The MINDSPACE framework: What factors influence human behavior?
Even when your company has the best technology and the most efficient security controls, it still has to invest in the human factor. Regardless of the methods a company adopts, nothing can be accomplished unless users of the technology are motivated and able to apply the methods effectively. According to a recent study, a misunderstanding of the human factor is the main reason that cyber security awareness training fails to change employee behavior.
Increase your influence over the human factor by understanding it better
To influence the human factor, you have to understand it. The MINDSPACE framework helps explain how habits are formed and how to alter behavior. Created in 2012, the framework is often used to influence behavioral change, and it has led to the success of a wide range of information security awareness programs. Here’s how you can integrate the nine MINDSPACE elements in your information security awareness campaigns.
The nine elements of the MINDSPACE framework
During a cybersecurity awareness campaign, users must perceive that the information conveyed is useful and truthful.
M: The Messenger
The credibility of the Messenger, i.e. the party transmitting the information, is one of the most important considerations. For your next campaign, allow some of your trained employees to become Messengers to their co-workers. As a result, you can expect greater adherence (engagement) from these employees.
I: The Incentives
Your employees should work in an environment that supports the expected change in behavior. How can you establish this type of setting? First, by offering employees the necessary Incentives to engage in the requested change of habit. In other words, your employees’ efforts should be recognized and rewarded by upper management or the immediate supervisor.
N: The Norms
Second, you should bear in mind that employees adjust their behavior, either consciously or unconsciously, to the social Norms that surround them. Do you have employees who leave confidential files out in the open? Lead by example by always storing your files in a closed cabinet. Make this practice the norm rather than the exception by publicly commending employees who adopt the desired behavior.
D: The Default
Why is it so important to change the environment in order to change employee behavior? Since people tend to adopt the Default option or choice when making a decision, you could preselect default choices for your employees as a way to trigger the expected behavior and foster new habits. Knowing that your employees are inclined to accept all the default security parameters they see on their screen, you could ensure that these parameters reflect your organization’s confidentiality norms and regulations.
S: Salience effect
Additionally, keep in mind that when people are confronted with several pieces of information at once, they tend to react to the information that they perceive to be the most important (Salience effect).
P: Priming effect
Their behavior is also strongly influenced by the ideas that come to them spontaneously (Priming effect). For these reasons, communications materials such as posters and banners can be used to remind your employees of best cyber security practices, while phishing simulations can keep them alert to potential threats.
A: The Affect
Affect is a key consideration when motivating someone to change their behavior. Motivation is directly impacted by the way training is delivered and by the format of the training materials. A rule of thumb is to properly plan the communications surrounding the implementation of the training activity. The training materials should be relevant, and employees should be told the purpose of the training as well as their role in preventing security breaches.
C: The Consistency
Users aim for Commitment in their behavior; in other words, they must feel that their behavior is Consistent with expectations. It is recommended that you establish clear expectations concerning the desired behavioral changes following a cyber security awareness campaign.
E: The Ego
You should give your users highly structured feedback regarding these expectations, but be careful not to harm their Ego. Employees must always feel competent and should understand exactly how their actions lead to the prevention of potential security breaches. This is why strategies aimed at instilling fear or those that threaten employees may not be effective at changing behavior.
Considering the human factor in security awareness planning
The MINDSPACE framework helps you reflect on concrete ways to consider the human factor when planning security awareness programs. The framework will challenge the way some organizations address information security with their employees. For maximum effectiveness, the framework must be used as part of a structured and tested process. Keep in mind that a good cybersecurity awareness program must act on the nine elements of MINDSPACE. For instance, behavioral change can’t be expected if phishing simulations are the only awareness activity used. These simulations will undoubtedly have a Salience and Priming effect on behavior, but will not influence any of the seven other elements of your employees’ MINDSPACE. Interactive training, phishing simulations and constant communication with your users make up the ideal combination for changing behavior over the long term and instilling best cybersecurity practices in your organization.