What comes to mind when you think of cybersecurity? Encryption? Firewalls? Antivirus software? While these are all important components of a cybersecurity platform, there’s one piece of hardware that doesn’t receive the attention it deserves: the human brain.
The companies best equipped to handle the evolving threats from hackers and other cybercriminals are the ones that have established a culture of security. According to a recent Ipsos survey, almost half of C-suite executives at large companies say “human error or accidental loss by an employee/insider caused a breach at their organization.” This is a stark reminder that all the security technology in the world won’t protect your company from the vicissitudes of human behavior.
To change human behavior, you have to understand it. There are many aspects of human behavior that are particularly salient to cybersecurity professionals — from our propensity to take risks to the incentives that motivate us to how we absorb and retain information. The better you understand why your employees think and act the way they do, the more effective your cybersecurity platform will be.
Understanding and differentiating risk
While this may sound surprising coming from the CEO of a security awareness company, not all forms of risk-taking are bad. A tolerance for risk is a powerful engine of innovation — we never would have invented airplanes or walked on the moon if our species was totally risk-averse. But our willingness to assume risk can also be dangerous and unnecessary. If you dump all your savings into a dicey investment, ride a motorcycle without a helmet, or spend all day outside without sunscreen, you’re taking inordinate risks for no apparent reason.
The psychology of risk-taking is nuanced and complex — many of the tendencies that are implicated in reckless behavior can also serve a useful purpose if they’re channeled properly.
For example, a study recently published in the Academy of Management Journal found that rivalry can lead to increased risk-taking. This makes sense, as many other studies have pointed to the link between competition and elevated testosterone, which is a hormone associated with risky behavior (for both men and women). Rivalries are particularly intense forms of competition, so it’s no surprise that they make participants feel extra inclined to take risks.
But this doesn’t mean companies should always be wary of rivalries with competitors and among employees. As the authors of the Academy of Management study note in a summary of their findings, “Risk-taking is not inherently good or bad; it depends on the context.” A rivalry with another company could inspire employees to take the controlled risk of embarking on an ambitious and demanding project. But the same rivalry could push employees to do something irresponsible in search of an advantage, such as using an unsecured cloud productivity tool.
This is just one example of an antecedent to risky behavior, but it demonstrates a larger point: It’s vital to distinguish between the risks that are worth taking and those that aren’t, which is what security awareness helps employees do.
Learn how to change behavior
It’s impossible to change the culture of a company without the right set of incentives and a thorough understanding of employees’ needs, priorities, and attitudes. Companies often try to change behavior with heavy-handed, top-down interventions like stringent new rules and impersonal systems of reward and punishment, but these interventions are just as likely to alienate employees as they are to motivate them.
To build on the example we looked at in the previous section: competition can be a catalyst for behavioral change. Gamification techniques such as leaderboards and team-based challenges encourage healthy competition between employees — a tactic that has proven successful across many different businesses and contexts. An Accenture report notes that “one company experienced a 230 percent increase in new product sales within 30 days,” while another saw a “50 percent increase in sales quotas within six weeks” when they implemented gamification platforms to motivate employees.
No matter what strategies you use to change employee behavior, it’s crucial to establish norms of open communication and mutual respect if you want employees to be engaged and responsive. An innate sense of reciprocity and fairness is one of the most basic social intuitions we have, which is why an international survey of almost 20,000 employees conducted by Harvard Business Review found that “respect” was what employees valued more than anything else from their leaders.
From employee programs that leverage our natural urge to compete to the recognition that each employee craves and deserves respect, your attempts to change behavior should be built around an in-depth understanding of human behavior.
Cybersecurity requires long-term solutions
The most fundamental goal of a security awareness program is to create lasting cultural change. This is why I’ve always opposed check the box security exercises like cursory emails from the IT department and monotonous security meetings that take place a few times a year.
Two of the most important characteristics of a security-oriented culture are consistency and frequency. The landscape of cybersecurity is constantly changing, so employees always need to be informed about emerging threats and strategies for combating them. Repetition also helps with memory retention — at a time when there are more demands on employees’ attention than ever before, they won’t make cybersecurity a priority unless the importance of doing so is consistently reinforced.
Another way to ensure that employees retain the information they learn about cybersecurity is to present it in narrative form (i.e., case studies about major data breaches and what could have been done to prevent them). People have an easier time processing and remembering stories than random, discrete pieces of information because they have emotional value and a cohesive structure. An article in The European Journal of Communication Research points to the “superiority of narratives over expository material found in some studies,” while a literature review published in the Proceedings of the National Academy of Sciences observes that “Empirical studies support … a categorical difference between paradigmatic and narrative processing, and suggest that narrative processing is generally more efficient.”
Finally, we return to the issue of respect. You can’t develop a culture of security if your employees don’t feel like stakeholders who have an active interest in protecting the company. According to a literature review published in the Psychological Bulletin, “People’s subjective well-being, self-esteem, and mental and physical health appear to depend on the level of status they are accorded by others.” Your employees are no different.
Understanding human behavior — from the risks employees take to how they learn to what they value — is integral to the development of a culture of security. The sooner companies recognize this fact, the safer they’ll be.