By Laura Bishop, Director of Human Risk Science at OutThink
Providing employees with cybersecurity awareness training ticks a compliance box, but it may not really be driving positive behaviours within your organisation. Picture yourself as an employee who has just finished the annual cybersecurity training campaign. You now know what needs to be done to reduce the risk of a breach, but you don’t see a chance of a cybercriminal attacking you, and IT has it all covered anyway. If your computer is attacked, you’ll just get another one, plus you don’t like the company and are looking for a new job.
It is not enough to just provide employees with the skills to protect your organisation; they must also have the motivation to put those skills into action.
How motivated can employees become?
Motivation sits along the following continuum from least to most beneficial:
- Amotivation — No pleasure, sanctions or value seen and no action taking place.
- Extrinsic motivation (externally driven) — Fulfilled due to rewards or fear of punishment.
- Extrinsic motivation (internally driven) — Driven by guilt or, most optimally, by seeing value.
- Intrinsic motivation — Feelings of pleasure and interest.
Behaving securely will never be deemed by employees as pleasurable or interesting. The key to motivating employees is to educate them about its value, increasing the perception of its benefits versus its costs.
Motivation is also characterised by whether its key purpose lies in the process of an action or in its outcome. An example would be a task that may have a definitive end goal to strive for (e.g., weight loss), or no clear end goal (e.g., healthy eating). Actions with an end goal can be extrinsically motivated and therefore rewarded, with losing weight resulting in congratulations from others or lower feelings of guilt. However, process actions with no defined end goal require a form of motivation that is either intrinsic or self-determined. So, to commit to eating healthily every day for the rest of your life, you must either find it pleasurable or see the true value in it. Cybersecurity behaviours are process driven and ongoing, with no definitive end, so people need to see the pleasure in them or, at the very least, understand their value. The latter is the only option.
Motivation within awareness training is often presented in the form of gamification, the use of elements found within games, such as points and leaderboards, to drive interest in the activity. While this can hold benefits for the completion of the training itself (as this is goal related), it should not be confused with motivating employees to act outside of the training platform. External rewards have limited influence when an end goal is not present.
So, the aim for organisations is not only to educate and raise security awareness amongst employees, but also to clearly articulate why secure behaviours are required and the impact of not carrying them out.
How can you increase cybersecurity motivation?
There are several suggested key drivers of motivation that can help encourage more self-determined behaviour in your organisation. A few examples include:
- Perception of risk — Understanding the true severity and probability of threat.
- Competence — Feeling confident in policy measures and self-application of these measures.
- Psychological ownership — Mental ownership of the data, technology and need to avoid its loss.
- Autonomy — Less focus on external pressures and feelings of self-choice.
- Culture — A sense of belonging and social acceptance.
If employees do not feel that risk is probable, they will not see the value in behaving more securely, especially when busy fulfilling their primary role. Similarly, if they do not feel they have the skills to protect the organisation, why bother to try? If they have no attachment to the organisation’s data or technology, particularly with everything now in the cloud, why try to protect it?
Finally, if employees feel cybersecurity is forced upon them, or their peers complain when they follow policy rather than the previously agreed, more sensible ‘workaround’, they will not engage. You must therefore ensure that, as well as raising security awareness and upskilling your employees, you:
- Communicate true risk and any incidents occurring both within and outside of your organisation.
- Encourage employees to feel connected to their work data and technology.
- Ensure all cybersecurity communication is empowering and that a knowledge-sharing cybersecurity culture is fostered. Don’t just teach your employees how; teach them why.
To find out how the OutThink Cybersecurity Human Risk Management platform raises awareness, drives more secure behaviours, and increases motivation across an organisation, please get in touch with us at FUEL Online.
FUEL has partnered with OutThink to include its award-winning human risk management platform as one of the software solutions it offers clients.