Is the cybersecurity awareness training you do for staff really improving behaviours within your company, or is it merely a compliance exercise?
An employee that completes an annual cybersecurity training programme often forgets what they learned soon after, reverting to old ways which leave the company vulnerable. They know what is necessary to reduce the risk of a breach, but there is no follow up and the knowledge is not top of mind. A common attitude exists that it is not the employee’s responsibility but more of an issue related to the IT department.
So, it is not enough to just provide employees with the skills to protect your organisation; they must also have the motivation to put those skills into regular action.
Organisations need to change how employees perceive the context of cybersecurity. Intrinsic motivation is effective as it is driven by pleasure or genuine interest in the task. Extrinsic motivation is controlled externally through policy, rewards and punishment.
How to Motivate Staff
Intrinsic motivation brings about more positive behaviour but cannot always be relied upon, as some tasks will never be completed for sheer pleasure. For some tasks, the highest level of motivation that can be achieved is understanding why it needs to be done despite obtaining no pleasure from it. Internally driven motivation can come from feelings of guilt or from understanding the task's value.
Behaving securely will never be considered pleasurable or interesting, so the key to motivating employees is education around its value: increasing the perception of its benefits versus its costs. Cybersecurity behaviours are process driven and ongoing, so understanding the value is important.
Motivation within cyber awareness training is often presented in the form of gamification. The use of elements such as reward points and leaderboards drives interest in the activity. This can hold benefits for the completion of the training itself but should not be confused with motivating employees to act outside of the training platform.
External rewards have limited influence when an end goal is not present so organisations must clearly articulate why secure behaviours are required and the impact of not administering them.
Drivers of motivation that can help encourage more self-determined behaviour in your organisation include:
- Perception of risk. Understanding the true severity and probability of threat.
- Competence. Feeling confident in policy measures and being able to self-apply these measures.
- Psychological ownership. Mental ownership of the data, technology and need to avoid its loss.
- Autonomy. Less focus on external pressures and feelings of self-choice.
- Culture. A sense of belonging and social acceptance.
If employees do not feel risk is probable, they will not see the value in behaving more securely, especially when busy fulfilling their primary role. If they do not feel they have the skills to protect the organisation, they will not try.
Finally, if employees feel cybersecurity is forced on them, they will not engage. To combat this:
- Communicate true risk and any incidents occurring both within and outside of your organisation.
- Encourage employees to feel connected to their work data.
- Ensure all cybersecurity communication is empowering and that a knowledge-sharing cybersecurity culture is fostered. Don’t just teach your employees how, teach them why.
FUEL has partnered with leading cybersecurity company OutThink to include its award-winning human risk management platform as one of the software solutions it offers clients.
OutThink received the highest possible score from ratings body Gartner Peer Insights, as well as a Seal of Excellence award from the European Innovation Council.
To find out how the OutThink Cybersecurity Human Risk Management platform can raise awareness, drive more secure behaviours, and increase motivation across your organisation, please get in touch with us at email@example.com.