
Getting your staff to change their security behaviour
It is often submitted that fear is bad. Actually, from a behavioural science perspective we know fear is the most effective tool for stimulating behavioural change. Fear of crime is necessary but not sufficient to motivate us to act.
It is often a balancing act in people’s mind. Their risk appetite Vs their perception of the risk. This applies to all crime not just cyber crime.
So fear is necessary but what is crucial is that it is accompanied by a feeling of self-efficacy. People have to see the threat but also believe that they have the ability and the tools to reduce the risk.
This flows from something known as Protection Motivation Theory. The theory states that we need to appreciate that phishing, for example, is a threat. It is highly dangerous. It is likely. It can easily happen to me. This is all “fear” of the threat manifesting. An important motivator but in itself not sufficient. The Theory states we need this fear to be accompanied by a feeling that we understand how to cope with the threat. “I know I click “report” to suspicious emails”; “I never download email attachments”. When these two are combined we see people motivated to take action. Empowered.
If fear increases but you don’t furnish people with the tools to personally control the threat you will yield inaction. They will resign themselves to being hopeless against the threat. Accepting their fate so to speak.
Cyber security is all about raising awareness of the threat but we must also remember that behavioural science tells us whilst fear is needed it isn’t sufficient if not accompanied by empowerment.