False confidence: we all have some from time to time, and some people have more than others. We've all met the know-it-all, and perhaps you show a bit of false confidence in your own life too. No shame or judgement intended; it's important to be confident about yourself and your skills, especially in your area of expertise. When you know your job and use your experience to help others and achieve results, that's fantastic.

But there are two types of confidence, reasonable confidence and false confidence, and there's a big difference between them. A recent global survey by Webroot, a cybersecurity specialist, found that many people are pretty confident about their ability to keep themselves and their data safe online. The report, COVID-19 Clicks: How Phishing Capitalized on a Global Crisis, shows that this confidence is worldwide. Meanwhile, individuals and businesses continue to fall victim to cybercrime on a significant scale: cybercriminals are still breaching businesses because employees are still getting phished and still falling for social engineering aimed at them. It remains one of the main ways criminals get in. The report highlights the overconfidence (false confidence) of many, and the fact that we're not as cyber-safe as we believe.

Overconfidence by the Numbers

The figures show that approximately 59%, or 3 in 5 people globally, believe they know enough to stay safe online.

You might say that 59% hardly warrants the title "false confidence"; the number's just not that high. But would you be right? Two countries pulled the global average down:

France – 44%

Japan – 26%

Five of the other countries surveyed all landed on the same figure:

US – 69%

Australia – 69%

New Zealand – 69%

Germany – 69%

Italy – 69%

The UK had the highest confidence, at 75%.

So most of the countries surveyed are in fact around 10 percentage points more confident than the global average.

8 in 10 people say they take steps to determine if an email message is malicious.

Yet 3 in 4 still open emails and click links from senders they don't know.
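The survey does not say what "steps" respondents take to decide whether a message is malicious, so here is an added example (not from Webroot, the report, or Dr. Rajivan) of three checks that a reader, or a mail gateway, can apply before anyone clicks: a display name that claims a domain the real sender address does not belong to, a Reply-To that routes answers to a different domain, and link text that shows one host while the href goes to another. The two messages are constructed for the example; every address and host uses a reserved example domain.

```python
"""Added example (not from Webroot or the survey): three quick checks a
reader or a mail gateway can apply to a message before anyone clicks.
The two messages below are constructed; every address and host uses a
reserved example domain and corresponds to nothing real."""
import email
import re
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")


def domain_of(header: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(header or "")
    return addr.rpartition("@")[2].lower()


def same_or_sub(host: str, base: str) -> bool:
    """True if host is base itself or a subdomain of it (a lookalike is neither)."""
    return host == base or host.endswith("." + base)


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, "".join(self._text).strip()))
            self._href = None


def html_body(msg: Message) -> str:
    """First text/html part of the message, decoded; '' if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def visible_host(text: str) -> str:
    """Hostname the link text *appears* to point at; '' if it is not URL-like."""
    t = text.strip().lower()
    host = urlparse(t if "://" in t else "//" + t).hostname or ""
    return host if DOMAIN_RE.fullmatch(host) else ""


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable red flags found in an RFC 5322 message string."""
    msg = email.message_from_string(raw_message)
    flags = []
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))

    # 1. Display name that names a domain the actual sender does not belong to.
    claimed = DOMAIN_RE.search(display.lower())
    if claimed and not same_or_sub(from_dom, claimed.group(0)):
        flags.append(f"display name claims {claimed.group(0)} but sender is {from_dom}")

    # 2. Replies routed to a different domain than the one the mail came from.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and not same_or_sub(reply_dom, from_dom):
        flags.append(f"Reply-To goes to {reply_dom}, not {from_dom}")

    # 3. Link text that shows one host while the href goes somewhere else.
    links = _Links()
    links.feed(html_body(msg))
    for href, text in links.found:
        shown, real = visible_host(text), (urlparse(href).hostname or "").lower()
        if shown and not same_or_sub(real, shown):
            flags.append(f"link shows {shown} but goes to {real}")
    return flags


# Constructed sample messages (not real mail).
LEGIT = """\
From: IT Helpdesk <helpdesk@example.com>
To: user@example.com
Subject: Password expiry reminder
Content-Type: text/html; charset=utf-8

<p>Your password expires soon. Reset it at
<a href="https://sso.example.com/reset">https://sso.example.com/reset</a>.</p>
"""

PHISH = """\
From: "example.com IT Helpdesk" <helpdesk@example-support.net>
Reply-To: recovery@mailer.example.org
To: user@example.com
Subject: URGENT: your account is locked
Content-Type: text/html; charset=utf-8

<p>Unlock it now at
<a href="https://sso.example.com.login-verify.example.net/reset">https://sso.example.com/reset</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("phish", PHISH)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

The legitimate sample produces no flags; the phishing sample trips all three checks. None of these checks proves a message is malicious (a newsletter sent through a bulk provider will legitimately have a foreign Reply-To), which is exactly the judgement call the survey says people believe they make and then skip.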

If we really know what to do to stay safe online, and say we take steps to avoid opening dodgy-looking emails, why are so many of us still falling for phishing? Dr. Prashanth Rajivan, assistant professor at the University of Washington and an expert in human behaviour and technology, believes he has the answer, and offers two points to consider.

Individualism

The survey found that while Japan had the lowest level of confidence in its cybersecurity know-how (only 26%), it also had the lowest rate of respondents falling victim to phishing (16%). From this, Dr. Rajivan suggests that people in more individualistic cultures tend to rank themselves highly on their ability to keep themselves and their data safe.

“When people adopt a less individualistic mindset and, instead, perceive themselves to have a greater responsibility to others, their average level of willingness to take risks decreases. This is especially important to note for businesses that want to have a cyber-aware culture.”

– Prashanth Rajivan, Ph.D.

The Dunning-Kruger Effect

What is the Dunning-Kruger Effect? It is a cognitive bias in which people who are less skilled at a task tend to overestimate their ability at it. Dr. Rajivan says this psychological phenomenon may contribute to overconfidence in one's ability to spot phishing attacks. In other words, we tend to overrate ourselves most in the areas where we know least.

How These Numbers Affect Businesses

Interestingly, only 14% of workers feel that a company's cyber resilience is a responsibility all employees share.

The connection between overconfidence and individualism seems to be translating into a company culture in which employees don't see themselves as responsible for cybersecurity during work hours, even though 63% of workers surveyed agree that security tools and employee education are necessary for a cyber resilience strategy and should be a top priority for businesses.

How to Create a Cyber Aware Culture

So how do we build a cyber-aware culture? In short, through a combination of employee training and tools.

When employees were asked what would help them feel better prepared to avoid phishing and prevent cyberattacks, the consensus worldwide was that employers need to invest in training and educating their staff. Dr. Rajivan agrees: "if employers want to build cybersecurity awareness into their business culture, then they need to invest heavily in their people."

“By creating a feeling of personal investment in the individuals who make up a company, you encourage the employees to return that feeling of investment toward their workplace. That’s a huge part of ensuring that cybersecurity is part of the culture. Additionally, if we want to enable employees to assess risk properly, we need to cut down on uncertainty and blurring of context lines. That means both educating employees and ensuring we take steps to minimize the ways in which work and personal life get intertwined.”

– Prashanth Rajivan, Ph.D.

For real change in phishing and online risk-taking, human behaviour needs to be reshaped, and our behaviour is the result of past experiences, consequences and reinforcement. So, to change risk-taking trends, staff need frequent and varied experiences, along with feedback that rewards good behaviour, says Dr. Rajivan.

Above all, training can't be emphasized enough. According to real-world data from customers using Webroot® Security Awareness Training, consistent training reduces click rates on phishing simulations by up to 86.5%. The courses combine training with easy-to-run, customizable phishing simulations.

It's clear that a little training goes a long way. If you want to increase cyber resilience, you have to reduce dangerous false confidence among staff and business leaders alike, and that means empowering your workforce with the tools and training they need to have reasonable confidence: knowledge they can use to make sound, secure decisions about what they can and cannot safely click on.

Every business wants to reduce the risk of a breach, so the place to start is our company culture around cybersecurity.