Republic is an endpoint agent-based software for measuring and influencing the cybersecurity knowledge, sentiments, and actions of an organisation's employees, as well as improving the cyber culture of the organisation itself.

It also acts as a hub for cyber incident reporting to ensure a smooth and simple reporting process that is exactly the same as the procedures users learn through the daily interventions.

On the individual side, the user experience is based on gamified content with personal avatars, in-game currency and level systems delivered via desktop notifications, videos, games and other stimuli with an average interaction time of less than 60 seconds per touchpoint. In-game currency can be converted into cosmetic rewards or, in collaboration with the respective organisation HR, into real rewards. It is also planned to integrate the levels as specific LinkedIn badges that users can add to their profile to showcase their cyber knowledge.

Light but continuous interactions with the software will ensure the psychological safety of each user, while collecting enough information about them to provide a unique experience for each user, aimed at delivering the most useful content in the shortest time and in the way they are most likely to respond. All data collected is anonymised and encrypted so that not even Recyber staff can see the assessment of an individual user.

However, all these interactions with individual users allow us to measure their behaviours. We then use the aggregated behavioural data of an organisation, or departments within that organisation to assumptions at an organisational or departmental level to provide actionable insights for the organisation to improve their cyber culture. This continuous data collection also allows Republic to measure and monitor changes over time.

According to IBM, 90% of cyber attacks are more or less enabled by human error. Therefore, it is very easy to call the employees the weakest link in an organisation's cybersecurity. We believe that we can change this narrative, and that they, if empowered and effectively guided, can become an exceptionally powerful line of defence for cyber security incident detection and response.

The fact is that every security incident involves a human decision in some way, such as:

• Whether or not to click on a link
• Whether or not to plug in a USB device
• Whether or not to use a strong password
• How to treat someone who has made a mistake

Each of these decisions can either improve an organisation's security posture or expose it to vulnerabilities. Unfortunately, it's a big misconception in cybersecurity that people are always objectively rational and that more training and phishing tests are the magic answer.

1: Trainings

Trainings have some value, of course, but they are flawed in that they assume that human decisions are based on knowledge alone; that if you know the right answer, you will behave in the right way. This is completely wrong! For example, it is almost universally known that obesity and tobacco products shorten life expectancy, and despite this knowledge, many people still make unhealthy choices.

As far as cyber security is concerned, people know the right answer in most cases, but they still have to overcome other internal and external factors to behave correctly. Some of these factors are time constraints, social pressure, complex processes, rapid changes, system constraints, but there are many more.

The mandatory annual training that has become the industry standard for HR or information security professionals to "tick off' the human part of the cybersecurity equation does not account for what motivates human behaviour.

They unanimously ignore the basic human need for autonomy and control, which leads to employees not taking the learning seriously, dismissing it as irrelevant and not using it as part of their own mental model for decision-making. This causes frustration, alienation, and a deterioration in sentiment towards cybersecurity in general resulting in widening the perceived gap between IT professionals and the rest of the staff. Even among the few who actually engage in these mandatory trainings, what is learned in the annual trainings quickly fades away due to the way human memory works.

2: Phishing tests

Another flawed industry standard is phishing tests, where system users are sent deceptive emails to determine how likely they are to fall victim to real attacks. In many cases, these tests are directly related to cyber training, and while measuring behaviour rather than underlying knowledge is of great value, this approach is flawed in two ways.

First, phishing tests are more a measure of how good an attacker is rather than how good an employee is at spotting them. Given enough time and resources, an attacker will almost always find a way to trick a person, and we know that even if a defender makes the right decision 99% of the time, the attacker only needs that one mistake to win the game.

But we also know that dwell time, the number of days an attacker stays in an environment before either being detected or launching an attack, is often weeks or even months, and so what an employee does after clicking on a wrong link or downloading a malicious file is much more important than the act itself.

Secondly, there are unwritten rules between people in society that manifest themselves in a set of expectations we all have of each other:

• that others will look out for our safety in their actions;
• that others will not deceive us,
• that others will not knowingly seek an unjust outcome in their relationship with them, etc.

This psychological contract exists in every relationship, including that between employee and employer.

Phishing tests are inherently deceptive. When an employee is compromised by the test, they often feel that the social contract they have with their employer has been broken. This is a well-researched psychological phenomenon and often leads to disengagement and even destructive behaviour. It turns the nature of the psychological contract on its head: if it is acceptable for the employer to deceive the employee, then it must also be the case in the other direction. In cases where failed phishing tests lead to training, employees are much less likely to engage meaningfully with the content because of a negative attitude towards the deceiver, in this case their employer.

Another highly problematic effect also occurs. Phishing tests communicate to employees that cybersecurity mistakes have negative consequences, such as unscheduled time for training or social embarrassment if they are perceived to have been compromised. As a result, staff are likely to take steps to avoid being considered at fault for behaviour they can logically associate with phishing. This is extremely damaging to incident reporting, which is often the best possible defence against cyber threats.

1. The value for the individual user:

• Less time and effort spent on mandatory training: As Republic identifies each individual's needs down to the smallest detail, time is not wasted training users on topics in which they have already demonstrated competence.
• Reduced negative attitudes towards cybersecurity: A positive outlook moves away from victim blaming and fault-centric concept of cybersecurity and helps everyone internalise their own role in defending against attacks.
• Positive rewards for interacting with Republic: Republic uses proven and unobtrusive gamification mechanisms and to reward interactions and secure decisions.
• Psychologically safe measurement and intervention: Republic helps employees feel socially safe and empowered to take an active role in cybersecurity. Every aspect is designed to promote and improve psychological safety.
• Improved individual safety at work and at home: Secure behaviour is not only a professional concern and attacks are not exclusively directed against companies. Republic's security concept starts with the individuals and helps them and their families to be cybersecure in their private lives as well.
• 2: The value for the organisation:

• Reduced likelihood of behavioural exploitation: Since most attackers engage directly with an individual by either deceiving them or exploiting their mistakes, the demonstrable reinforcement of safe behaviours has a significant impact on overall cybersecurity risk. Republic directly contributes to this risk reduction.
• Increased reporting: By actively building psychological safety into the platform, Republic increases employee vigilance, but more importantly motivates them to report the issues they identify. This also allows security personnel to close vulnerabilities they did not see before they were exploited and respond to incidents that may not be detected through technical detection measures.
• Detailed, accurate and meaningful socio-behavioural data: Based on detailed behavioural science research and expertise, the Republic platform provides data that enables decision makers to effectively identify the source of behavioural issues that lead to vulnerabilities. Although Republic is highly detailed, it simplifies feedback as needed so leaders can communicate real concerns and advocate for excellence, rather than just promoting the vague concept of a cybersecurity culture.

1. Interactions with the individual users:

Republic interacts with the individual users in a number of ways. Below are some of the examples of different interventions. The list is not exhaustive.

• Interactive video clips: At various intervals the user will get notifications from Republic. If the user does nothing, the notification will disappear. If the user chooses to interact with the notification, they will be shown a short video clip on a security situation and will be asked to choose from a list of multiple choices how they would behave in that situation. Another short clip will display the consequence of their choice and they will be awarded a number of points for their choice.
• Interventions: Republic goes a step further by continuously accessing this data and providing users with the best possible interventions when needed. These can be extremely short and timely training sessions or other media tailored to the exact needs of the individual user.
• Mini games: The users will have the opportunity play any number of cybersecurity related games. These games will be time locked to limit the amount of time a user can continuously spend on them.
• News: Republic will deliver to users global news on cybersecurity as they become relevant. Users will gain points for accessing and reading those. Customer organisations can also opt in to also communicate organisational level cybersecurity news through Republic platform.
• Alerts: In certain cases, Republic will alert users in order to reduce cybersecurity risks. For instance, when a user has been working for several hours without taking any breaks, he/she will receive a message stating, “It is harder to spot cyberattacks when you are tired – take a small break!”. Preconfigured or custom messages can also be shared through the platform when an attack against the company’s systems or networks are detected, with instructions on what actions to take.
• Signal: Republic has its own built in cyber incident reporting system that follows the exact same steps that are shown to the users during the interventions. Therefore, the real procedure for reporting of a cyber incident is exactly the same as what they will be trained to do.
• Guardians of Republic: Once they reach a certain level, users will be given the option to join the “Guardians” who are champions of cybersecurity in their respective organisations. This is options is completely voluntary basis

1. Interactions with the super-users

Republic continuously collects data from end users and evaluates it based on Recyber's behavioural taxonomy. This comprehensive framework identifies and categorises every conceivable human behaviour that can positively or negatively impact overall cybersecurity. As a result, Republic can provide extremely accurate metrics that can be used to identify problem areas against which customer-side super-users can analyse performance against five overarching themes:

1. Baseline proactive security behaviours: The behaviours performed by an individual that help minimise their own potential attack surface. These are continuous activities, regardless of context or threat. They are largely process and routine driven and are often referred to as "cyber hygiene".
2. Threat-oriented security behaviours: The behaviours of a user faced with a threat situation. They take into account personal vulnerability and the different approaches of threat actors.
3. Event response: Behaviours that are triggered when a cybersecurity event occurs. This is considered as a cycle from suspicion that an event is occurring to remediation of the problem.
4. Pro-social impact: Behaviours that influence others towards security.
5. Environment-specific behaviours: Behaviours that are determined by the context in which they occur in relation to the equipment and physical environment of the task.

   To better understand their organisation, super-users can examine organisational-level outcomes and then break them down into predefined audience segments and assess the precise impact of specific social actions on cybersecurity risk within those segments. However, to ensure the psychological safety of individual users, the data is anonymised and encrypted at the individual level so that neither the super-users nor Recyber staff can see it.

   Based on these results, Republic also provides specific recommendations for intervention actions and enables super-users to drive their organisation towards more secure behaviour.

   Thanks to the drill-down mechanism embedded in Republic, the data can be presented as simply or as complexly as the super-user requires. This can range from an abstract, high-level assessment of cyber behaviour, giving top management a general insight into the cultural mindset of their organisation, to very detailed data on the frequency and trends of specific behaviours.