Picking target audience and behaviours to change

In cybersecurity practice, selecting the right target audience and identifying the specific behaviors that need to be changed are crucial steps in designing effective interventions. This process involves several layers of consideration, from understanding the organizational context to applying behavioral theories and practical techniques. Let’s delve into this in more detail:

Understanding the Purpose and Impact

When aiming to change security behaviors within an organization, it’s essential to start by asking key questions:

  • What is the purpose of the behavior change?
  • What impact do you hope to achieve?
  • What are the specific security risks involved?

These questions help clarify the goals and guide the selection of target behaviors. For instance, if password security is identified as a critical issue, the focus might be on improving password complexity, avoiding password reuse, or encouraging the use of password managers.

Commonly Targeted Behaviors: Password Management

Passwords remain a significant area of concern in many organizations, despite being a well-known security measure. This is because many employees continue to reuse passwords or choose weak ones. The practitioner must recognize that simply repeating the same security advice isn’t enough. Employees may already be aware of the guidelines but fail to act on them due to habituation or perceived irrelevance.

Reframing the Message

To engage employees effectively, it’s often necessary to present the same security concepts in a new way. This might involve:

  • Changing the Narrative: Illustrating the evolving nature of threats, such as how attackers adapt to better password practices, can make the issue more relatable.
  • Positive Framing: Instead of emphasizing problems, frame security practices as opportunities for employees to contribute to the organization’s safety.
  • Tailored Communication: Use the organization’s culture to craft messages that resonate with different teams, making them feel part of a collective effort rather than merely complying with top-down directives.

Investigating Behavioral Causes

Rather than focusing solely on observable risky behaviors, such as frequent clicks on phishing links, it’s essential to understand the underlying causes. For example, employees who appear to be “top clickers” might not be careless or uninformed; they might have struggled for years with inadequate support or resources. Engaging with these individuals often reveals broader organizational issues, such as under-resourced IT support or a lack of training.

Behavior Change Interventions: A Step-by-Step Approach

  1. Identify the Target Audience and Key Behaviors:
    • Start with the personas that are most at risk. Determine which behaviors contribute to these risks.
    • Use tools like the Behavior Change Wheel (BCW) to assess the impact, ease, and acceptability of changing specific behaviors.
  2. Prioritize and Plan:
    • Focus on behaviors that are both impactful and feasible to change. It’s important to avoid overwhelming employees with multiple behavior changes at once.
    • Implement change management principles, understanding that it takes time for a new behavior to become automatic.
  3. Assessment and Pre-Evaluation:
    • Conduct a pre-assessment to understand the specific needs of the target audience. This helps tailor the intervention to the unique context of the organization or department.
  4. Developing a Holistic Approach:
    • Policy Foundation: Establish clear policies that define secure practices, such as password creation guidelines.
    • Training and Information: Provide comprehensive training that explains not just the “how” but also the “why” behind security practices.
    • Supportive Tools: Implement tools like multifactor authentication (MFA) to reinforce secure behaviors.
  5. Long-term Engagement:
    • Recognize that behavior change is an ongoing process. Regularly reinforce the new behaviors and adapt the strategy as necessary to keep up with evolving risks and organizational changes.

Book References

For a deeper understanding of behavior change in cybersecurity, consider the following books:

  1. “Nudge: Improving Decisions About Health, Wealth, and Happiness” by Richard H. Thaler and Cass R. Sunstein: This book introduces the concept of “nudging” and how small changes in the environment can significantly influence behavior. Although not specific to cybersecurity, the principles can be applied to designing interventions that guide employees toward more secure behaviors.
  2. “The Behaviour Change Wheel: A Guide to Designing Interventions” by Susan Michie, Lou Atkins, and Robert West: This book provides a comprehensive framework for understanding behavior change and designing effective interventions. The Behavior Change Wheel model is particularly useful for identifying which behaviors to target and how to structure interventions in a systematic way.
  3. “Influence: The Psychology of Persuasion” by Robert B. Cialdini: This classic book explores the principles of persuasion and how they can be used to influence behavior. Understanding these principles can help in crafting messages and interventions that resonate with employees and encourage compliance with security practices.
  4. “Switch: How to Change Things When Change Is Hard” by Chip Heath and Dan Heath: This book offers insights into how to drive change, even when it’s difficult. It emphasizes the importance of understanding both the rational and emotional sides of behavior change, which is crucial when trying to shift security practices in an organization.

These resources provide both the theoretical background and practical guidance needed to effectively target and change cybersecurity behaviors in an organizational context.
