking place between managers and staff. Respondents gave an average rating of 3.9 out of 10 when asked how often their manager discussed cyber security with them. If cyber security were truly as important to people as they reported, we believe it would be on “the agenda”, figuratively and literally.
Finally, we noted the reported poor password management practices, and the dangerous behaviour of sending phishing emails into the work environment.