Behaviour changes when cyber security gets personal
Awareness of threats to cybersecurity does not necessarily mean a change in behaviour. What we do practically will only change when there are three factors present: a level of motivation to want to change, being equipped with the right tools to be able to change, and being prompted and reminded effectively.
This was one of the main outcomes from a keynote presentation, ‘Using behaviour design to build effective security culture and awareness programs’, delivered by Anna Collard, SVP of content strategy & evangelist, KnowBe4 Africa, at the ITWeb Governance, Risk and Compliance 2022 virtual conference.
Collard said that, according to KnowBe4 Africa research based on a survey of the digital awareness of users across eight countries, 44% of respondents will continue to work from home or in a hybrid fashion, but only 29% feel their employers have adequately trained them in cybersecurity.
“We’ve heard how important it is to take the corporate defence to the personal defence rather, people don’t feel comfortable. What’s even worse is that in certain areas we are actually dealing with a level of unconscious incompetence – that’s people that think they know, but they actually don’t even know what they don’t know.”
As an example, KnowBe4 asked if respondents are confident in their ability to detect a cyber security incident on their devices.
More than half of the respondents boldly said they were and could detect any issues.
Collard explained: “Now, I’ve worked in cyber security for twenty years and I can tell you now, I am not confident, because it is very stealth… in the same survey, again, over half of the respondents didn’t know what something as popular and as simple as ransomware was, or what multifactor authentication is. The fact is we are dealing with people who are not digitally savvy enough to protect themselves, including their families and their children.”
There are three things that have to be considered to improve security culture, said Collard.
- Just because I’m aware doesn’t mean that I care
- If you try to work against human nature, you will fail
- What people do is way more important than what they know
The problem, however, is that awareness on its own does not automatically result in secure behaviour.
The traditional approach of focusing on content, policy and driving up awareness in the hope that people will change does not work, Collard advised.
Lifting the Fogg
Collard referred to a behaviour model devised by BJ Fogg, who, she said, is recognised as ‘the father of behaviour design’, albeit more within the marketing / ecommerce
The principles of this behaviour model can be applied in the context of cyber security, Collard said.
According to Fogg’s model, behaviour only happens when there are three elements apparent at the same time.
Said Collard, “The first one is we need to engage or inspire a level of motivation in the person to want to change. The second one is we have to equip the person with the tools or the ability in order to be able to change, and then the third one is that we actually need to remind them or prompt them to do what they must to change.”
These elements combined represent the optimal outcome in terms of behavioural change.
Among the techniques that can be used to engage people are campaigns and digital workshops that run through practical guidelines, positive reinforcement of cyber security messaging, and a more collective, supportive approach to cyber security guidance.
Collard added that companies like Discovery, Old Mutual and Nedbank have initiated popular online campaigns, some with the participation of celebrities.