The Bandura Effect: how to harness this powerful behaviour model in your training

Employees will always be critical in ensuring effective cyber security practices, and their behaviour and decision-making can significantly impact an organisation's security posture. Just as a fortress's strength relies on the competence of its guards, an organisation's security posture hinges on the behaviour of its people.

To address employee behaviour, we direct organisations towards social learning principles and psychological theories to enhance their cyber security training and awareness programs.

Simple, one-and-done compliance-based training is fine … but if it is not inspiring long-term changes in employees and your overall culture, are you positioning your training and awareness materials correctly?

The Bandura Effect: what is it?

Albert Bandura's Social Cognitive Theory (SCT) emphasises the role of observational learning, where individuals acquire knowledge and skills by observing others' behaviours and outcomes.

• Bobo Doll Experiment: Bandura ran a Bobo doll experiment to represent how observational learning works. In the experiment, children observed a film where an adult repeatedly hit a large, inflatable balloon doll and then had the opportunity to play with the same doll later. Children were more likely to imitate the adult's violent actions when the adult either received no consequences or when the adult was rewarded. Children who saw the adult being punished for this aggressive behaviour were less likely to imitate them.

In our case, employees and beginners will be observing cyber advocates and security leaders in your organisation.

The Bandura Effect possesses the power to shape individual behaviours through observational learning and role models. Just like a master illusionist, it pulls the strings of behaviour, guiding individuals towards secure practices.

Through observational learning, individual behaviours can spread across a culture through a process called diffusion chaining. This occurs when an individual first learns a behaviour by observing another individual and that individual serves as a model through whom other individuals learn the behaviour, and so on.

You must also keep in mind that Bandura clearly distinguishes between learning and performance. Unless motivated, a person does not produce learned behaviour and it never transfers to their work performance. With motivation and external reinforcement, such as the promise of reward or work-related incentives, you will see learning transform into new behaviours.

Furthermore, according to Bandura's research, there are several factors that increase the likelihood that a behaviour will be imitated. For example, employees are more likely to imitate:

• Colleagues they perceive as warm and nurturing.
• Colleagues who receive rewards for their behaviour.
• Colleagues who are in an authoritative position or high social status
• Colleagues who are similar to them in age, sex, and interests

By leveraging The Bandura Effect, organisations can cultivate a culture of cyber security awareness and empower their employees to become active participants in safeguarding their digital environments.

The power of cyber security advocates and role models

At the centre of The Bandura Effect lies the concept of observational learning, which suggests that individuals learn from observing others and the consequences of their actions.

Observational learning is at the heart of the Bandura Effect. Think of it as following a recipe for cyber security success. Much like watching a skilled chef cook a dish when following a recipe, employees can observe cyber security experts in action and learn best practices. By observing their behaviours, decision-making processes, and the positive outcomes of their actions, individuals gain invaluable insight into how to protect sensitive information and how to stay one step ahead of cyber threats.

In the context of cyber security, this means that employees can acquire knowledge and skills by observing their peers, managers, or designated cyber security advocates who demonstrate secure behaviours and practices. These advocates serve as role models, inspiring others through their actions and setting the tone for a security-conscious culture within the organisation. Just as a lighthouse guides ships through treacherous waters, these role models illuminate the path to a secure digital environment.

Research from the Ponemon Institute revealed that organisations with strong role models and observable behaviours in cyber security have a 70% higher compliance rate with security policies.

You can utilise manager masterclasses, champion programmes and interactive team activities with employees and security leaders alike to foster that culture of advocacy and observation.

By highlighting real-life examples of secure behaviours and their positive outcomes, organisations can tap into the inherent social nature of humans and create a ripple effect of behavioural change.

Humans are visual creatures. Just sitting them down in front of one piece of online learning a year is simply not enough. Back it up with visuals and activities that will stick with them and aid in fast and timely knowledge recall, especially at the most vulnerable points of operation.

How you can incorporate social learning principles to maximise effectiveness

Your organisation should utilise a range of strategies and mediums to reach employees at various stages of their awareness journey, different departments, and who learn alternatively to their peers.

What materials and channels can you use?

• Blogs and posters: Creating engaging and informative blog posts and posters that highlight best practices, real-world examples, and success stories can serve as constant reminders and reinforce desired cyber security behaviours. You can also use an internal blog as an awareness channel to keep employees up to date on emerging threats and keep them aware of threats and risks all year long.
• Intranet resources: Developing dedicated sections on your organisation's intranet that provides access to cyber security resources, such as articles, videos, and tutorials, enables employees to learn at their own pace and refer to information whenever needed. When human beings are told to do something at a specific time and at a specific pace, it can register as laborious and ignored. When you set up an always-accessible online resource that employees are free to refer to at any time they want, you hand power over to your employees and empower them to become security champions first-hand.
• Animations and infographics: Utilising animations and infographics to explain complex cyber security concepts in a visually appealing and easily understandable manner can enhance knowledge retention and engagement. Use animations to refresh employee behaviours when they are working digitally. And back it up with physical infographics to keep behaviours consistent.
• eLearning and gamification: Designing interactive e-learning modules and gamified training experiences not only makes learning enjoyable but also encourages active participation and skill-building. If you are looking to maximise effectiveness, an external partner such as TSC, can also create bespoke eLearning and games, from the ground up, incorporating your organisation’s language, protocols, and design architecture to slot seamlessly into your overall awareness campaign – creating a holistic product that will not confuse employees with mixed messaging.
• Webinars and interactive team activities: Conducting webinars and organising interactive team activities, such as mock phishing exercises or cyber security quizzes, foster collaboration and facilitate peer learning within the organisation. When you create a team activity space, you also naturally allow for the formation of security champions and security followers. By running team activities, you show that the organisation is handing over responsibility to the employees and wants them to be proactive in its status. Supplement this with rewards for your security champions to encourage an even more competitive, but healthy, workplace culture.
• Competency frameworks and manager masterclasses: Establishing cyber security competency frameworks that outline desired skills and knowledge levels can guide employees' professional development. Additionally, providing manager masterclasses on cyber security leadership equips managers with the tools to effectively promote and reinforce secure behaviours among their teams. This relates directly back to the main principle of Bandura’s social theory; individuals learn from observing others … and who better than your workplace superior?

Creating a supportive learning environment and security culture

We hope that clears up what materials you can use and how you can use them to encourage active observation of desired security behaviours, increase employee knowledge retention levels, make sure safe security behaviours are imitated and how feedback paired with motivation is a vital decisive step.

However, to maximise the impact of social learning in cyber security training and awareness programs, organisations must also consider the learning environment they have put together; you need one that encourages knowledge sharing and skill development.

How can you create one that does just that?

• Security Awareness and Behaviour Research (SABR): Conducting regular security awareness and behaviour research enables organisations to assess the effectiveness of their training initiatives, identify knowledge gaps, and adapt their programs accordingly. This is a key step many organisations do not value enough as it provides invaluable analysis of what your employees are engaging with, how they learn and what the biggest threats for your organisation are.
• 3-Year Strategies: Cyber attacks do not discriminate by date. In fact, threat actors will leverage anything if it increases their attack success rates. Developing comprehensive three-year strategies for cyber security training and awareness programs ensures a long-term focus and commitment to continuous improvement. These strategies should incorporate feedback loops, regular evaluations, and adjustments based on emerging threats and industry trends.
• Board engagement: Encouraging board-level engagement and support for cyber security initiatives fosters a top-down approach and sets the tone for a security-conscious culture throughout the organisation. If an employee sees their CEO or manager taking ‘Clear desk, clear screen’ policy seriously, they are more likely to emulate their safe behaviour they see as they associate it with leadership and progression in your organisation.

Organisations that prioritise creating an environment that fosters continuous learning and knowledge sharing are more likely to see positive behavioural changes and a heightened cyber security posture. Employees need to feel empowered and supported in their journey towards becoming cyber security advocates themselves.

In conclusion

In the face of growing cyber threats, organisations must recognise the power of social learning and the role it can play in enhancing their cyber security training and awareness programs.

The Bandura Effect is a fantastic foundation; it provides valuable insights and by leveraging this theory, organisations can plan and cultivate a culture of cyber security awareness and responsibility.

Through strategies such as blogs, posters, e-learning, games, webinars, and team activities, organisations can effectively incorporate social learning principles into their training initiatives.

By harnessing the power of social learning and embracing Bandura's Social Cognitive Theory, organisations can empower their employees to become active participants in the collective defence against cyber threats, mitigating risks and protecting valuable assets.

For more information about how TSC can support you to enable behaviour change in your organisation contact us here.

If you would like more information about how The Security Company can help you to increase employee awareness or how we deliver long term security culture change ... please contact our Head of Business Development and Sales,  Jenny Mandley.

The Security Company's vast library of customised and non-customised products and services are tailored for small, medium and large organisations and are available in a variety of languages. We also offer bespoke solutions for organisations that desire training and awareness materials built from the ground up.