Behaviour changes when cyber security gets personal
Awareness of threats to cyber security does not necessarily mean a change in behaviour. What we do practically will only change when there are three factors present: a level of motivation to want to change, being equipped with the right tools to be able to change, and being prompted and reminded effectively.
This was one of the main outcomes from a keynote presentation “Using behaviour design to build effective security culture and awareness programs”, delivered by Anna Collard, SVP of content strategy & evangelist, KnowBe4 Africa, at ITWeb Governance, Risk and Compliance 2022, held in Sandton and online this week.
Collard said according to KnowBe4 Africa research, based on a survey of the digital awareness of users across eight countries, 44% of respondents will continue to work from home or in a hybrid fashion, but only 29% feel their employers have adequately trained them in cyber security.
“What’s even worse is that in certain areas we are actually dealing with a level of unconscious incompetence – that’s people that think they know, but they actually don’t even know what they don’t know.”
As an example, KnowBe4 asked if respondents are confident in their ability to detect a cyber security incident on their devices.
More than half of the respondents boldly said they were and could detect any issues.
Working against human nature
Collard explained: “Now, I’ve worked in cyber security for twenty years and I can tell you now, I am not confident, because it is very stealthy… in the same survey, again, over half of the respondents didn’t know what something as popular and as simple as ransomware was, or what multi-factor authentication is. The fact is we are dealing with people who are not digitally savvy enough to protect themselves, their families and their children.”
There are three things that have to be considered to improve security culture, said Collard:
- Just because I’m aware doesn’t mean that I care.
- If you try to work against human nature, you will fail.
- What people do is way more important than what they know.
However, awareness by itself does not automatically result in secure behaviour.
The traditional approach of focusing on content, policy and driving up awareness in the hope that people will change does not work, Collard advised.
Lifting the fogg
Collard referred to a behaviour model devised by BJ Fogg, who she said is recognised as being ‘the father of behaviour design’, albeit more within the marketing / ecommerce space.
The principles of this behaviour model can be applied in the context of cyber security, Collard said.
According to Fogg’s model, behaviour only happens when there are three elements apparent at the same time.
Said Collard, “The first one is we need to engage or inspire a level of motivation in the person to want to change. The second one is we have to equip the person with the tools or the ability in order to be able to change, and then the third one is that we actually need to remind them or prompt them to do what they must to change.”
These elements combined represent the optimal outcome in terms of behavioural change.
Techniques that can be used to engage people include campaigns and digital workshops that run through practical guidelines, positive reinforcement of cyber security messaging, and a more collective, supportive approach to cyber security guidance.
Collard added that companies such as Discovery, Old Mutual and Nedbank have initiated popular online campaigns, also with the participation of celebrities.