When boiled down to its core, the objective of any good cybersecurity awareness program is quite simple: to help people make better risk decisions. That sounds great, but achieving it can be quite a different thing.
Awareness Is Not Enough
I am at that stage of my life where family, friends, doctors, and social media influencers are telling me I should watch what I eat and work out regularly. I usually nod, but that's where it ends. That is the challenge with many awareness programs: simply making someone aware of an issue is not enough to stimulate a behavioral change.
This is where understanding human psychology, how it works, and how to introduce some of its concepts into cybersecurity awareness training can make a huge difference.
What to Learn From Marketing Psychology
Manufacturers approach products from primarily two angles: They ask people what they want and then create that product; or, most commonly, they create a product and then find a way to convince people it is something they need. That is where marketing comes in — and in that respect, marketing is just as valuable as innovation in manufacturing.
Showcasing the value of security to employees and explaining why partaking in the awareness program is beneficial is essential to embedding real behavioral change within the organization.
The Experience Matters
When planning your awareness program, consider a car. It is primarily a mode of transportation, but there are limits to how fast it can go.
Where the speed of the journey cannot be increased, one can increase the comforts within the car to create a more enjoyable experience. If your family car can provide charging ports for tablets and Wi-Fi, then not only would it put an end to the chants of, "Are we there yet?" but kids may actually look forward to a longer journey.
How often do we see security awareness programs resemble long, boring car journeys with no end in sight? While employees may not verbalize it, their inner dialogue is asking when it will end and when they can get back to their real jobs.
Building a Better Security Awareness Program
There are many elements from psychology that we can incorporate into cybersecurity awareness programs to make them more effective.
1. Make It a Challenge
Video game makers create games that start off easy and gradually build in difficulty. This is because if a game is too difficult, people get disheartened and leave, and if it is too easy, it does not present enough of a challenge. People are clever and like to work things out for themselves. Ensure your awareness program takes this into account and does not patronize employees, nor make things needlessly difficult.
2. Consistency Over Intensity
Shorter, more frequent topics can be better than lengthy training sessions that take up several hours. Consistency is more important than intensity. Think of your favorite TV show versus a movie. A movie requires a greater one-time investment of a couple of hours, but a TV show's shorter episodes can run over a much longer period and have greater impact.
3. Remove Negative Stigma
In football (soccer to Americans), statistically you are more likely to score a penalty if you shoot straight down the middle. But people don't do it because they may look stupid if they miss. If a player kicks it down the left or right and the keeper saves it, then they do not look stupid; the keeper just looks very good.
Part of creating a culture of cybersecurity involves removing the stigma associated with the fear that comes with having to report a mistake. By making reporting an error or attack a positive experience, organizations can overcome this hurdle.
No Exact Science
When dealing with people, it is important to remember that it is not an exact science. While you may have accurate ways to measure improvement or change, those measurements are not the only thing worth considering.
This is why a weather forecast may state that the temperature is 75 degrees but that it "feels like" 68 degrees. The weather anchor knows that although science can accurately measure temperature and provide an exact number, that number is not always how humans perceive it.
The human mind is not like a computer where you can patch the software once and forget about it. Rather, it needs to be engaged and positively reinforced repeatedly to make a long-lasting change. For this, we need to understand humans just as well as (if not better than) we understand computers. Because in the realm of cybersecurity awareness, psychology is the prevalent technology.