How to change security behaviour

18th August 2020

How can you change employee behavior? (Part 2)

Continuation of Part 1 of this blog.

To train and improve the security awareness of employees for the long term, five steps should be followed to build and maintain a cyber security culture. During this blog series, we will introduce you to these five steps, including selected tactics that will lead to success. Part four deals with the topic of how to change employee behavior sustainably and for the long term.

Which measures must be taken?

To accomplish long-term change, you need to establish security in the culture of your business. Of course, you need to find technical solutions to make this possible. However, to ensure that security is in fact implemented, your employees are the decisive starting point.

Changing the behavior of people is a challenge. It is even more difficult if their behavior is not properly understood. That is why our approach to sustainable behavioral change builds on understanding these issues through scientific models.

You can make sustainable behavioral changes in your organization by leveraging that understanding and choosing the measures that most effectively address security vulnerabilities.

The effective change of behaviors in companies must be based on a clear understanding of the past mistakes or omissions. Without this clear foundation, the multiple causes of security vulnerabilities will be vaguely summarized as "human error" without being able to resolve them. Two scientific models for analyzing corporate security measures provide a basis for understanding the reasons for undesirable behavior and then selecting appropriate remedial action.

To better understand the two models, here is an example:

Imagine how you might secure a castle - high walls, a moat and the latest and greatest access control. With your technically perfect approach to security, it is impossible to find even the smallest chink in the castle defense – at least, theoretically.

And yet, three doors remain wide open:

  1. Parcel deliveries are continually being made to your castle through one door.
  2. A dark, stuffy corridor is being ventilated through another door.
  3. And because someone thinks he or she remembers an announcement that the "closed-door policy" applies only in the east wing because of the wind direction, a third door is open in the west wing.

Clearly, attackers will have no difficulty in invading and wrecking your castle.

The COM-B model

The COM-B model (adapted from Michie et al., 2011) summarizes the necessary prerequisites for security-conscious behavior as these three elements:

Capability

Can the employees carry out a security measure? Lack of knowledge and lack of empowerment are both possible obstacles.

In our example of the castle above, either nobody knows how the parcel pass-through hatch can be opened or the employees do not have a key to this hatch and must therefore use the door.

Opportunity

Are employees given the chance to put the security measure into practice? Physical or social factors can get in the way here.

If the only clean air supply is cut off, employees in the castle will have no choice but to keep the door open. Or as another example, they do not want to make life unnecessarily difficult for their colleagues at the post office by keeping doors closed, which has already led to arguments in the past.

Motivation

Do employees even see why they should perform a certain action? The motivation for action can be positive (awareness of the purpose, knowledge of the meaning of the action, prospect of a reward) or negative (punishment, fear of the negative consequences of omission).

In the castle it must be made known that the doors are not closed against wind, but to keep out attackers. The fear of this threat can contribute to the motivation to keep the door properly closed.

All three parts influence behavior.

COM-B model adapted from Michie et al., 2011

The B=MAT model

A related model by Fogg (2009) maps considerations of ability, motivation, and opportunity onto the aspects of activation. Employees are more likely to perform an action when it is easy for them (according to their ability) and motivating (positively or negatively, see motivation above). To achieve activation of security measures, companies can not only give employees the opportunity to act, but also create triggers for that behavior.

B=MAT model adapted from Fogg, 2009

Other options for determining measures

With the help of our Security Awareness Radar, an online employee survey, it can be determined which areas need to be changed in which target groups (e.g. departments). The report of the Awareness Radar concludes with a list of measures that can also be used for an ISO 27001 certification. Furthermore, compliance requirements, audit findings or risk assessments can provide information on measures.

Also to be noted

The measures defined should then be sorted according to urgency and feasibility: simple versus difficult to implement, and inexpensive versus expensive.

When defining the measures, it is important to avoid lopsidedness. It is best to choose measures that can be quantitatively and qualitatively determined and implemented. So that the actions can be analyzed and measured, they should meet the SMART criteria:

  • Specific: is a specific area selected for action?
  • Measurable: is the action measurable?
  • Actionable: does the result provide concrete improvement?
  • Relevant: is the action relevant (and realistic) for your organization and are the results understood?
  • Time-related: has a time frame been defined for target implementation and achievement?

It is important to note that change does not happen overnight. This takes time and regular actions so that the desired behavior can become natural and firmly established.

Depending on the target group, functions or risk background of the company, other learning objectives are defined. Employees in the HR department will be trained differently than sales managers. In addition, individual metrics at the personal level such as tests and quizzes can be built in, or organizational metrics where an entire area is trained, for example, with a phishing simulation.

Which channels can be used for an awareness campaign?

Security awareness campaigns offer an optimal basis for changing behavior. Thanks to today's technologies, we have many more means and opportunities to convey information to employees in different ways. This is also helpful because not all people learn the same way and the different types of learning should therefore be addressed in a campaign. For these reasons, it is important to communicate through different channels.

Example of a learning cartoon, which can be used for e-mail, intranet, or posters, for example.

Possible channels are:

  • Emails and newsletters
  • Intranet reports
  • Posters
  • Video clips
  • Simulations
  • Brochures
  • Information sheets
  • Information events such as a security breakfast or security lunch
  • E-learning
  • Classroom training
  • Checklists and fact sheets
  • Intranet knowledge databases
  • FAQs

Choose a simple design for your campaigns and convey the information briefly and succinctly, so that the messages can be better absorbed and processed. Bring examples from your own company; this helps improve understanding of the topic. Also, show the benefits of the newly learned behavior.

Changing behavior successfully

To successfully change behavior, different aspects must be considered, and different channels must be used for training and awareness measures.

To start from the right base, the possible measures must first be determined.

These can be determined in a first step with our Security Awareness Radar, based on audit findings or compliance requirements.

The "Influence Model" provides a basis for finding measures that can influence employee behavior and attitudes. With the COM-B model and the B=MAT model, erroneous behavior can be analyzed, and suitable security measures can be selected accordingly.

Learning targets for measures and training are defined according to the levels of Bloom's taxonomy. If possible, the measures should meet the SMART criteria so that they can be analyzed and measured.

To successfully change the behavior of employees, many factors must be considered. The better this is done, the more sustainable the measures and actions and the more secure the company and its employees will be.

Not every security officer has the appropriate knowledge or capacity to do this. We are happy to support companies in successfully and sustainably changing the behavior of their employees.
