How can you change employee behavior?

‍To train and improve the security awareness of employees for the long term, five steps should be followed to build and maintain a cyber security culture. During this blog series, we will introduce you to these five steps, including selected tactics that will lead to success. Part four deals with the topic of how to change employee behavior sustainably and for the long term.

Have you perhaps already asked yourself about the best way to proceed with the correct implementation of security awareness measures? How can the behavior of employees be changed effectively and sustainably? What building blocks does a security awareness campaign need to achieve this goal?

To change a person's behavior, there are a few things to consider. McKinsey has developed the “Influence Model” for this. This model helps to show which areas should ideally be covered so that behavioral change can happen. Measures can be developed with the help of the "Influence Model" and the taxonomy levels according to Bloom. There are various ways to determine which measures should be taken. Examples are quantitative and/or qualitative employee surveys, ISO Findings, or the B=MAT and COM-B models. Once measures have been defined, the next question is about the channels that should be used for communication. There are various options here too, which are presented below. To determine the success of a campaign, it is also important to select measurable measures and evaluate them after the campaign.

In this article we show you what you should pay attention to when building a security awareness campaign so that it changes the behavior of your employees sustainably and successfully and thus makes your company more secure.

The human factor in IT security and its challenges

To counter today's security threats, you need more than just a good IT solution: employees also contribute to the security of a company. The role of humans in the defense against cybersecurity attacks is becoming increasingly important. Science and business have also recognized this. This leads to the following question: how can I make my employees more secure and more responsible, so that they actively and automatically maintain secure use of IT resources, data protection and physical components in a company? This is where security training and awareness come into play, i.e. the security awareness training of every employee. No matter what role they have in your company, be it a “normal” employee or someone with a managerial role, everyone contributes to protecting a company with their behavior. Security awareness measures help to implement this.

Dr. Thomas Schlienger was one of the authors of the “Cybersecurity Culture Guidelines: Behavioral Aspects of Cybersecurity” report for ENISA (European Agency for Network and Information Security). Four methods were examined in the report as an investigation of the human aspect in cybersecurity. Although two methods were based on social science models, one on qualitative studies, and the fourth on current practice in organizations, none of them were enough on their own to understand, predict, or change behavior relating to cybersecurity issues (ENISA 2018). This means that a combination of different methods is necessary to change behavior.

But which methods must be used? Is there one solution that meets all requirements or does each case need to be considered individually? How can I now change the behavior of my employees effectively and sustainably?

How to change people's behavior

McKinsey developed an “Influence Model” consisting of four blocks, which helps to influence the attitude and behavior of employees. This model can be used as the basis for designing measures. The four pillars of the “Influence Model” are (McKinsey 2016):

Role model

An important aspect is the example of the desired behavior. Role models are perceived consciously and unconsciously. It is therefore important to find role models in the organization who exemplify and promote the desired behavior. Leaders especially should also act in a security-conscious manner and thereby encourage their employees to follow their example. After all, why should I adopt a certain behavior, for example wearing my employee ID visibly, if my supervisor does not?

The power of the group is also part of role models. The more people behave securely, the more likely new people are encouraged to do the same.

Encouragement of understanding and conviction

If the employees understand the “why” of a change and if they agree to it, this helps in changing the behavior. For understanding and acceptance of a change to happen, the goal and the why of the change must be clearly communicated. McKinsey sees one possibility of communicating the transformation as a story about change. It explains where the company wants to go with the change, what should change and why the change is important.

Development of talent and skills

Foster the development of new skills and talents and encourage your employees with personal responsibility and competence to use those new skills. This increases the chance that changes in behavior will also come about. If employees feel that the new skills are of no use to them and do not change their situation, they are most likely to remain passive in their behavior without changing it.

Confirmation of changes through formal mechanisms

Create positive incentives for employees who change their behavior. It should be noted, however, that the fear is not a basis for incentives. In this way, employees who report a phishing mail should also receive feedback on whether it was indeed phishing.

‍

Change behavior with awareness measures

When developing security awareness measures, it is advisable, on the one hand, to keep the above-mentioned change mechanisms in mind and, on the other hand, to structure the measures and training according to a common principle. A good option here is Bloom’s taxonomy. Bloom developed 6 taxonomy levels to classify and control learning objectives. This enables training to be successfully set up and carried out.

‍

1. Knowledge: factual knowledge, familiarity
   Employees reflect what they have learned.
   Example: I know what phishing is
   ‍
2. Understanding: Understand, justify in one’s own words
   Employees can reproduce what they have learned in a different context.
   Example: I can list the characteristics of a phishing email
   ‍
3. Application: Implementation of one-dimensional learning content, examples from practice
   Employees can apply what they have learned.
   Example: I can identify a phishing email
   ‍
4. Analysis: disassembly into parts, case studies
   Employees are able to combine different components with each other and break them down into their components and they recognize relationships.
   Example: I understand how attackers launch a multi-stage spear phishing attack.
   ‍
5. Synthesis: interlinking and optimization, interdisciplinary representation, project tasks
   Employees can combine different, unknown components and create new ones.
   Example: I am able to detect new phishing attacks.
   ‍
6. Assessment: Corresponds to level 4 with additional assessment by the employees
   Employees can assess a situation for its appropriateness. They make a judgment to accomplish the task correctly.
   Example: I can make suggestions for how the company can better protect itself from phishing.

‍

Want to learn more? Download the whitepaper "How can you change employee behavior?".

Learn more about what actions need to be taken to create long-term change. How the COM-B model and the B=MAT model from science can help you, and how best to communicate actions.

Subscribe to our newsletter now and never miss news and blogs about information security and security awareness. The subscription form appears after the literature reference.

‍

‍

Literature:

• ENISA (2018): “Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity”. Authors: A. Joinson, A Sasse und T. Schlienger. https://www.enisa.europa.eu/publications/cybersecurity-culture-guidelines-behavioural-aspects-of-cybersecurity
• McKinsey (2016): “The four building blocks of change”. https://www.mckinsey.com/business-functions/organization/our-insights/the-four-building-blocks--of-change
• Bloom, B. S.; Engelhart, M. D.; Furst, E. J.; Hill, W. H.; Krathwohl, D. R. (1956). Taxonomy of educational objectives: The classification of educational goals. Handbook I: Cognitive domain. New York: David McKay Company.
• TreeSolution (2019): Whitepaper - How to achieve a real and sustainable behavior change.
• Michie, S., Van Stralen, M. M., & West, R. (2011): The behaviour change wheel: a new method for characterising and designing behaviour change interventions. Implementation science, 6(1), 42.
• Fogg, B. J. (2009, April): A behavior model for persuasive design. In Proceedings of the 4th international Conference on Persuasive Technology (p. 40). ACM.

‍