Behaviour change: environmental, social, and personal influences you can control

A significant obstacle when maintaining organisational cyber security is the insecure behaviours of employees and network users.

As the number of worldwide internet users is now over 5 billion (or over 64% of the global population), developing an understanding of individual behaviours when faced with a cyber attack or threat, is key and valuable to addressing cyber security and mitigating such attacks.

A National Cyber Security Association (NCSA) survey of small businesses in the US, suggested a cyber security disconnect where 77% of organisations believed their business was safe from cyber threats. Furthermore, 47% even believed a data breach would have no impact on their business. Despite this, 87% of organisations did not have a formal written security policy and 69% did not even have an informal one. And, worryingly, 18% said they would not even know if their computer network was compromised.

To address the human component of cyber security we need to understand the factors which affect human behaviour in general and cyber security behaviours specifically. In this case, we see three big factors at play when it comes to behavioural influence: your environment, social pressures, and personal influences.

Environmental influencers

Environmental influencers on security behaviours include such things as the design of the digital work environment, the actual physical structure of the workplace, employee task/workflow, economical influences, and the technology employees are asked to use on a daily basis. Let us break it down a little further:

• Design factors: Good intuitive design is fundamental and security practices should be at the forefront of your thinking when assessing, designing, or selecting your chosen application for work management and employee workflow. Nudges to encourage safe security behaviours should be designed in from the start and not shoehorned in at the end. Much of the technical effort in cyber security should be aimed at designing security tools and behavioural change programmes that are easier to use and engaging to employees. Useful design can be used to persuade people to behave more securely.
• Economic factors: Humans naturally carry out cost benefit analysis when deciding how to behave. Many of us do this subconsciously. Economic incentives influence behaviour, and these can be both positive (such as a reward) or negative (such as sanctions and fines). Research has shown that users will happily ignore the security credentials and risks of a website if economic factors are right for them. Motivators such as desire for a free product can lead to ill-advised downloads and use of insecure sites, which can then lead to cyber attacks via ransomware, malware, and phishing.

However, it must be noted, that research on sanctions for poor security behaviour highlighted that higher penalties does not translate to more secure behaviours. In fact, the more reliable changer of behaviour is a positive reinforcement, rewards, and healthy competition.

Social influencers

It may be a simple conclusion, but: we are influenced by the people around us – friends, family, colleagues, managers, and other role models. Research has shown, as a social species, other colleagues’ beliefs and behaviour strongly influence our own. Most people will conform to the “social norm” if it is widely established, respected, and followed. When we translate this to the workplace, overall organisational culture influences the individual employee’s perception of what is and is not acceptable behaviour. As a result, leadership, and board buy-in have been found to be key components of security culture change. In short, management must be seen to behave securely.

Personal influencers

When assessing workplace security behaviours, we must not be naïve enough to think that employees enter the workplace absent of security biases and built-in behaviours that have accumulated over years in the digital space. We cannot forget their preconceived experiences, perceptions, attitudes, and beliefs.

• Heuristics (mental shortcuts): People sometime rely on heuristics, or mental shortcuts that allow them to make judgments quickly and efficiently. These rule-of-thumb strategies shorten decision-making time and allow people to function without constantly stopping to think about the next course of action. While heuristics are helpful in many situations, they can also lead to biases. A key aspect of any behaviour change programme is identifying the unsafe heuristics that exist in your employees and workforce.
• Personal attitude: Each person has their own set of attitudes and beliefs that influence their behaviour, both inside and outside of cyber security practices. Attitudes can be defined as a tendency to evaluate things in a certain way. Attitudes, in turn, influence behaviour and the decision-making process. Unfortunately, personal attitude and correct behaviours are not always perfectly aligned, and this can create lead to unsafe security decisions. This can be resolved by either changing the attitude in the first place or changing the behaviour associated with said attitude. For instance, employee attitude towards an internal security policy may be one of annoyance, believing the policy slows down productivity, and it is therefore not followed. To combat this, you can either target the overall attitude of the workforce regarding the security policy and build secure behaviours from new attitudes, or you can reassess the security policy, so it better fits the attitude of your employees, without compromising the key fundamentals of your cyber security.

Behaviour change models that drive actual change

Not one singular influence, environment, social, or personal, drive behaviour change in isolation, but when used holistically – the results are clear. Successful behavioural change campaigns that drive actual change, also consider:

• Rational choice: rational choice models assume that people will interpret all information available to them, then behave in a way that will result in the greatest benefits. However, research has shown that behaviour is not always based on the processing of information and people do not always appear to make a rational choice to achieve the best outcomes. This assumes that everyone has the motivation and the cognitive capacity to make the correct decisions, taking only the facts into consideration, which can be particularly difficult when dealing with emerging threats in cyber security and evolving cyber risks that employees will not have all the information on.
• Planned behaviour: successful behavioural change campaigns assume that some behaviours are pre-planned and if a person intends to act in a certain way, then they will. Planned behaviours come because of the social and personal influencers we have discussed above.
• Protection motivation: your behavioural change programme needs to consider that people’s behaviour is influenced by their individual perception of cyber threats. How vulnerable do employees feel? Do they understand how severe a cyber breach can be? And how do they rank their ability to cope with cyber threats? A successful behaviour change campaign, contextualises the risks of cyber security to answer these questions for employees, this increasing protection motivation.
• Mass communication: Behaviour change requires a medium for mass communication. For example, traditionally, brands and organisations have used TV adverts but are now using social media and the internet. However, the focus remains the same; one simple message is delivered via multiple channels to hammer home brand awareness.
• Generational targeting: Outside of cyber security, the most successful brand campaigns also personalise messages to specific groups. For instance, a no smoking advert targeted to teenagers may focus on how smoking affects your breath and teeth, whilst a no smoking advert for parents may focus on how secondary smoke is affecting the lungs of your children. Using social influencers that appeal to different generations, distinct roles, and even different communities can be highly effective in fostering behaviour change. Too often, generic employee awareness and training do not target a particular behaviour or group but attempt to address all simultaneously. And a jack of all trades, is a master of none!

The MINDSPACE framework

The MINDSPACE framework – discussed here by the Institute for Government – can also help you to see where social, environmental, and personal influencers come into play. You can then use this information to design an effective behaviour change campaign.

We run through the MINDSPACE framework and how you can use influencers to your advantage in this graphic.

In conclusion: what does YOUR behaviour change programme need?

Remember, research suggests that behavioural change campaigns are more likely to be successful if they are supplemented with:

• Understanding of rational choice and planned behaviour
• Sufficient protection motivation
• Efficient use of communication channels
• Generational targeting with messages for specific audiences
• Products and services to support the target security behaviours
• Role models/champions programme to encourage widespread adoption of desired behaviours.

As you can see, there are many factors that influence the effectiveness and scale of adoption for any behaviour change programme. These include environmental factors such as the design of the technology and the incentives driving the behaviour. Social factors such as peers and managers can influence behaviour. Our personal knowledge, beliefs, attitudes, perception, and coping strategies can also have a substantial influence.

The MINDSPACE model is a useful framework for assessing what influencers you can meddle with to ensure that correct behaviour communications are not only listened to, but also digested and retained. Knowledge and information is an important prerequisite to behaviour change but without focus on how you deliver that information, you may find you are putting a plaster over a large chasm.

If you would like more information about how The Security Company can help your organisation to enable employee behaviour change with the goal of improving your security culture ... or how we can run behavioural research to pinpoint gaps in your security culture ... or how we deliver data protection, privacy, and phishing training, please contact  Jenny Mandley.