How user experience and behavioural science can guide smart cybersecurity

Three women work on laptops around a table

Behavioural changes will be key to create smart cybersecurity solutions. Image: Jelena Rudi, Public-Private Cyber Hackathon Exercise

Lisette Guittard
Global Head of Cyber Secure User Experience, Banco Santander
Our Impact
What's the World Economic Forum doing to accelerate action on Cybersecurity?
The Big Picture
Explore and monitor how Cybersecurity is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:

Technological Transformation

Listen to the article

  • Cyber attacks are on the increase and have the power to disrupt critical infrastructure, businesses and governments.
  • The majority of such breaches have been due to a human element as social engineering techniques get more sophisticated.
  • Alongside technological advances, we need a more holistic approach to cybersecurity that takes into account human behaviour.

Society needs to be equipped to defend against cyber attacks. More than at any time in our history, cyber criminals, hostile nation states and other malicious actors have access to sophisticated technology that can disrupt the operations of critical infrastructure, businesses, governments and the daily lives of people throughout the world.

Some 82% of cybersecurity breaches in the last year were due to a human element. The disruptive Colonial Pipeline ransomware hack that took down the largest fuel pipeline in the US and led to shortages was the result of a compromised password and password reuse. Weeks later, JBS – the largest meat producer in the world ­– was hacked through a Qbot malware infection thought to have spread through a phishing email.

Complicating the matter, hackers are using technology developments that defenders use to protect users such as machine learning and artificial intelligence (AI) to subvert detection and social engineer.

Today’s phishing attacks are increasingly narrowly targeted and crafted to subvert traditional email detections. Attackers use AI to conduct reconnaissance from social media profiles at scale, replicate communication styles of trusted contacts and create convincing deep fake audio or video messages to use in ransomware or spear phishing attacks.

The three-dimensional environment of the metaverse could also facilitate more effective use of such social engineering methods. This means people need to be more empowered and informed than ever to identify and respond to new threats.

Social engineering a top vector with 94% of breaches starting with attacks targeting people via email.
Social engineering is a top vector for cyber breaches, according to Verizon. Image: Verizon Data Breach Investigations Report 2021

Everyone needs to be trained on cybersecurity

In considering our response, we need to focus on securing our hardware and software, but just as much attention should be paid to securing human behaviour.

We live in the digital era where the average person spends six or more hours online a day, has 10 connected devices in the home, and has at least 100 accounts online – and these numbers will continue to grow.

Governments, private sector players and educational institutions need to invest in training all citizens. The Estonian government’s cyber education model is a best-in-class reference, having reinvested in education and training programmes in partnership with academia and the private sector.

The government has focused on training all citizens from informing the elderly on cybersecurity, to teaching kindergarten pupils how to code and showing teenagers how run security checks on the devices of their parents and family members in order to empower households to take responsibility.

Private sector organizations should open cyber awareness and training materials both for customers and non-customers with the aim of benefiting all society. Santander and other private organizations have taken the lead in opening and sharing free cybersecurity training on their websites.

The World Economic Forum’s Cybersecurity Learning Hub is a good model that aggregates resources for small businesses and individuals through resources from the private sector.

Regular training, coupled with practical exercises are proven mechanisms to create a real difference. In the same way that schools run fire drills, controlled ethical phishing simulations and tests in school curriculum to spot deep fakes and social engineering techniques on messaging and social media can be beneficial.

Cities could also run controlled social engineering exercises with small businesses who opt-in.

The secure option should always be the default

A combination of cyber training, awareness and tech solutions that nudge people into the right behaviours is an essential component of holistic cybersecurity.

Every technologist’s ambition should be to make risk mitigation an unconscious ‘habit’ that’s embedded within a product. The user experience (UX) must always default to the secure option – to enable people to take basic security steps.

Have you read?

It would be good practice for mobile operating systems to default to always enabling automatic software updates. Laptops and desktops should present encryption as a default. Multifactor factor authentication (MFA) or second factor authentication (2FA) should always be the default option.

Behavioural economist Dr Richard Thaler commented in his book Nudge: “If you want to get people to do something, make it easy. Remove the obstacles.”

Gmail security is an illustrative example of the impact a tech solution can have on secure behaviours. Since 2011, when Google rolled out its 2FA feature for Gmail, they reported that less than 10% of users had it enabled on Gmail. In 2021, Google announced that it will switch on 2FA by default.

Consumer-led cybersecurity is vital

For most consumers today, security is already a top concern. Informed consumers are already beginning to demand companies and manufacturers to integrate and demonstrate commitment to security. An area where this is already beginning to happen is with internet of things devices.

Meanwhile consumer protection bodies, companies and academia are exploring the use of security and privacy labels for devices (akin to nutritional fact labels) to equip consumers with information at moment of purchase. Efforts are moving forward internationally in the UK, Finland and Singapore.


How is the Forum tackling global cybersecurity challenges?

As we move more into the metaverse, headsets and other wearable devices will become more important; users would benefit from standards on how these devices protect their data. These types of awareness initiatives help to create a more robust and secure ecosystem of conscientious users.

In short, as technology and cyber threats evolve, it’s more important than ever to invest in people. A robust cyber ecosystem must incorporate training, awareness and UX to deliver smarter cybersecurity.

Combined efforts by the public and private sectors are the best mechanism to deliver these cybersecurity initiatives and to drive greater confidence and trust online.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

Related topics:
CybersecurityEmerging Technologies
World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

CrowdStrike content update causes global IT outage, and other cybersecurity news to know this month

Akshay Joshi

July 22, 2024

About Us



Partners & Members

  • Sign in
  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum