- Behaviour change
- 8 min read
Learn how to create a security culture by leveraging the behaviour change wheel and the COM-B model to focus your training and awareness materials for maximum effectiveness.
The cyber security landscape is ever evolving, and trends in technology and cyber threat reports are demonstrating a clear picture for 2023.
Our digital connectivity is expanding globally, data continues to be produced and stored in huge volumes and artificial intelligence (AI) is a hot topic of focus. AI tools like ChatGPT have caught the imagination of millions of people, as well as cybercriminals who are using such tools to produce their code and extend their social engineering capabilities.
With the threat landscape continuing to be dominated by ransomware, which sees increases in the average level of ransomware demands, payments and recovery costs, it is hard to imagine how organisations can bolster their defences even further. Cybercriminals adaptive strategies continue to find routes through to networks, maybe through evasive malware or MFA bombing and it has to be acknowledged that phishing remains one of the preferred attack vectors used by hackers.
To compound the threat even further, analysis conducted in March into HTML attachments, by security firm Barracuda, has found that 45.7% of HTML attachments are malicious. Therefore, there is almost a one in two chance that employees receiving HTML attachments might open a malware-infected document.
Faced with this reality and this snapshot of current threats, it is increasingly important to engage your workforce in their role within a strong line of defence against cyber attacks.
Training and awareness building are fundamental foundation stones in enabling people to provide that line of defence. However, training alone will not provide the behaviour change that is required from every employee.
Understanding the factors that can influence behaviours are the key to behaviour change.
The COM-B model of behaviour change, used by The Security Company (TSC), proposes that to engage in a behaviour (B) at any given moment, a person must be physically and psychologically able (C) and have the opportunity (O) to exhibit the behaviour, as well as the want or need to demonstrate the behaviour at that moment (M).
This model is effective because it identifies what component of behaviour needs to be changed in order for an intervention to be successful.
Capability is whether someone has the knowledge, skills and abilities to engage in a behaviour. This capability comprises mental state, knowledge and skills, and physical strength. For example, to make an individual feel capable of performing a behaviour or achieving an outcome, implementing a training session to help support learning of that behaviour may boost feelings of capability.
Do your employees ...
.. to be a strong line of defence?
Opportunity means the external factors that make execution of a behaviour possible. Physical opportunity, opportunities provided by the environment, and social opportunity are all valid components.
Do your employees:
... to be a strong line of defence?
Motivation means the internal processes that influence decision making and behaviour. Reflective motivation – the reflective process involved in making plans and automatic motivation, which are the automatic processes such as impulses and inhibition.
For example, to improve motivation, it is helpful to turn a desired behaviour from something people need to do, to something they want to do.
Do your employees:
... be a strong line of defence?
Behaviour change research shows that an individual’s behaviour will change if all the elements above are successfully implemented.
These three sources of behaviour are combined with the behaviour change wheel to provide a systemic overview for your organisation of your current security culture.
The behaviour change wheel explores your organisation’s infrastructure from guidelines, policies and procedures, communications and marketing processes, legislative and regulatory requirements to identify areas that will further support the behaviour change required.
The second layer of analysis is your organisation’s intervention functions that support or inhibit behaviour change. These include training, incentivisation, working environment and modelling.
The final layer contains the 14 Theoretical Domains Framework (TDF) domains for behaviour change.
When SABR (Security Awareness Behaviour Research) is layered with COM-B and the behaviour change wheel it provides a powerful tool to be able to focus resources in the right place. With employees consistently displaying secure habits and behaviours you can have the confidence that your human resources will be providing a strong line of defence against the cyber threats of 2023 and beyond.
For more information about how TSC can support you to enable behaviour change in your organisation contact us here.
If you would like more information about how The Security Company can help you to increase employee awareness or how we deliver long term security culture change ... please contact our Head of Business Development, Jenny Mandley.
The Security Company's vast library of customised and non-customised products and services are tailored for small, medium and large organisations and are available in a variety of languages. We also offer bespoke solutions for organisations that desire training and awareness materials built from the ground up.
© The Security Company (International) Limited 2023
Office One, 1 Coldbath Square, London, EC1R 5HL, UK
Company registration No: 3703393
VAT No: 385 8337 51