In the recent webinar series “People Matter,” convened by Nick Wilding and Richard Knowlton, Ceri Jones from NatWest shared valuable insights on effective security behavior change. Here’s a summary of the best practices highlighted during the discussion:
- Avoid Blaming Users: Recognize that security issues are not solely the users’ fault. Instead of blaming users, focus on understanding the environmental factors that contribute to insecure behaviors.
- Understand Before Intervening: Don’t rush into interventions like awareness programs without first comprehending the underlying barriers that prevent secure behavior. This could include usability issues or lack of support systems.
- Adopt Data-Driven Approaches: Avoid relying on assumptions. Security behavior change should be grounded in research and data, ensuring that strategies are effective and evidence-based.
- Move Beyond Awareness: Awareness alone is not sufficient. The goal should be behavior change that reduces risk. This involves integrating security into the organization’s culture and leadership practices.
- Use Positive, Accessible Language: Security communications should avoid technical jargon that can alienate users. Instead, use clear, positive language that engages users and makes them feel confident in their ability to act securely.
- Leverage Existing Organizational Culture: Rather than imposing a new security culture, work within the existing cultural frameworks of the organization to embed security practices more naturally.
- Continuous Engagement: Security behavior change should be an ongoing effort, not a one-time event. Regular assessments, training, and communications are key to maintaining and reinforcing secure behaviors.
- Ethical and Supportive Approaches: Avoid using fear to drive compliance. Scare tactics can backfire, especially in a post-pandemic world where anxiety is already high. Focus on empowering users with knowledge and support.
By following these best practices, organizations can create a more effective and sustainable approach to security behavior change, ultimately fostering a safer and more secure working environment.