People, not technology, pose the greatest risk to organizations ... but they are also the greatest enablers of behavioral change!
The importance of culture in change management
While people represent the main agent of change, they are also naturally reluctant to it. Either because we don’t believe in it, because we have other priorities or because we think we are just ‘a drop in the ocean’, with no real change power on our own.
Therefore, more than just a sense of urgency, it is making the change desirable that will incentivize employees. To achieve this, it is important to think about the blockers and enablers that may prevent or accelerate or the change:
| Change Blockers | Change Enablers |
| What’s the point anyway? | I see a colleague close to me doing it |
| The other won’t do it either | It seems that the majority has adopted the change |
| I have other priorities | I understand the collective benefits |
| I don’t see what the problem is | I feel capable and supported by others |
Messages tailored to your target audience will always be more effective. Do not overlook the importance of early change adopters or influencers. Convincing them first is an efficient way to go, as it will drag the majority to join the movement and adopt the intended behaviors. Keep in mind that, whatever the change, “culture is the shadow of the leader”: people will be more tempted to change if the leader makes the first step.
Influencing change on a micro-behavior or individual level
Humans don’t always act rationally. In order to effectively understand risks related to individual behavior and drive the appropriate change, it is important to grasp some of the basics of cognitive psychology.
One example of a cognitive psychology bias is “Mental Anchoring” which means that people heavily influence their opinion by the piece of information they first receive. In our learning process, we might understand a message in different ways due to our brain making shortcuts or falling prey to certain biases:
- Confirmation bias: retaining information that confirms the currently held belief
- Desirability bias: retaining the information one would like to be true
Risk management must take those constraints into consideration and try to overcome them. Cognitive psychology and nudging can be used for different purposes (political reasons, advertisement…), so why could they not serve in an ethical way to improve and establish the right risk behaviors in cyber security?
By using the appropriate words, changing the order of choices or the point of view of a sentence, you can have a completely different impact on your readers or listeners. These techniques can be used on an individual level to influence the behavior of our day-to-day activities, such as responding to a malicious e-mail.
Putting Humans@Center in your cybersecurity strategy
Every human has good and bad days and, sometimes, we forget about security. Whether it is due to social norms (holding the door for someone right after you) or laziness of performing a tedious verification (clicking on a phishing e-mail which looks legitimate), we can all, from time to time, adopt the wrong behaviors
A cybersecurity culture and awareness program can protect you against these risks. A successful awareness leader has a program with clearly defined objectives. The program should be tailored to the organization’s threat landscape starting from an adversary point of view.
It is important to realize that culture change is not a one-shot effort. Continuous reinforcement using different communication channels and platforms is important and should be tailored to the target audience and organization. Communication is about tailoring your message and repeating it.
Moreover, trainings will be more efficient if they are fun and include a rewarding mechanism. Find what works the best with your audience by collecting regular feedback and involving the workforce into the design of the program.
Measuring the success of behavioral change through compelling metrics would not only allow to assess the effectiveness of your efforts and prioritize future awareness actions, but would help to convince the board to ultimately unlock the much-needed awareness budget.
Obviously, the awareness program should be as attractive and accurate as possible. But don’t think too big, the awareness program should match the organization’s culture, budget and resources. Also, don’t be impatient and keep in mind that this process can take several years.
Navigating externally induced pressure
Newsletters EY Belgium
Subscribe to one of our newsletters and stay up to date of our latest news, insights, events or more.
Summary
You can’t ensure security through technical solutions alone. Putting humans at the center is essential to the success of the security strategy.
The key take-away here is that a good cybersecurity culture and awareness program require more than just training. Humans should be encouraged and included to drive change from the bottom-up. It is a common saying that “change starts with you”, and this definitively holds in the cybersecurity domain.
