17th June 2020
Time and again, we find that many awareness campaigns fail to achieve the goal of changing their employees' behaviour.
This is partly due to the many challenges concerning human behaviour. Hurdles must be overcome on a psychological and sociological level. Among other things, people perceive risks differently. For this reason, awareness campaigns must not only communicate risks and the desired behaviour, but also ensure that the employees understand the content and are qualified and motivated to implement it.
The challenge of changing employees' behaviour cannot be solved by simply laying down guidelines and rules or by short, one-off campaigns. In fact, the solution involves a combination of both. Rules and guidelines must consolidate and be a basis for security. Building on this, long-term campaigns are planned to support employees in changing their behaviour sustainably over time, thereby helping to make the company more secure.
To do this, users must recognize that the information in a campaign and in rules and regulations is relevant to their work. They must understand them and at the same time be motivated to implement them. There are some simple rules and approaches to consider when planning an awareness campaign.
The problem that many awareness campaigns fail to change behaviour is not new. This was already recognised in 1999 (1) and has since remained unresolved. The problem here is that, on the one hand, no consideration is given to the basic concepts of security awareness, and on the other hand, the solutions that are sought are too simple for this complex problem. Industry and customers are often unwilling to devote enough resources, be it budget, time, or expertise, to build awareness campaigns to reach their goals. Instead, the only attempt made is to implement one-off measures. Unfortunately, this is not effective and does not lead to the sustainable success of the campaign.
The four main reasons for the failure of campaigns are:
A sound basis is needed to change the behaviour of the employees in the long term and to make a campaign successful. It requires security policies, training, tools and processes, as well as regulated responsibilities at the organisational and group levels. If the right basis exists, human behaviour can be changed accordingly. An auxiliary tool to check if and how the security basis has been built in a company, where adjustments need to be made, and what needs to be done at the individual level to change behaviour, is our Security Awareness Radar®. Building on this, long-term and effective campaigns are then developed to change human behaviour.
Various building blocks must be considered in order to build and execute a successful security awareness campaign.
Careful planning is necessary to succeed. Security campaigns should be developed by qualified personnel. If there is no security department that can do this, a campaign can be conducted with a specialized provider like us. First, determine which goal is to be achieved with the campaign, and plan the actions and content according to that goal. Plan your resources: budget, time spent and total duration, and expertise are important foundations on which to build a campaign.
The right communication is the alpha and omega of a successful campaign. It is target group oriented, simple and understandable. The desired rules of conduct that are communicated should be consistent by aligning with internal guidelines.
Directives and policies are included in the campaign. The goals, measures and contents of the campaign are aligned with the guidelines and regulations. There must be alignment with the desired behaviour in the campaign. There is no point in engaging with risks or rules of conduct which are not relevant or meaningful. This also means that depending on the department, rank or geographic location, different risk components need to be handled and different behavioural changes are required. Therefore, select the topics according to the target group. For example, some topics may not concern the financial director in the same way as the employees of the HR department.
The human factor, i.e. human behaviour, must be considered for a successful campaign. For example, there are cultural differences in risk perception. These differences can occur not only regionally, but also between departments. In addition, there are various other factors that need to be considered. These can be on a personal or cultural level.
To generate change, the current factors of influence must be identified. These can be on a personal as well as on a cultural level.
Influencing factors on a personal level:
The motivation and abilities of the individual are some of the most powerful influencing factors. The individual must also be able to apply the desired change. However, there is a danger of security oversaturation ("security fatigue"). This can happen especially when security is considered an obstacle. For this reason, it is important to be centred in the "security-functionality-usability triangle" and not drift too much towards security for its own sake or the creation of security regulations that are hard to respect.
Influencing factors on a cultural level:
An important factor influencing the success of an awareness campaign is the cultural aspect. This should therefore be included in the design of training and awareness messages.
In the study "Cyber Security Awareness Campaigns: Why Do They Fail to Change Behaviour?"(3), the authors examined cyber security awareness campaigns from the UK and Africa. In the studies from the UK the focus is on the individual: "in short, the weakest links in the cyber security chain are you and me (3, page 126)". This point of view, highlighting the individual, applies specifically to the Western Hemisphere. In Africa, but also in Asia, the focus is on society. Therefore, the study addressed this entity: "friends must protect friends (3, page 126)".
These cultural differences and how to address the target audience of the campaign should be considered if success is to be ensured, especially in international campaigns.
Depending on the cultural context, the risk perception is different and should therefore be considered.
In order to influence human behaviour, different techniques can be chosen. Some are important and helpful, while others should not be used. Here we show you what you should look out for.
1. Consider human behaviour
Choose a simple and understandable language so that it can be understood by all employees, regardless of education, culture or department. For example, IT terms should be avoided unless the target audience has an IT background. Word choice, sentence length and sentence structure are also considerations.
The type of communication also plays a role. Communicating something in a humorous way works well with employees. For example, using a cartoon can convey information in a simple, concise and entertaining way. On the other hand, frightening communication should be avoided as it is often counterproductive, deterring users instead of motivating them. As a result, such campaigns are generally unsuccessful. Use internal examples when presenting risks. This helps employees to better identify with them.
An important element for targeting a campaign well is the consideration of different cultures. There are two options for international campaigns: adapting the campaign to the individual cultures, which is very time-consuming, or trying to cater to all needs within the communication. This means addressing the individual and the community, and both needs at the same time. Our approach in campaigns is communication that is compatible with different cultures.
2. Make security liveable
The goal of a campaign must be feasible and integrated into day-to-day processes for behaviour to change (4). Confirm your statements in the campaign with scientific research results. This gives the information more credibility and helps it to be accepted. In our white paper, "How to Achieve Real and Sustainable Behavioural Change," we introduce two scientific models that can be used to analyse corporate security measures and understand possible causes of misconduct.
The white paper can be obtained free of charge upon request. Simply write an e-mail to firstname.lastname@example.org.
Get support from specialists. These can be helpful when it comes to finding a simplified word choice without technical terms, structuring a campaign and finding the right topics and addressees beforehand.
3. Plan for a lot of time
To accept, implement and internalize change takes time. This is helped by a steady repetition of campaigns and topics, rather like a steady drip of water wears down a stone. You can do either a long, multi-year campaign or many shorter campaigns over a period of several years (4).
Publishing through different channels helps to address and achieve the different types of learning.
A useful tool for planning, implementing and reviewing a security campaign is our Security Awareness Radar®. On the one hand, security requirements can be detected and improved, on the other hand, the state of organisational and human behaviour can be determined, and then appropriate measures planned and developed. This helps to change human behaviour and align the business system accordingly (4). This puts your campaign on a sound footing and allows it to fully leverage its opportunities for behavioural change.
The process towards secure behaviour is shown in our 'Model of Secure Behaviour'. Picture: Model of secure behaviour.
McKinsey has also described this process of change in its Influence Model. In our news article "What does it take for a successful change management", we already mentioned this model.
We can summarise with the following points that must be considered for a successful security awareness campaign:
For an awareness campaign to be sustainably successful, employees must accept that the topic is relevant. They need to understand it and know how to implement it. And they must be willing to make what they learn a part of their professional lives. A campaign can turn what they learn into a habit. Security awareness can thereby become a sustainable success factor of a company.
References and sources:
(1) Whitten, A., Tygar, J.D. (1999): Why Johnny can't encrypt: a usability evaluation of PGP 5.0. SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8, 14-14. USENIX Association Berkeley.
(2) Sasse, A. (2015): Scaring and Bullying People into Security Won't Work. IEEE Security & Privacy, May/June 2015. Security & Privacy Economics.
(3) Bada, M. et al. (2015): Cyber Security Awareness Campaigns: Why do they fail to change behaviour? January 2015.
(4) ENISA Report (2018): Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity, pages 20/21.