In defence of humans

When considering how to incentivise employees, we are often drawn to a conversation we had with a client a while back. They commented that, when it came to the topic of employee training, the company wanted employees to be ‘cyber security superheroes’ rather than treating them like the weak link. It was a refreshing change in tone.

Professor Robert Rosenthal wrote an intriguing book called Humankind: A Hopeful History, which looks at self-fulfilling prophecies. One chapter of this book refers to a study carried out by Rosenthal, who asked the pupils of a Californian school (1) to take part in what was dressed up as an IQ test.

Instead of providing the teacher and students with the results, his team put them aside and flipped a coin to decide which students would be identified to their teachers as ‘high potential’. Sure enough, teachers gave the ‘high potential’ students more attention and praise, changing the self-image of these children. The genuine scores of these students improved dramatically as a result.

More interestingly, the largest improvement was seen in children from backgrounds where teachers incorrectly held low expectations. This effect has been labelled the Pygmalion effect after the Greek myth (2).

There is an effect in the opposite direction known as the Golem effect (3), whereby people who are told negative things about themselves begin to believe them. Naturally, there has been very limited study of this, given the ethical considerations of subjecting people to this kind of treatment.

This can most probably be applied to various situations, including in the workplace. It seems logical that employees and their performance will be tested in a similar manner, which includes their attitude towards matters of cyber security. If people are told that they are the ones likely to make an error, it potentially becomes something of a self-fulfilling prophecy. If they are told that they are able to help stop these breaches, then we could expect to see improved performance.

Naturally, there are limitations on the power of positive thinking alone, and believing you have the ability to do something is generally not a substitute for actually being able to do it. Anyone who has ever sung karaoke can attest to this!

Changing the narrative around cyber security, and how communication is delivered, so that employees feel they are not the problem is key. Relevant and considered training and being armed with the right tools are still just as important, but so is creating an environment where employees are empowered to make positive change. It would be interesting to know how much more effective employees would be if they were treated more like ‘cyber security superheroes’ than cyber security villains.


(1) Humankind, Rutger Bregman p256


(3) Humankind, Rutger Bregman p257