Analyzing behavior to raise your people's cyber resilience

Safe behavior: the large gap

Over the past decade, we've come to understand that people play a critical role in cybersecurity, right alongside technology and processes.

Psychology has made a key impact by showing us that awareness isn't enough when it comes to the human aspect. There's a clear difference between knowing the right thing to do and actually doing it. So, the aim should really be promoting safe behavior.

I'm encouraged to see that newer, more developed programs are now putting the spotlight on fostering safe behavior as their end goal.

Willingness plays a strong role

I'd like to take this a bit further and focus on some key factors that influence behavior: self-efficacy and organizational culture. I've gathered and examined data that provides insights to deepen our understanding of behavior and ultimately make people more resilient.

But first, a quick refresher on the foundational psychology behind behavior. It's a mix of three things: ability, motivation, and opportunity.

For this study, I concentrated on the second element, which is motivation. Our level of willingness greatly influences our actions. I find this aspect particularly fascinating, so I decided to center my efforts on this area for our clients.

People's belief in their own ability

Motivation is a multifaceted concept, shaped by various elements: the feeling of choice (am I doing this because I have to, or because I want to?), the sense of importance (do I believe this matters?), and also self-efficacy.

This is the aspect I delved into. Self-efficacy is about how much people believe they can actually pull off the behavior in question. Can I really do this?

Generally, people steer clear of tasks if their self-efficacy is low but are more likely to tackle tasks when they believe they can actually do it. I wanted to explore how this element plays a role in secure behavior online. If I can establish a link between behavior and self-efficacy, it could offer us useful guidance on how to change behavior effectively.

Password managers: the gap between knowing and doing

For this study, our team gathered information through an online survey centered on password managers. In a pool of nearly 2400 respondents across four organizations, we discovered that 68% are aware of what a password manager is and its functions. From an awareness standpoint, that's a pretty decent figure.

However, the data shows that just 21% of respondents actually use a password manager. This indicates that nearly half of those surveyed know about password managers but choose not to use them.

We found that the self-efficacy of people who don't use a password manager is significantly lower than those who do. This highlights that an individual's confidence in their ability to use the tool is a key factor in converting that awareness into action.

In simple terms, if people think they can manage using a password manager, they're more likely to actually download and install one.

This is very interesting, since it implies that self efficacy can be one of the more effective buttons to turn when you try to change behavior. Instead of repeating the rules or making a nice lift poster to promote the use of a password manager, it would be more impactful to raise self efficacy. But how?

Mastery Experience

When it comes to building self-efficacy, the most powerful driver is mastery experiences. Have you successfully completed a similar task before? If you have, you will likely feel confident about tackling it again.

However, mastery experiences are a double-edged sword. While positive experiences can boost your self-efficacy, negative ones can weaken it. If you're looking to get your hesitant employees on board with using a password manager, aim to provide them with a positive mastery experience.

Interactive instead of presentation

Instead of just giving a presentation about how a password manager operates, consider hosting an interactive demo. Guide a group through the process of downloading and setting up a password manager. Address their issues step by step, and by the end, they'll have firsthand experience that proves they can do it.

Your chances of success go up when you set a time limit for the demo. Letting people know, "You won't have to spend much time figuring this out; we'll walk you through it. Just one hour of your time, and you'll have the password manager installed, an account created, and your top five accounts securely stored," can be very effective. This approach is what I'd recommend for boosting self-efficacy concerning password managers.

For other behaviors, the approach to creating mastery experiences may vary slightly.

For instance, if your employees feel less confident about spotting phishing emails, you could provide training that lets them practice the very skill they lack confidence in. Just like in sports, hands-on practice and repetition will help them realize they can improve and become proficient.

Raising the cyber resilience of your people

In short: people's belief in their own ability is an important behavioral aspect, that we can harness for achieving safe behavior. That is, after all, what we all aim for.

ABOUT SECURA

Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.

Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80.000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.