One question we’ve heard recently is, ‘Are security awareness programmes a waste of time?’ The answer might seem obvious – but perhaps some of them are a waste of time because they’re trying to achieve something they were never designed to do.
It is clear that simply making people aware of what they should be doing is often insufficient to persuade them to do it – ‘otherwise none of us would be obese, none of us would smoke and none of us would drive like lunatics’! That’s not to say that raising awareness isn’t valuable but just that on its own it isn’t usually enough.
Cyber Security Behavioural Dynamics builds on existing research and uses a framework and process called social marketing. By combining this with behavioural theory we can develop interventions that are more likely to move end users from awareness to behaviour change.
So what might these interventions look like? Well, most security awareness programmes rely on what marketers call SPLAT (Some Posters, Leaflets, Ads ‘n’ Things). Increasingly these are brilliantly executed, but they don’t dig beneath the surface of human motivation and decision-making to persuade the end user to take up secure behaviours. Our research has demonstrated the importance of understanding end users from their own perspective before attempting to change their behaviour. This is important because those who believe that they have some personal control over cyber security are at a different point in the journey towards changing their behaviour than those who believe that security incidents happen by chance.
We can also ascertain whether end users are ready to change their behaviour. Behavioural theory offers a way of categorising end users into those who are at the pre-contemplation stage (in cyber security this would be the equivalent of the end user asking ‘what does that mean?’), through contemplation and preparation (‘oh, I’ve heard about malware, is there anything I can do to stop it?’), to action (‘I’m afraid I’m not going to email that information to you because it contains customer confidential details’). An organisation can keep its security awareness programme running knowing that it will help those end users at the pre-contemplation stage – while a behaviour change intervention will tackle those ready to take action.
A participative approach helps us to develop an exchange proposition with end users by understanding the trade-offs that they make. For example, if you want end users to carry out a specific security behaviour you need to know what your competition looks like – what does the end user get from continuing an insecure behaviour or not adopting the secure behaviour that you require? Perhaps it’s something obvious such as speed or convenience but it’s equally likely to be something obscure that would never have struck you if you hadn’t taken the time to understand your end users from their perspective.
Once we understand the competition we can use a mixture of design techniques to develop an intervention that increases the benefits of the desired behaviour and the costs of continuing the problem behaviour, while at the same time decreasing the barriers to adopting the desired behaviour and the benefits provided by the problem behaviour. Basically it will use any means possible and practical to make it worth the end user’s while to desist from carrying out an insecure behaviour and move to carrying out the secure behaviour that you’ve identified.
So security awareness programmes don’t have to be a waste of time – but they do need to be part of a wider behavioural change programme if they’re going to contribute to changing end user cyber security behaviours.
Debi Ashenden & Darren Lawrence
Cranfield University, Defence Academy of the UK
Ian Potter, New Zealand Health Sponsorship Council, New Zealand Herald, 2007