Monthly Archives: July 2013

Are Security Awareness Programmes a Waste of Time?


One question we’ve heard recently is, ‘Are security awareness programmes a waste of time?’  The answer might seem obvious – but perhaps some of them are a waste of time because they’re trying to achieve something they were never designed to do.

 

It is clear that simply making people aware of what they should be doing is often insufficient to persuade them to do it – ‘otherwise none of us would be obese, none of us would smoke and none of us would drive like lunatics’![1]  That’s not to say that raising awareness isn’t valuable but just that on its own it isn’t usually enough.

 

Cyber Security Behavioural Dynamics builds on existing research and uses a framework and process called social marketing.  By combining this with behavioural theory, we can develop interventions that are more likely to move end users from awareness to behaviour change.

 

So what might these interventions look like?  Well, most security awareness programmes rely on what marketers call SPLAT (Some Posters, Leaflets, Ads ‘n’ Things).  Increasingly these are brilliantly executed but they don’t dig beneath the surface of human motivation and decision-making to persuade the end user to take up secure behaviours.  Our research has demonstrated the importance of understanding end users from their own perspective before attempting to change their behaviour.  This is important because those who believe that they have some personal control over cyber security are at a different point in the journey towards changing their behaviour than those who believe that security incidents happen by chance.

We can also ascertain whether end users are ready to change their behaviour.  Behavioural theory offers a way of categorising end users into those who are at the pre-contemplation stage (in cyber security this would be the equivalent of the end user asking ‘what does that mean?’) through contemplation and preparation (‘oh I’ve heard about malware, is there anything I can do to stop it?’) to action (‘I’m afraid I’m not going to email that information to you because it contains customer confidential details’).  An organisation can keep its security awareness programme running knowing that it will help those end users at the pre-contemplation stage – while a behaviour change intervention will tackle those ready to take action.

 

A participative approach helps us to develop an exchange proposition with end users by understanding the trade-offs that they make.  For example, if you want end users to carry out a specific security behaviour you need to know what your competition looks like – what does the end user get from continuing an insecure behaviour or not adopting the secure behaviour that you require?  Perhaps it’s something obvious such as speed or convenience but it’s equally likely to be something obscure that would never have struck you if you hadn’t taken the time to understand your end users from their perspective.

 

Once we understand the competition we can use a mixture of design techniques to develop an intervention that will increase the benefits of the desired behaviour and the costs of continuing to carry out the problem behaviour while at the same time decreasing the barriers to adopting the desired behaviour and the benefits provided by the problem behaviour.  Basically it will use any means possible and practical to make it worth the end user’s while to desist from carrying out an insecure behaviour and move to carrying out the secure behaviour that you’ve identified.

 

So security awareness programmes don’t have to be a waste of time – but they do need to be part of a wider behavioural change programme if they’re going to contribute to changing end user cyber security behaviours.

 

Debi Ashenden & Darren Lawrence

Cranfield University, Defence Academy of the UK

 



[1] Ian Potter, New Zealand Health Sponsorship Council, New Zealand Herald, 2007
