Publication: The nature of society: Are certain cultures less predisposed to cyberthreats than others?

An examination using the example of Germany

Author: Jochen Werne

Published: Werne, Jochen (2019, December 1). The nature of society: Are certain cultures less predisposed to cyberthreats than others? An examination using the example of Germany. In the Cyber Security: A Peer-Reviewed Journal, Volume 3, Issue 2.

ABSTRACT

Successful ransomware attacks and thefts of data and passwords have unequivocally demonstrated that technical defensive measures are to be considered as merely basic moves in the protection against cyberattacks, and that security concepts, if to be effective, must take ever greater account of the human factor. Several examples prove that attack vectors which belong to the area of ‘social engineering’ are menacingly successful. Employees of enterprises, especially SMEs, frequently underestimate their importance when assessing security risks and the defence against them. As a consequence of these findings, a company-wide risk management should respect cultural and psychological peculiarities. Another promising approach are AI-based concepts, both as a technical defence against cyberthreats and in respect of processes specific to the company, as well as culture-specific characteristics of its employees. Both approaches are based on understanding human behaviour in its sociocultural context. Within the scope of this paper, this cultural aspect of cyber security is examined with regard to whether certain cultures may be less predisposed to cyberthreats than others. This is analysed using the example of Germany and also considers the question whether more or less authoritarian company cultures play a role in this context. How can phenomena such as German angst and similar cultural peculiarities be adequately taken into account? The remarks are mainly targeted at an audience which is concerned with organisational and technical countermeasures again cyberthreats. They focus on the importance of incorporating findings from psychology and social sciences when designing and realising such measures.

Author’s Biography

Jochen Werne is the Chief Development and Chief Visionary Officer (CDO/CVO) and executive committee member of PROSEGUR Cash Services Germany Ltd. Prior to that he was director and authorised officer of the Bankhaus August Lenz & Co. AG. Jochen is also member of the Federal Ministry of Education and Research Initiative ‘Learning Systems’ — a platform for artificial intelligence, member of the expert board of Management Circle, as well as a member of one of the most important think tanks worldwide: Chatham House, the Royal Institute of International Affairs. Jochen is a keynote speaker at various banking, innovation and executive conferences as well as an author and co-author of several textbooks and professional articles.

ABOUT Cyber Security: A Peer-Reviewed Journal

Cyber Security is the major peer-reviewed journal publishing in-depth articles and case studies written by and for cyber security professionals.  It showcases the latest thinking and best practices in cyber security, cyber resilience, cyber crime and cyber warfare, drawing on practical experience in national critical infrastructure, government, corporate, finance, military and not-for-profit sectors.

Each quarterly 100-page issue analyses significant current and emerging cyber security threats and the latest strategies, techniques and technologies available to detect, manage and react to them, helping to uncover potential weaknesses in your current systems which could be open to attack. Its detailed articles and case studies – all of which are peer-reviewed by an Editorial Board of leading cyber security experts – provide in-depth, actionable advice and ‘lessons learned’ from fellow professionals, showing how cyber security programmes have been specified, designed, implemented, tested and updated in their organisations, as well as how data breaches and exercises have been managed in practice.

Cyber Security does not publish advertorial or advertising but rather in-depth articles on key topics including:

  • Cyber security risk assessments, platforms and frameworks
  • Building cyber response programmes
  • Protective measures
  • Threat surface analysis and detection
  • Incident response and mitigation
  • Training ‘red’ teams
  • Crisis and reputation management
  • Recovering from a data breach
  • Employee and customer awareness, education and training
  • Workforce analysis and programmes
  • Reporting to senior executives and getting sufficient funding
  • Scenario planning, penetration testing and cyber security exercises
  • Reducing insurance premiums
  • Cyber security in the supply chain
  • Insider threats
  • Cloud security risk
  • Cyber warfare, cyber terrorism and state-sponsored attacks
  • Safe disposal of sensitive data
  • Cyber security investigations and digital/analogue forensics
  • Hackers’ techniques and motivations
  • Security architectures and network assurance
  • Internet fraud techniques
  • Encryption, cryptology and data protection 
  • User behaviour analytics

Video: Full ec4u digital thoughts Conference Keynote: What’s next? Expeditions into the digital realm

Jochen Werne, Director Marketing & Business Development at Bankhaus August Lenz, explains in his keynote address how we can shape the future from the innovations and topics of the past and why digitization must be thought of not only technologically but also culturally.

ec4u Digital Thoughts Conference Keynote

Jochen Werne, Direktor Marketing & Business Development beim Bankhaus August Lenz, erläutert in seiner Keynote, wie wir aus den Innovationen und Themen der Vergangenheit in der Gegenwart die Zukunft gestalten können und warum Digitalisierung nicht nur technologisch, sondern auch kulturell gedacht werden muss.

Keynote announcement: International Banking Innovation Forum, Vienna

Banking Professionals are faced with many new challenges as PSD2 & Instant Payments in Europe at center stage which are driving automation and Innovations. It will be a great pleasure representing Bankhaus August Lenz with a keynote on the importance of the combination of all aspects of HUMAN, DIGITAL & CULTURE to create valuable business models for future banking. Looking forward joining other Top Industry Experts to tackle these topics with them.

The Cultural Dimension of Cyber Threats

Country-specific aspects of cybercrime.

The number of cyber attacks on businesses, governments and individuals is increasing worldwide. The human being in his cultural environment is an important element. Different cultures seem to be associated with different susceptibilities.

by JOCHEN WERNE – Original published in German on January 18, 2019 at Der Bank-Blog – Translation with DeepL.com



In its annual management report “The Situation of IT Security in Germany 2018”, the Federal Office for Information Security records a threatening scenario: The number of cyber attacks on the federal government, German industry and private individuals is increasing at an alarming rate. Germany, in particular, is being massively targeted by criminal hackers.

One thing is certain: almost 90 percent of all cyber attacks have a criminal background. Approximately ten percent of all cyber attacks are caused by state cyber warriors. The goal of criminals is either personal data (account connections, credit card numbers, passwords, etc.) or capturing the computer for new attacks via bot network or to extort ransom money for the renewed release of the computer. The ransomware “Wannacry” is an equally prominent and frightening example of this. If state systems become the target of hackers, this usually results in sabotage, espionage and the spying out of trade secrets. The BSI discovered 800 million malicious programs for computer systems last year. In the previous year, the figure was 600 million – around 400,000 malware variants are added daily.

Cyber Security and the Human-Cultural Factor

The view must be directed to an important dimension of the human factor: The influence of different cultures on the handling of technology and in particular on the behaviour of individuals in the context of cyber security. Cultural peculiarities influence preferences, prejudices and behaviours. In his renowned book “The Culture Code”, anthropologist and marketing expert Dr. Clotaire Rapaille explores how members of different nationalities have developed very different codes for the image of products, companies or countries.

These findings come from client assignments in which Dr Rapaille conducted extensive interviews with focus groups to identify cultural preferences, prejudices, idiosyncrasies and behaviors. In more in-depth analyses, a piece of generalized psycho-cultural characteristics is then derived from representatives of the countries studied.

Country-specific aspects of cybercrime

Questions arise as to what protective concepts and guidelines might look like that take this background into account appropriately? And what role do cultural and country-specific aspects play here, such as the famous “German Angst” and corporate cultural aspects, such as the comparison of a classical hierarchical system versus Holacracy models, which have become increasingly en vogue in times of digital transformation?

Some concise examples from the findings of Dr. Rapaille: Americans define themselves strongly through their work. In this culture, professional activity largely determines the image of one’s own identity. The importance of money in this culture is proof of diligence and success.

The author sees completely different meanings in European countries. In France, for example, work and money are regarded more as “necessary means to an end” – those who can afford it expect at least a certain amount of entertainment and comfort from their job there. According to Dr. Rapaille, quality and technical perfection play an important and in some cases even absolute role in Germany or Japan, while US-Americans, according to his analyses, in many cases content themselves with “It just works” and are even sceptical about excessive perfection.

The author recognizes the Germans’ tendency towards perfectionism, which is partly exaggerated from a foreign point of view, as decisive for the quality of “German Engineering” and the global economic success of the Germans in this field. Dr. Rapaille is convinced that US culture, on the other hand, is characterized by a widespread refusal to grow up, which in turn leads to a great competitive advantage in the field of innovation.

Conclusions for more cyber security

This raises the question what are the appropriate protection concepts in an increasingly complex threat situation. A classic approach is the definition and enforcement of policies, both on a technical and organizational level, which are intended to guarantee compliance with security measures. The more hierarchically and authoritatively a corporate culture is aligned, the more restrictive the corresponding guidelines usually become.

However, the approach of establishing security primarily through bans and restrictions on user freedoms has proven to be double-edged in practice. The more the possibilities of an individual user are restricted, the more this encourages the tendency to escape the corset of safety-related rules.

A typical consequence is the “Bring Your Own Device” (BYOD) problem with which many company IT departments have been confronted for years – if the functions and authorizations of their work equipment are too limited, users bring private end devices with them to the workplace. These are then often not integrated at all into the protection and security concepts of the company. If the BYOD escape route is also suppressed, such measures often result in a refusal attitude à la “The desired is not possible with the means available – if the IT department wants it that way, then this task cannot be solved”.

Flat hierarchies and personal responsibility as a solution?

Is the better way, then, in holacracy models, in flat hierarchies, or in “loose reins” in terms of security and a strengthening of employees’ personal responsibility?

For the reasons derived in the preceding sections, this approach is by no means a guarantee for higher IT and information security. A healthy middle course could lie in adequate risk management. Technical and organisational security measures take into account the hazard level of specific data and applications. Sensitive areas and particularly sensitive data are subject to more stringent security measures, business areas or processes with less sensitivity are also protected, but assign employees a higher degree of personal responsibility. All protective measures take into account the above-mentioned psychological and cultural-historical findings.