Cyber Awareness Part II: The Psychology of Behaviour Change
Part II: Optimising Behaviour Change
In our first blog Part I: The Science of Behaviour & Social Influence we covered the scientific theories behind behaviour change, introduced a practical framework used by professionals, as well as looked at the important factor of social influence.
In this, the second part of our series, we shall be further examining some of the concepts and discoveries that guide behavioural change experts in their work, including the use of deterrence or sanctions, principles of communication, the evolving science of habit forming, and the importance of effective training.
“[The] acquisition of skills requires a regular environment, an adequate opportunity to practice, and rapid and unequivocal feedback about the correctness of thoughts and actions.” - Daniel Kahneman
Framing your Message
The way in which a message is communicated has a big impact on how it is perceived and interpreted. The question is: how do we as security professionals frame our message to optimise behaviour change?
Incentives: Loss Looms Larger?
One of the most established concepts in behavioural economics is that of prospect theory. Developed by Daniel Kahneman and Amos Tversky in 1979, the theory asserts that individuals value gains and losses differently, placing more significance on perceived gains versus perceived losses. In other words, we care more about losing what we have than what we could gain.
As well as being highly significant in the field of economics, prospect theory also has its implications in the world of information security regarding how to best frame messages in the aim of affecting positive behavioural change.
For example, the statements “80% of users have strong passwords” and “20% of users do not have strong passwords” both convey the same information, yet people will reliably respond differently to these alternative framings.
When considering this observation in the context of information security though, we must remember, while negative behaviour can result in a loss (financial, reputational, etc.), positive behaviour does not result in a tangible gain, but rather a lack of loss (e.g., not experiencing a ransomware attack.
In a 2020 experiment, researchers investigated how the loss/gain framing of messages impacted online security behaviour.
Having participants navigate an online shopping process in which they receive both a fixed fee for participation, and a variable fee that “depended on the decisions they made during the online shopping process”, groups were subjected to either loss or gain framed security messages.
Loss Framing - “Navigate safely. If you do, you could win [the] maximum final endowment.”
Gain Framing - “Navigate safely. If you don’t, you could lose part of your final endowment.”
Tests found that messages focused on the negative consequences of non-compliance were more persuasive to participants, and that these loss framed messages were most effective when used in conjuncture with information security guidance, and when users had a personal motivation to change (i.e., financial loss).
This sort of finding is also evident in other areas of research, including health related messaging. For example, in an experiment into alcohol-related intervention, gain framed messages were found to be more effective with low issue involvement (lower personal stakes), whereas loss framed messages were more effective in those with high issue involvement.
Additional research has also found that when individuals are confronted with a decision that involves a risk of obtaining an unpleasant outcome (e.g., a cancer screening), loss again looms larger, yet when the perceived risk of the unpleasant outcome is low, or when the outcome is pleasant (e.g., physical activity), a gain-framed message has been shown to work better.
In terms of information security behaviour, the findings of this research have interesting implications for security specialists. We could, for example, theorise that when addressing different topics of behaviour, a combination of both loss and gain framing may be optimal for affecting change.
Both of the above are common topics for security awareness training, though each are very different in terms of perceived risk. The potential outcomes of a ransomware attack being significant financial and reputational cost, loss of data, time, and a whole host of other unpleasant consequences.
Contrast that with the topic of password managers, in which the risk is significantly less obvious. Firstly, in security training, we’re most likely looking to promote their use, as they help with both generating and storing passwords in a central location, and are widely used as a tool of convenience and security. The risk associated with not using one though, can in some cases be essentially negligible (if for instance, the user has few passwords to remember or has an excellent memory).
We can therefore hypothesise that when communicating about the topic of ransomware, a loss framed approach (emphasising its many unpleasant potential outcomes) will best affect desirable behavioural change. Whereas, when trying to promote the use of password managers, a gain framed approach (convenience etc.) would be our best choice.
Deterrence and Sanctions
Expanding on pleasant/unpleasant outcomes, the subject of deterrence is an often-overlooked area in terms of the conversation around security based behavioural change, and understandably so.
For the most part, security awareness training providers (Hut Six included) prefer their products to be primarily used as positive, educational tools, that also allow organisations to identify areas and individuals that require further assistance, and not to identify potential candidates for punishment.
Yet, at the same time, security management standards, such as ISO 27001 describe requirements for a “disciplinary process” that sanctions non-compliant behaviour (ISO/IEC 2013a). Raising the question, just how well do sanctions actually work?
As with our other areas of discussion, the answer isn’t immediately straightforward, and the field of what is known as deterrence theory offers no one-size fits all answer.
As the authors of a 2019 paper entitled ‘A Meta-Analysis of Deterrence Theory in Information Security Policy Compliance Research’ found contradictions in the research on using deterrence theory to predict Information Security Policy compliant behaviour.
The paper, which identified multiple variables, including sanction severity (harshness of a punishment), sanction certainty (likelihood of punishment), and sanction celerity (swiftness of punishment), finds that all these variables factor into the efficacy of reducing information security policy non-compliance.
For instance, the meta-analysis asserts that sanctions play a “limited role” in “deterring non-malicious ISP non-compliance”, but that punishment can regulate malicious ISP non-compliance.
Concluding that, based on the research “the greater the sanctions, the more likely they are, and the swifter they come, the more likely employees will adhere to ISP regulations”, but that deterrence provides a better payoff in specific contexts (“malicious contexts, those of high-power distance cultures, and those of high uncertainty-avoidance cultures”).
Although the role of sanctions is always going to be somewhat contentious, what we can say from a behavioural psychology perspective, is that how an organisation should leverage punitive measures to improve security behaviour will depend on its own culture and should require careful consideration and input from security professionals.
Window of Opportunity
Perhaps not the most obvious of area in terms of behavioural psychology and information security, research seems to suggest that the timing of intervention plays a significant role in affecting behavioural change.
In an interesting study published in the Journal of Environmental Psychology, researchers tested what is known as the habit discontinuity hypothesis, which proposes behavioural changes are more likely to be effective when instituted at a time of significant life change. In this case, when moving house.
Observing 800 participants, and controlling for various factors (past behaviour, intentions, perceived controls, personal norms etc.), researchers found that those who had experienced this significant life change in the preceding 3 months were considerably more likely to report changes in behaviour.
This finding has also been supported by other research, and though both these cited examples relate to sustainability-related behaviour, this idea should not be overlooked in the security behaviour context.
Given this seeming ‘window of opportunity’ for maximising behavioural change, and given the generally accepted significance of beginning a new job, we could hypothesise that to increase our likelihood of affecting positive change, it may be wise for individuals to participate in security awareness training during an early stage of their employment, or indeed, at the beginning of a new role.
Here at Hut Six, we always try and incorporate the best practices, latest research, and most relevant insights into our work to provide as much value to our customers as possible. In putting together this research, we hope use some of these ideas to inform your own organisation’s information security strategy.
In addition to behavioural psychology offering insight into mitigating security risk, providing employees with the right information and training is a vital element to promoting security awareness, reducing avoidable human error, and affecting positive behavioural change.
As many experts have pointed out, security education and training (SETA) programs are necessary not only for detecting threats, but also avoiding them, and “should be provided to all staff not just security professionals.”
Consistent with the behaviour change theories previously outlined, we at Hut Six maintain that by equipping users with relevant, salient, and relatable security awareness training (which also encourages self-efficacy), organisations have the best chance of promoting desirable behaviour and minimising information-based risk.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
Based the latest scientific research, tips to reduce human error and protect businesses against phishing attacks.
Cyber awareness helps reduce human error and insecure behaviours. Examining how the psychology of behaviour change will help us deliver effective awareness campaigns.
An email security policy is a document describing how an organisation's email system should, and most importantly, should not be used.
When Human Error is found in information security, it is often avoidable errors that allow much larger consequential problems to arise.
Investing in Information Security Awareness Training - educating people against cyber threats should be considered essential for any organisation operating in 2021
How Secure is Microsoft Teams? Information Security blog by Information Security Awareness solution provider Hut Six Security
Best Ways To Ensure Enterprise Data Regulation guest blog by technivorz.com and information security awareness solution Hut Six Security.
Writing a Disaster Recovery Plan: information security planning blog by information security awareness solution provider Hut Six Security.
Security program policies blog by information security awareness training provider Hut Six Security.
Security awareness training for Cyber Essentials blog by information security awareness training provider Hut Six Security.