Scenario 1: The Challenge of Contextual Nature of Security Practices
Target Audience: Employees of an Organization
Insecure Behavior: Sharing Potentially Sensitive Information
Scenario: In a large financial institution, employees frequently discuss work-related matters during lunch breaks in public spaces such as cafes near the office. While these conversations seem harmless, they often include discussions about sensitive client information, upcoming mergers, or internal projects. The behavior is contextual: within the office, employees are generally careful to maintain confidentiality, but outside it, in more casual environments, they do not keep up the same level of vigilance.
Connection to the Challenge: The challenge here lies in the contextual nature of security practices. Good security behavior, such as maintaining confidentiality, is highly dependent on the environment. In the informal setting of a public space, employees may not perceive the same level of risk, leading to insecure behaviors like discussing sensitive information openly. This makes it harder for organizations to identify and address these behaviors effectively because the context changes the perception of what is considered secure behavior.
Solution:
To mitigate this risk, the organization could implement security awareness training that emphasizes the importance of maintaining confidentiality in all environments, not just within the workplace. Additionally, creating guidelines for appropriate discussions in public settings and encouraging employees to use secure communication channels for sensitive topics could help address this challenge.
Scenario 2: The Challenge of Visibility and Measurability
Target Audience: People Who Train Others in Cybersecurity
Insecure Behavior: Weak Password Security
Scenario: A cybersecurity training company provides workshops on password management to various organizations. The trainers focus on teaching employees the importance of creating strong passwords and regularly updating them. However, after the training, there is no follow-up or mechanism to measure whether the employees have actually implemented these practices. As a result, many employees continue using weak or reused passwords, believing that the training alone is sufficient to improve their security posture.
Connection to the Challenge: The challenge in this scenario is the visibility and measurability of security behavior changes. While the training is intended to encourage better password practices, the actual adoption of these practices is not visible or easily measurable. Without a way to track and evaluate whether employees are following the advice given in training, it’s difficult to assess the effectiveness of the intervention.
Solution:
To address this challenge, the training company could introduce post-training assessments or regular audits to measure the adoption of strong password practices. They could also implement tools that monitor password strength and provide feedback to employees, making the changes in behavior more visible and measurable. This approach would help ensure that the training has a lasting impact on employee behavior.
Book References
For further reading on the challenges of security behavior change and strategies to address them, the following books are recommended:
- “Security Behavior: The Unintended Consequences of Policies, Processes, and Practices” by Herve Schauer (2019)
  - This book explores the complex nature of security behaviors in organizations and provides insights into how to influence them effectively.
- “The Human Factor in Cybersecurity: Exploring the Nexus of Human and Organizational Factors” by Jennifer L. Bayuk (2013)
  - This book examines the role of human behavior in cybersecurity and discusses the challenges of changing security behaviors in organizations.
- “Behavioral Cybersecurity: Applications of Personality Psychology and Cognitive Science to IT Practitioners” by Kerry Brown (2018)
  - This book applies psychological principles to cybersecurity, offering strategies to address the challenges of influencing security behaviors.
These resources provide a deeper understanding of the complexities involved in changing security behaviors and offer practical approaches to overcoming the associated challenges.