We know that the human factor and employee engagement are critical when it comes to raising cyber security awareness. You may have invested heavily in technology and in sophisticated processes, but your employees will still be the last line of defense in thwarting a cyberattack. At the same time, they are the hardest to mobilize!
In 2017, a major study was conducted among organizations from 58 countries around the world. The findings of the study speak for themselves: Employee engagement is one of the most significant obstacles to carrying out an information security awareness campaign. We also know that motivation is one of the essential factors to consider for changing such behaviors among employees in a way that lasts.
But why is it so hard to motivate our employees? What are the major barriers to motivation? And how can we fix them?
A psychology researcher named Albert Bandura looked into this question a little over 40 years ago. More specifically, he developed a theory of self-efficacy that even today can help us better understand what gets in the way of motivating people.
The challenge of perceived risk: This isn’t that serious
In an interesting scientific article, researchers explain how cyber security awareness-raising has become a paradox: Although information security risks are on the rise, people seem to feel less and less worried about them. But why? One of the hypotheses the authors raise is that someone who is used to dealing with a risk becomes less cautious around it. For example, that person may say: “I’ve never had antivirus software on my personal computer and I haven’t had any problems in the last 10 years” or “I once had someone clone my credit card, but the bank told me right away and refunded the money that was spent”. The takeaway is that when we encounter situations that could make us victims of a cyberattack or fraud, and nothing bad follows, we develop a feeling of being immunized against those risks to some extent.
So what should we do? Managing risks necessarily means assigning a value to the probability that they will occur and to the severity of their impact. It means helping our employees understand that a cyberattack may have serious repercussions for the organization – and even for themselves. For example, you might ask your employees to share negative personal experiences they have had as a result of fraud. You can also show them the concrete consequences of being compromised through phishing simulations or social engineering exercises.
The challenge of individual responsibility: It’s not up to me
Even if we understand the potential risks associated with an information security breach, we still need to feel that it is our role as employees to take part in stopping one from happening. Why bother to participate in a cyber security awareness campaign if it doesn’t concern us? “It’s not my responsibility to handle information security for my organization, that’s the job of the IT department,” is what some will say. This is the second obstacle you may encounter when deploying an awareness campaign. Employees who don’t feel involved in information security simply cannot see their role in preventing security breaches.
Feeling affected by a situation primarily means being able to recognize that our current behaviors are not in line with what is expected when it comes to information security. An excellent way to help your employees grasp this is to have them test their knowledge with a quiz. In addition to getting an objective measure of their information security knowledge, they will be able to compare their own scores with those of their coworkers. This is an excellent way to get them thinking together about the importance of a cyber security awareness campaign within the organization (and on top of that, you now have objective data you can cite to demonstrate the need for such a campaign to your higher-ups!).
The challenge of self-efficacy: There’s nothing I can do about it anyway
The last challenge concerns the sense of self-efficacy. This refers to employees’ belief in their ability to influence their environment. In other words, the stronger an employee’s sense of self-efficacy, the more convinced they are that their individual actions will truly be effective in preventing a security breach. For this reason, employees need to be convinced that they have the knowledge and skills required to take part in preventing potential cyber security breaches. Using online courses or role-playing exercises to teach new information and apply it to concrete situations is an excellent way to boost your employees’ sense of self-efficacy. They will feel more competent and will understand exactly how their actions help prevent potential information security breaches.
How about getting your employees involved throughout the process?
Planning and implementing an awareness campaign should not be done in a silo. Getting employees involved in the process from the outset has proven to be an excellent way to make them feel more responsible for preventing information security risks within your organization. Feeling like a stakeholder in an action or project is also a very powerful motivator – and helps people stay motivated.
Finally, don’t forget to address information security outside of work during your campaigns. At home, your employees are genuinely the only ones who can prevent these risks. This is an excellent additional benefit of participating in your awareness campaign: The knowledge and skills they develop may also help them protect their own personal information at home.
Three Success Factors for Long-term Behavioral Change in Cyber Security Awareness
Behavioral change involves a spectrum of factors, including the culture of an organization, the motivation of both the workforce and its leaders, and the selection of learning opportunities made available to each member.