In the provided scenario, the goal is to design a behavioral intervention to encourage employees to report potential phishing emails. The scenario outlines that employees have been trained on identifying phishing emails and a reporting mechanism is in place, but they are not utilizing it. To address this, the Extended Parallel Process Model (EPPM), a model that focuses on fear appeals, is a suitable choice for the intervention design.
Extended Parallel Process Model (EPPM)
EPPM is a behavioral change model that explains how individuals respond to fear-based messages. The model suggests that when a fear appeal is communicated, individuals engage in two types of appraisals:
- Threat Appraisal: Individuals assess the severity of the threat and their susceptibility to it. In the scenario, this is achieved by providing information on the prevalence and success of phishing attacks, emphasizing that anyone in the organization could be a target.
- Efficacy Appraisal: Individuals assess their ability to effectively respond to the threat (self-efficacy) and the effectiveness of the recommended action (response efficacy). In the scenario, this involves reminding employees that they have the skills to identify phishing emails and that reporting them is a simple yet effective action that helps protect the organization. EPPM's central prediction is that a fear appeal only leads to protective action (danger control) when perceived efficacy is high enough to match the perceived threat; when people feel threatened but unable to respond, they manage the fear instead (fear control) through avoidance or denial, which is why the efficacy components of the intervention matter as much as the threat message.
Designing the Intervention
- Fear Appeal Communication:
  - Threat Information: The intervention should clearly communicate the risk associated with not reporting phishing emails, such as the potential for data breaches, financial loss, and damage to the organization’s reputation.
  - Impact of Past Incidents: Citing previous breaches caused by phishing attacks in the organization can make the threat more tangible and immediate, enhancing the perceived severity and susceptibility.
- Reinforcing Self-Efficacy:
  - Remind employees that they have already been trained to recognize phishing attempts.
  - Emphasize the simplicity of the reporting process (e.g., clicking a report button).
- Response Efficacy:
  - Explain how reporting phishing emails contributes to the overall security of the organization by enabling the IT department to take preventive measures and mitigate threats.
- Additional Considerations:
  - Message Delivery: The message could be communicated by senior management or the Chief Security Officer (CSO) to increase its authority and impact.
  - Timing and Presentation: The message should be sent when employees are most likely to read it, with a clear, concise format to avoid overwhelming them.
Implementation and Follow-up
After implementing the intervention, it is crucial to evaluate its effectiveness. This can be done by monitoring whether there is an increase in phishing email reports and gathering feedback from employees to refine future interventions.
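The follow-up step above is easier to act on with a concrete measurement. The script below is an added example, not part of the original answer: it assumes a simulated-phishing tool that records which employees received each test message, and a report-button event log that records who reported which message and when (both data sets here are constructed sample data, with a constructed intervention date). It compares the reporting rate and the median time-to-report on simulated messages before and after the intervention, counts each delivery once even if the recipient clicks "report" twice, and tallies reports of non-simulated mail separately, since those are employees reporting real suspicious email.

```python
from datetime import datetime
from statistics import median

# Constructed: the day the CSO's EPPM-style message went out.
INTERVENTION_DATE = datetime(2024, 3, 1)

# Constructed sample data. Each tuple is (message_id, recipient, timestamp).
# DELIVERIES would come from the simulated-phishing tool; REPORTS from the
# "report phishing" button's event log.
DELIVERIES = [
    ("sim-001", "alice", datetime(2024, 2, 5, 9, 0)),
    ("sim-001", "bob", datetime(2024, 2, 5, 9, 0)),
    ("sim-001", "carol", datetime(2024, 2, 5, 9, 0)),
    ("sim-002", "alice", datetime(2024, 2, 19, 10, 30)),
    ("sim-002", "bob", datetime(2024, 2, 19, 10, 30)),
    ("sim-002", "carol", datetime(2024, 2, 19, 10, 30)),
    ("sim-003", "alice", datetime(2024, 3, 4, 9, 0)),
    ("sim-003", "bob", datetime(2024, 3, 4, 9, 0)),
    ("sim-003", "carol", datetime(2024, 3, 4, 9, 0)),
    ("sim-004", "alice", datetime(2024, 3, 18, 10, 30)),
    ("sim-004", "bob", datetime(2024, 3, 18, 10, 30)),
    ("sim-004", "carol", datetime(2024, 3, 18, 10, 30)),
]
REPORTS = [
    ("sim-001", "carol", datetime(2024, 2, 5, 13, 0)),   # 240 min after delivery
    ("ext-777", "bob", datetime(2024, 3, 10, 8, 15)),    # real mail, not a simulation
    ("sim-003", "alice", datetime(2024, 3, 4, 9, 12)),   # 12 min
    ("sim-003", "carol", datetime(2024, 3, 4, 9, 45)),   # 45 min
    ("sim-004", "alice", datetime(2024, 3, 18, 10, 40)), # 10 min
    ("sim-004", "alice", datetime(2024, 3, 18, 10, 50)), # duplicate click, ignored
    ("sim-004", "bob", datetime(2024, 3, 18, 11, 30)),   # 60 min
]


def evaluate(deliveries, reports, cutoff):
    """Compare reporting behaviour on simulated phish before and after cutoff.

    A delivery belongs to the period in which it was sent, and a report is
    credited to the delivery it matches on (message_id, recipient). Only the
    earliest report per delivery counts, so duplicate clicks do not inflate
    the rate. Reports that match no simulated delivery are counted under
    'other_reports' for the period in which they were made.
    """
    delivered = {(m, r): t for m, r, t in deliveries}
    first_report = {}
    other = {"before": 0, "after": 0}
    for m, r, t in reports:
        key = (m, r)
        if key not in delivered:
            other["before" if t < cutoff else "after"] += 1
            continue
        if key not in first_report or t < first_report[key]:
            first_report[key] = t

    stats = {}
    periods = (("before", lambda t: t < cutoff), ("after", lambda t: t >= cutoff))
    for period, in_period in periods:
        keys = [k for k, t in delivered.items() if in_period(t)]
        minutes = [
            (first_report[k] - delivered[k]).total_seconds() / 60
            for k in keys if k in first_report
        ]
        stats[period] = {
            "delivered": len(keys),
            "reported": len(minutes),
            "report_rate": round(len(minutes) / len(keys), 3) if keys else None,
            "median_minutes_to_report": median(minutes) if minutes else None,
            "other_reports": other[period],
        }

    before, after = stats["before"]["report_rate"], stats["after"]["report_rate"]
    stats["rate_lift"] = round(after - before, 3) if None not in (before, after) else None
    return stats


if __name__ == "__main__":
    for period, values in evaluate(DELIVERIES, REPORTS, INTERVENTION_DATE).items():
        print(period, values)
```

The reporting rate on simulated messages is the cleanest signal, because the denominator (how many employees received something they should have reported) is known; raw report volume alone can rise simply because more phishing arrived. Time-to-report matters too, since a report that lands in the SOC hours after delivery gives the IT department much less room to act, which is the response-efficacy argument the message itself makes.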
Book References for Further Reading
- “The Psychology of Fear Appeals: An Integrative Approach” by Melanie Tannenbaum and Michelle A. Edwards – This book provides an in-depth analysis of fear appeal theories, including the Extended Parallel Process Model (EPPM), and their application in various contexts.
- “Protection Motivation Theory and Fear Appeals: Application to Information Security” edited by M. Norman and S. Elizabeth – This text explores the application of fear appeals and protection motivation theory in the field of information security, offering practical insights for designing interventions.
These resources will help deepen your understanding of how to effectively apply behavioral change models like EPPM in cybersecurity scenarios.