2nd February 2021
To train and improve the security awareness of employees for the long term, five steps should be followed to build and maintain a cyber security culture. During this blog series, we will introduce you to these five steps, including selected tactics that will lead to success. Part four deals with the topic of how to change employee behavior sustainably and for the long term.
Have you perhaps already asked yourself about the best way to proceed with the correct implementation of security awareness measures? How can the behavior of employees be changed effectively and sustainably? What building blocks does a security awareness campaign need to achieve this goal?
To change a person's behavior, there are a few things to consider. McKinsey has developed the “Influence Model” for this. This model helps to show which areas should ideally be covered so that behavioral change can happen. Measures can be developed with the help of the "Influence Model" and the taxonomy levels according to Bloom. There are various ways to determine which measures should be taken. Examples are quantitative and/or qualitative employee surveys, ISO Findings, or the B=MAT and COM-B models. Once measures have been defined, the next question is about the channels that should be used for communication. There are various options here too, which are presented below. To determine the success of a campaign, it is also important to select measurable measures and evaluate them after the campaign.
In this article we show you what you should pay attention to when building a security awareness campaign so that it changes the behavior of your employees sustainably and successfully and thus makes your company more secure.
To counter today's security threats, you need more than just a good IT solution: employees also contribute to the security of a company. The role of humans in the defense against cybersecurity attacks is becoming increasingly important. Science and business have also recognized this. This leads to the following question: how can I make my employees more secure and more responsible, so that they actively and automatically maintain secure use of IT resources, data protection and physical components in a company? This is where security training and awareness come into play, i.e. the security awareness training of every employee. No matter what role they have in your company, be it a “normal” employee or someone with a managerial role, everyone contributes to protecting a company with their behavior. Security awareness measures help to implement this.
Dr. Thomas Schlienger was one of the authors of the “Cybersecurity Culture Guidelines: Behavioral Aspects of Cybersecurity” report for ENISA (European Agency for Network and Information Security). Four methods were examined in the report as an investigation of the human aspect in cybersecurity. Although two methods were based on social science models, one on qualitative studies, and the fourth on current practice in organizations, none of them were enough on their own to understand, predict, or change behavior relating to cybersecurity issues (ENISA 2018). This means that a combination of different methods is necessary to change behavior.
But which methods must be used? Is there one solution that meets all requirements or does each case need to be considered individually? How can I now change the behavior of my employees effectively and sustainably?
McKinsey developed an “Influence Model” consisting of four blocks, which helps to influence the attitude and behavior of employees. This model can be used as the basis for designing measures. The four pillars of the “Influence Model” are (McKinsey 2016):
If the employees understand the “why” of a change and if they agree to it, this helps in changing the behavior. For understanding and acceptance of a change to happen, the goal and the why of the change must be clearly communicated. McKinsey sees one possibility of communicating the transformation as a story about change. It explains where the company wants to go with the change, what should change and why the change is important.
Create positive incentives for employees who change their behavior. It should be noted, however, that the fear is not a basis for incentives. For example, information about a possible phishing mail should give feedback on whether it is such a mail or not and should not cause problems for an employee if he or she falls for a phishing email.
Foster the development of new skills and talents and encourage your employees with personal responsibility and competence to use those new skills. This increases the chance that changes in behavior will also come about. If employees feel that the new skills are of no use to them and do not change their situation, they are most likely to remain passive in their behavior without changing it.
An important aspect is the example of the desired behavior. Role models are perceived consciously and unconsciously. It is therefore important to find role models in the organization who exemplify and promote the desired behavior. Leaders especially should also act in a security-conscious manner and thereby encourage their employees to follow their example. After all, why should I adopt a certain behavior, for example wearing my employee ID visibly, if my supervisor does not?
The power of the group is also part of role models. The more people behave securely, the more likely new people are encouraged to do the same.
When developing security awareness measures, it is advisable, on the one hand, to keep the above-mentioned change mechanisms in mind and, on the other hand, to structure the measures and training according to a common principle. A good option here is Bloom’s taxonomy. Bloom developed 6 taxonomy levels to classify and control learning objectives. This enables training to be successfully set up and carried out.