Accompanying the technical solution that is developed in SOTER to enhance digital customer onboarding, the project is designing a suite of training materials to enhance the overall information security, data privacy, and cybersecurity practice within the critical financial services sector.
As described in a previous blog, the project develops its training materials by combining qualitative and quantitative academic research on cybersecurity competences with socio-pedagogically founded best practices on how to train employees to develop them. The output will be a systematic compilation of training modules that contains the most relevant cybersecurity competences for employees in the financial sector.
Our approach to cybersecurity competence training
Preliminary analyses showed that one of the most promising ways of enhancing employees’ cybersecurity behaviour could be competence training, as only raising cybersecurity awareness does not seem to result in consistently measurable behavioural change. Many existing cybersecurity training approaches, however technically profound, lack a sound pedagogical foundation and a genuine understanding of human behaviour. SOTER is going to fill that gap by introducing a holistic training approach that is pedagogically, as well as socially-theoretically, sound and which applies methods suitable for behavioural change.
As we are going to train competences, we first need to establish a socially-theoretically founded meaning of competence in regard to cybersecurity. A continental-European definition of competence in Empirical Educational Research and Personnel Development has been adopted since it is interdisciplinary and covers nearly all aspects we deem necessary for effective training actions. Within this context, competence is defined as the general capability of individuals to act and solve problems independently in a given situation based on their capabilities, knowledge, skills, proficiency and attitudes. While many definitions in Empirical Educational Research attribute the realisation of competence merely to the individual, we want to add a genuine social-theoretical perspective.
As research regarding the performance of competences has shown, competences can only be realised in and through the consent of the social system in which the individual is situationally located. Individuals not only need the ability to act competently, but they also need agency to do so. Furthermore, they must be motivated to perform their competences in a given situation.
In combination with the overall definition of cybersecurity developed in the SOTER project, the following definition of cybersecurity competence arises:
“Cybersecurity competence is the capability, willingness and agency of persons to solve cybersecurity problems individually or in cooperation with others based on their knowledge, skills, attitudes and proficiency in a way that the organisational integrity (technical, social, legal, ethical) and the physical, mental, material, social, ethical and legal integrity of the individuals involved is measurably safeguarded.”
This definition has several implications for how cybersecurity competence trainings should be conducted. It does not only tell us what to train in a structured way (that would be cybersecurity competences to safeguard organisational and individual integrity in the digital realm), it also gives us guidance on how to train. Thus, our training methods should focus on fostering cybersecurity knowledge, skills and proficiency as well as enhancing the willingness and agency of trainees to solve cybersecurity problems individually or together with others. To reach that goal, training methods must go beyond mere knowledge-building. According to the definition of competence we are applying, knowledge is only one of five dimensions of performable competence to be trained.
Cybersecurity competence trainings must provide employees with the necessary knowledge about potentially problematic cybersecurity situations and subsequently convey the appropriate behaviour to address these situations. Building on that knowledge, the corresponding job-function-oriented skills must be acquired and practised until employees reach proficiency in performing these skills. In addition, employees’ attitudes have to be built up in order to foster their motivation and sense of agency. Thanks to our trainings, employees should experience growing levels of proficiency in tackling critical cybersecurity situations in a context that enables high levels of individual agency for them to perform their competences.
However, solely training employees in a way that motivates them to act and to feel empowered to act is not enough to ensure they can realise their cybersecurity competences within their organisational context. To that end, the overarching organisational structures must support and cultivate the realisation of competences.
Organisations often cultivate structures that work well for some intended goals but result in unintended consequences for others. For example, in banks, certain quantity-oriented performance measures like customer contact counts motivate employees to work more efficiently, but at the same time, these measures may be counteracting secure cyber behaviour because employees are encouraged to prioritise quantity over security.
For cybersecurity competence trainings to work effectively, these conflicting structures need to be identified and tackled. This conflict may be resolved by conducting trainings for employees as well as for management. Management also needs to acquire knowledge and skills to direct organisational structures in a way that secure behaviour by their employees is enabled as best as possible and that their employees feel safe to make use of their cybersecurity competences.
This is why the SOTER Cybersecurity Competence Training solution is applied at the employee level as well as at the management level. Thus, it not only builds up cybersecurity competence within single individuals, but it also builds up a cybersecurity-competence-friendly environment throughout the whole organisation.