Behaviour Change in your Organisation (short video)

Written by: Lisa Forte

Categorized: General

Behaviour change whiteboard

Getting your staff to change their security behaviour

It is often submitted that fear is bad. Actually, from a behavioural science perspective we know fear is the most effective tool for stimulating behavioural change. Fear of crime is necessary but not sufficient to motivate us to act.

It is often a balancing act in people’s mind. Their risk appetite Vs their perception of the risk. This applies to all crime not just cyber crime.

So fear is necessary but what is crucial is that it is accompanied by a feeling of self-efficacy. People have to see the threat but also believe that they have the ability and the tools to reduce the risk.

This flows from something known as Protection Motivation Theory. The theory states that we need to appreciate that phishing, for example, is a threat. It is highly dangerous. It is likely. It can easily happen to me. This is all “fear” of the threat manifesting. An important motivator but in itself not sufficient. The Theory states we need this fear to be accompanied by a feeling that we understand how to cope with the threat. “I know I click “report” to suspicious emails”; “I never download email attachments”. When these two are combined we see people motivated to take action. Empowered.

If fear increases but you don’t furnish people with the tools to personally control the threat you will yield inaction. They will resign themselves to being hopeless against the threat. Accepting their fate so to speak.

Cyber security is all about raising awareness of the threat but we must also remember that behavioural science tells us whilst fear is needed it isn’t sufficient if not accompanied by empowerment.

Related Content

How to get exec approval for a cyber exercise

Testing your response to a cyber-attack will save you resources in the event of a real incident, but for many organisations taking the first step in exercising can seem like a big commitment in time and energy. Here are some top tips on getting exec approval for a cyber exercise.

Read more

Get started with crisis communication planning

Cyber-attacks are no longer outlier events. In fact, the old saying of “it’s not if – but when” has sadly proven true for many organisations. For this reason many organisations are now heavily focused on planning and preparing for a cyber-attack and increasing their levels of resilience, response and redundancy to enable them to survive.

Read more
Menu