KnowBe4’s Security Culture Report is the result of data collected from 120,000 global employees in the following industries: Banking, Financial Services, Insurance, Consulting, Business Services, Technology, Healthcare & Pharmaceuticals, Consumer Services, Not for Profit, Other, Retail & Wholesale, Legal, Manufacturing, Government, Construction, Energy & Utilities, Transportation & Education.
The Security Culture Report seeks to provide an objective scientific method for assessing, reporting and comparing culture. In order to do this, it breaks culture down across the following seven distinct dimensions.
We will examine what each of these dimensions means in a series of blogs.
In this first post, we’ll take a look at Attitudes.
Attitudes: The feelings and beliefs that employees have toward the security protocols and issues
Social psychology has undertaken much research into what attitudes are, how they are formed, and how they can be changed. In short, attitudes are a set of emotions or beliefs that people carry in relation to particular objects, people, organisations, issues, or events.
Attitudes are formed over time and are based on experiences -- in other words, they are learned opinions. For example, when you get into the driver’s seat of a car for the first time, you may not have any preconceptions about it. However, once you have experienced it (the interior layout, the responsiveness, the handling, the fuel economy, the practicality, etc.), you may have a positive attitude towards it the next time. This is an evaluation based on your thoughts, behaviour and feelings. So the next time you see that car, a similar car, or a car built by the same manufacturer, you anticipate a similar outcome, looking for positive reinforcement of that attitude.
Because attitudes are evaluations, they can be straightforward to assess with techniques like questionnaires. The attitudes themselves are formed from three main elements (the ABC model of attitudes):
- Affect: How an issue, object, or person makes you feel.
- Behaviour: How the object influences your behaviour.
- Cognition: Your thoughts and beliefs about the object.
Let’s bring this to life by taking the example of an employee using the corporate VPN when working remotely (as opposed to connecting directly via the internet).
- In terms of affect: They feel happy when they use the VPN.
- In terms of behaviour: They always connect to the VPN when outside of the office.
- In terms of cognition: They believe using the VPN is the responsible thing to do.
Understanding Attitudes in Cybersecurity
When trying to foster a culture of security, attitudes play a key role in understanding whether or not a particular strategy or set of security controls will be successful.
Simply providing employees with security knowledge sometimes isn’t enough to change their attitudes. For example, many will know that reusing passwords could lead to a breach and have negative consequences. But, many will still reuse passwords, resulting in risky behaviour and a form of cognitive dissonance in which there is a tension between beliefs and activities. “I shouldn’t reuse passwords because it’s risky. I nevertheless reuse passwords.”
People often relieve the tension by changing their attitude, “All my colleagues reuse their passwords and have never been breached, so it’s not so bad.” This change of attitude is often easier than changing the behaviour (to not reuse passwords).
Other changes in attitude include, “Why would an attacker come after me? I’m just an ordinary employee.” In many cases, we see this scale up to the organisational level, “Why would a nation state attack us? We are just a small business.”
Attitudes can be an important predictor of user behaviour, so it’s important to vary training methods in ways that can change attitudes towards certain issues. There is no single defined way to do this, but what we do know is that the three elements of the ABC model can be experienced in a different order depending on the security requirement. Understanding which order applies lets us adjust the security messages we communicate. This is called the Hierarchy of Effects.
- Low Involvement Hierarchy (Cognition, Behaviour, Affect)
This is where we take almost immediate action and then later think about our feelings involving the security requirement. This is the pattern for frequent or even daily activities. For example, showing your badge at the door to gain entry to the office is something a lot of people may not feel strongly about.
- High Involvement Hierarchy (Cognition, Affect, Behaviour)
This is the sequence for larger decisions which we think about, assess our feelings towards, then decide what course of action to take. For example, choosing a new laptop based on whether it offers biometric authentication could make the user feel like they are meeting corporate security requirements, whilst increasing convenience.
- Experiential Hierarchy (Affect, Behaviour, Cognition)
These are usually emotionally-led decisions where you only think about it after the fact. Encrypting all the files on a server even though it may impact performance may seem like a good idea because it’s for the right reasons.
- Behavioural Influence Hierarchy (Behaviour, Cognition, Affect)
These are impulse decisions where you do something, think about it afterwards, then assess how you feel. Emailing confidential documents to an external party to expedite a process may not feel like a great idea in hindsight.
While employee attitudes may not be formed in such a clear-cut manner, this framework does help us understand our security culture and which strategies should be used to adjust attitudes on certain issues. Attitudes are learned and can be an effective predictor of behaviour. If we can understand how attitudes toward security controls, requirements, and even the security department are formed, we’re in a better position to adjust our campaign in order to influence those attitudes.
Like any aspect of security culture, attitudes towards security aren’t permanent. They can change for better or worse based on new information, beliefs, and experiences. Therefore, it’s important that you continually reinforce the attitudes you want employees to have with your security culture through new-school security awareness training.