Barriers and challenges to behaviour change

Implementing cybersecurity behavior change means navigating a number of barriers and challenges that can undermine the change process. The model for changing security behavior developed by Hielscher, Kluge, Menges, and Sasse provides a structured sequence of steps, but several factors can cause those steps to falter.

Key Barriers and Challenges:

  1. Time Constraints:
    • Explanation: One of the primary barriers is the limited time users have to engage with security behaviors. Security is almost always a secondary task alongside their main work responsibilities, so users may not prioritize new security measures and may actively resist them.
    • Impact: Adoption of new security practices stays low, because users concentrate on completing their primary tasks.
    • Solution: Organizations should allocate adequate time for behavior change initiatives and avoid shortcuts such as strict compliance mandates, which tend to produce box-ticking rather than meaningful change. Instead, they should clearly identify the target behaviors and engage users to understand their challenges and motivations.
  2. Lack of Understanding of the User Community:
    • Explanation: A user community is usually made up of subcommunities with different capabilities, resources, and security priorities. Ignoring these differences produces behavior change programs that are ineffective for, or irrelevant to, some groups.
    • Impact: Engagement drops, because users see that the security measures are not tailored to their specific needs or capabilities.
    • Solution: Adopt a people-centered approach: understand the user community in depth and design interventions that are relevant and accessible to every subgroup.
  3. Cognitive and Physical Burden:
    • Explanation: Behavior change can impose additional cognitive and physical burdens on users. For example, enrolling in multi-factor authentication (MFA) and then using it every day takes time and attention away from the primary task.
    • Impact: High cognitive and physical burdens discourage users from adopting new behaviors, or lead to inconsistent compliance.
    • Solution: Introduce behavior changes at appropriate times, provide clear explanations, and make training easy to access. A user-centered, transparent approach that involves all stakeholders in the planning process helps keep these burdens manageable.
  4. Wrong Interventions or Timing:
    • Explanation: Addressing a behavior problem with the wrong intervention, or at an inappropriate time, leads to failure. For instance, training users not to click links in email is unlikely to work for staff whose job requires them to open messages and links from external parties.
    • Impact: Misaligned interventions waste resources and produce low compliance, which can leave security risk unchanged or even increase it.
    • Solution: Check that the proposed behavior change is likely to be effective and offers a good return on the effort it demands of users. In some cases a technical control (for example, filtering or sandboxing links before they reach the user) is more appropriate than a behavioral intervention.
  5. Poor Quality Security Advice:
    • Explanation: Unrealistic or unsupported security advice lowers users' self-efficacy and erodes their trust in security measures.
    • Impact: Users become confused and frustrated, and resist adopting new behaviors.
    • Solution: Security advice should be realistic, evidence-based, and tailored to the capabilities and resources of each user subgroup. Avoid generalizations and give clear, actionable guidance.
  6. Negative Attitudes and Behaviors of Security Teams:
    • Explanation: If the security team treats users as problems or adversaries, it creates a hostile environment in which behavior change cannot take hold.
    • Impact: Users disengage or actively resist security measures, increasing risk.
    • Solution: Security professionals should work collaboratively with users and treat them as partners rather than adversaries. This empathetic approach aligns behavior change with the users' working context and fosters a more positive security culture.

Conclusion

Overcoming these barriers requires a thorough understanding of the user community, careful planning, and a user-centered approach to designing and implementing security behavior change. Addressing them effectively lets organizations build a supportive environment that encourages and sustains positive security behaviors.

Book Reference

For further reading on implementing behavior change in security, consider the following reference:

Cranor, L.F., & Garfinkel, S. (Eds.). (2005). Security and Usability: Designing Secure Systems That People Can Use. Sebastopol, CA: O’Reilly Media.

This book examines the intersection of security and usability and offers strategies for designing systems that promote secure behavior while remaining usable, including discussion of the behavior change challenges and barriers covered above.
