Risky behavior is often the key reason behind data breaches. This may include neglecting to adopt password best practices, failing to update software regularly or making an ill-judged decision to click on a phishing link.
Every organization, no matter how small, has an interest in avoiding data breaches. After all, few things can have a more destructive impact on your business. However, in order to do so, we need first to understand the underlying factors that affect people’s behavior.
Understanding Influences on Security Behaviours
When studying people’s security behaviors, it’s important to consider existing influences. These influences can be both internal and external.
Internally, factors such as past experiences, existing knowledge and skills, feelings, attitudes and self-image can all play a role. External factors look at influences from social and environmental perspectives. These could be cultural values, societal norms, a sense of belonging within your community and observing how colleagues act.
In order to improve security behavior, it’s crucial to assess and understand how these different factors influence employees. You can do this through a mixture of self-reporting and knowledge assessments and other behavioral assessments and observations.
On top of this, you also need to consider your organization’s security culture. For example, how do your employees perceive the company’s values and attitudes towards security? And, what security practices and policies are already in place?
The Role of Efficacy
Many psychological theories, including protection motivation theory (PMT) and the parallel response model (PRM), try to explain security behavior change.
PMT argues that individuals are motivated to adopt safe behavior if they believe there is a severe threat. This belief drives them to act safely in the hope of reducing the threat.
PRM builds on this theory, introducing an element of “fear” when assessing the threat. It argues that people generally react to fear in two ways: avoidance and denial or activity to counter the threat. Unfortunately, while the latter is a start, it’s not enough to change security behavior in the longer term.
A key limitation of both approaches is that they assume ‘intention’ translates to positive behavior. However, there’s no guarantee intention will always lead to positive behavioral changes.
"So should we cast aside all attempts to positively change behavior and hope employees simply 'do the right thing'?"
Both theories are based on the assumption that people make rational security decisions. However, as current figures on cyber breaches demonstrate, this just isn’t the case. Neither theory takes into account System 1 and System 2 cognitive processing. This argues that people are not always rational and often make less reflective decisions and engage in automatic behaviors.
So should we cast aside all attempts to positively change behavior and hope employees simply ‘do the right thing’? Fortunately, it’s not that simple. A key factor in changing behavior is ‘efficacy.’ Efficacy (both self-efficacy and response efficacy) refers to a person’s ability to carry out positive security behaviors.
Self Efficacy and Response Efficacy
Self-efficacy is an individual’s confidence in their ability to respond to threats successfully. This confidence is fostered through positive reinforcement and encouragement, particularly from influential people and role models. One simple way of doing this is by offering public recognition to an employee who has done something right.
Response efficacy refers to the usability and availability of the training and controls needed to respond to threats. Crucially, these tools need to be effective without negatively impacting productivity. Or, in other words, security controls should be designed to be (EAST):
- Easy to use, so little effort is needed.
- Attractive through quality content and design.
- Social by highlighting how people’s peers are using them.
- Timely by introducing controls when people are most open to adopting new behaviors; for example when people’s previous habits are disrupted, or there’s a change in routine.
The Need for Designing Behavioural Interventions
As people often make automatic instead of deliberative security decisions, it’s important to introduce tools that trigger reflective and automatic decision-making processes.
Where possible, systems should be designed with prescribed security behaviors embedded — for example, implementing multi-factor authentication on accounts as default so that employees do not have to worry about making that decision themselves. Where this is not possible, nudges and cues are a good way to steer people in the right direction. These nudges may even trigger an individual to engage when making a decision actively. Eventually, this will help condition employees to pick up better security habits.
Make People Part of the Solution
Rather than seeing people as the source of security problems, people need to be part of the solution. This is achievable by empowering them through positive encouragement and usable tools. Equally important, organizations must design and implement interventions that promote more secure behaviors.