Scenario: Passwords
In this scenario, employees often use weak or reused passwords, which poses significant security risks. Here are the solutions proposed:
- Password Management Tool Implementation:
  - Implementation: A password management tool can be introduced to assist employees in creating and managing strong, unique passwords. The tool can provide real-time feedback on password strength and discourage weak password practices.
  - Success Reasoning: This method is effective because it simplifies the process of generating and storing secure passwords, making it easier for employees to comply with password policies without sacrificing convenience.
- Extended Password Expiry Periods:
  - Implementation: Extending the period before passwords must be changed, while clearly communicating the reasons and providing support, can encourage better password habits.
  - Success Reasoning: This approach reduces the cognitive burden and frustration associated with frequent password changes, leading to more thoughtful and secure password practices.
- Easier Password Creation Methods:
  - Implementation: Promoting simpler but secure password creation methods, such as using three-word passphrases, can make it easier for employees to create strong passwords.
  - Success Reasoning: This method reduces the cognitive load of remembering complex passwords, making it more likely that employees will comply with password policies.
Best Method(s):
- Password Management Tool Implementation is likely the most effective solution because it directly addresses the common issue of weak and reused passwords by providing a practical tool that employees can use daily. It simplifies the process and ensures strong password practices without significantly altering user behavior.
- Easier Password Creation Methods is also valuable as it reduces the complexity of password creation, making it more accessible for all employees, particularly those who may struggle with more complex security practices.
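To make the "real-time feedback" and "three-word passphrase" points concrete, here is an added example (not from the original page or any particular product) of the checks a password tool performs on a candidate password: a common-password list, reuse against salted hashes of earlier passwords, and an entropy estimate that scores a passphrase by word choices rather than characters. The word-list size, the minimum-bits threshold and the sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import math
import re
import secrets

# Constructed sample data: a tiny common-password list (real tools use large breach corpora).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein"}
DICEWARE_LIST_SIZE = 7776   # assumed word-list size used to score passphrases
MIN_BITS = 35               # assumed minimum acceptable estimated entropy

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 hash: the form in which a tool keeps earlier passwords
    so reuse can be detected without storing any plaintext."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def is_reused(password: str, previous: list) -> bool:
    """Re-hash the candidate under each stored salt and compare in constant time."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in previous)

def estimated_entropy_bits(password: str) -> float:
    """A passphrase (3+ alphabetic words split on space or hyphen) is scored as
    word choices from a Diceware-size list; anything else as per-character
    choices from the character classes actually present."""
    words = [w for w in re.split(r"[ \-]+", password) if w]
    if len(words) >= 3 and all(w.isalpha() and len(w) >= 3 for w in words):
        return len(words) * math.log2(DICEWARE_LIST_SIZE)
    pool = 0
    if re.search(r"[a-z]", password): pool += 26
    if re.search(r"[A-Z]", password): pool += 26
    if re.search(r"[0-9]", password): pool += 10
    if re.search(r"[^a-zA-Z0-9]", password): pool += 33
    return len(password) * math.log2(pool) if pool else 0.0

def assess(password: str, previous: list = ()) -> dict:
    """Feedback a password tool could show while the user types: verdict plus reason."""
    bits = round(estimated_entropy_bits(password), 1)
    if password.lower() in COMMON_PASSWORDS:
        return {"ok": False, "bits": bits, "reason": "on common-password list"}
    if is_reused(password, list(previous)):
        return {"ok": False, "bits": bits, "reason": "matches a previous password"}
    if bits < MIN_BITS:
        return {"ok": False, "bits": bits, "reason": f"estimated {bits} bits < {MIN_BITS}"}
    return {"ok": True, "bits": bits, "reason": "acceptable"}

if __name__ == "__main__":
    history = [hash_password("Summer2023!")]          # constructed earlier password
    for candidate in ("Summer2023!", "P@ss1", "correct-horse-battery", "welcome1"):
        print(candidate, assess(candidate, history))
```

Note that a three-word passphrase from a 7776-word list scores about 38.8 bits, which is why the short "complex" password fails the same threshold it passes.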
Scenario: Phishing Awareness for Small Business
In small businesses, employees may not prioritize security due to limited resources and time constraints. Here are the solutions proposed:
- Security Champions:
  - Implementation: Identify and empower influential individuals within the organization to advocate for security practices and communicate the importance of phishing awareness.
  - Success Reasoning: This method leverages peer influence, making security messages more relatable and increasing the likelihood of behavior change.
- Increased Awareness of Threats:
  - Implementation: Provide ongoing updates about the latest phishing threats and how to recognize them, helping employees stay informed and vigilant.
  - Success Reasoning: Awareness is crucial for recognizing phishing attempts and understanding the risks associated with them, leading to more cautious behavior.
- Employee Training Programs:
  - Implementation: Conduct tailored training sessions that educate employees on phishing risks and the correct responses to suspected phishing attempts.
  - Success Reasoning: Education through training provides employees with the knowledge and skills needed to identify and respond to phishing emails, which is essential for reducing the risk of security breaches.
- Feedback from Security Incidents:
  - Implementation: Share insights from past security incidents within the organization to highlight the real consequences of phishing and encourage behavior change.
  - Success Reasoning: Learning from real incidents provides concrete examples of the impact of phishing, making the risks more tangible and motivating employees to adopt better security practices.
Best Method(s):
- Employee Training Programs is likely the most effective solution as it provides employees with the necessary knowledge and skills to identify and respond to phishing threats. Training can be tailored to the specific needs of the organization, ensuring relevance and effectiveness.
- Security Champions can also be highly effective as it uses trusted individuals within the organization to reinforce the importance of phishing awareness, making the message more impactful.
Book References for Further Reading:
- “Security Awareness: Applying Practical Security in Your World” by Mark D. Ciampa – This book provides practical guidance on implementing security awareness programs and improving security behaviors, with examples that align with the scenarios discussed.
- “Computer Security: Principles and Practice” by William Stallings and Lawrie Brown – This textbook covers a range of security topics, including user authentication and security awareness, and provides insights into behavior change strategies in security.
These references will provide further insights into the application of behavior change models and strategies in real-world security scenarios.