Building a Security Culture With Behavior Design



Anyone who has run security awareness programs for a while knows that changing human behaviour is not an easy task, and that sometimes the problem with awareness is that "awareness" alone does not automatically result in secure behavior.

Let’s look at the challenge of building a security culture through the lens of behaviour design. BJ Fogg’s much-quoted behavior design model neatly outlines that behavior happens when three things come together at the same time: Motivation, Ability, and a Prompt, which could be a reminder or a nudge to do the behaviour.

Motivation

Fogg’s Behaviour Model highlights three core motivators: Sensation, Anticipation, and Belonging. Each of these has two sides: pleasure/pain, hope/fear, acceptance/rejection. These core motivators apply to everyone; they are central to the human experience.

Let's try to apply these to cybersecurity:

  • Tapping into people’s emotions by using visually appealing content, engaging with humour and story-based techniques, and activating positive sensations. 
  • Fear can be a powerful motivator too. Show what could happen when. But too much of it can result in apathy, so it needs to be underpinned with the notion that it is simple to defend.
  • Using the power of leadership or celebrity to tell stories and invoke a sense of belonging.
  • Making it personally relevant by providing information on how to protect kids or family members.

Caveats: Humour is a great technique to grab people’s attention, evoke positive emotions and help with memory retention. However, it has to be applied carefully and with sensitivity to the audience's cultures, or else it can backfire. Also, it shouldn’t be used too much, as it could result in the audience not taking the core message seriously enough.

Ability

BJ Fogg says that training people is hard work, and most people resist learning new things. That’s just how we are as humans: lazy. Give someone a tool or a resource that makes the behaviour easier to do. A great example is a password manager. This is a tool that takes care of the desired behaviour and simplifies the complexity of having to remember multiple different passwords.

Prompts 

The concept of a prompt has different names: cue, trigger, nudge, call to action, request, and so on. They all have the same purpose: to remind and tell people to "do it now". A good example is password strength meters, which remind people to come up with better passwords as and when they create them.

When designing an awareness campaign, it’s important to consider where prompts may be used. For example, in-the-moment nudges can be used when users look at emails while on the go or when they are about to send a large file to someone externally.

When it is possible to combine the three elements of motivation, ability and prompts, changing behaviour is a much more likely outcome than just spreading awareness content and hoping for a result. 

Stay up to date on the rest of this evangelist series to help keep you and your users safe during Cybersecurity Awareness Month and beyond!

