By Laura Bishop, Director of Human Risk Science at OutThink
Providing employees with cybersecurity awareness training ticks the compliance box, but is it really driving effective behaviours within your organisation?
Picture yourself as an employee who has just finished the annual cybersecurity training campaign. You now know what is necessary to reduce the risk of a breach, but… you don’t see any chance of a cybercriminal attacking you. IT has it all covered anyway; if your computer is attacked, you’ll just get another one. Plus, you don’t like the company and are looking for a new job.
It is not enough to just provide employees with the skills to protect your organisation; they must also have the motivation to put those skills into action.
Organisations need to change how employees perceive the context of cybersecurity. Contextual motivation can be experienced either intrinsically or extrinsically. Intrinsic motivation is superior, as it is driven by pleasure or genuine interest in the task. Extrinsic motivation is either controlled externally (for example through policy, rewards and punishment) or internally, by seeing the task’s true value.
How motivated can employees become around cybersecurity?
Intrinsic motivation brings about more positive behaviour but cannot always be relied upon as some tasks will never be completed for sheer pleasure. For some tasks, the highest level of motivation that can be achieved is understanding why it needs to be done despite obtaining no pleasure from it. Internally driven motivation can come from feelings of guilt or by understanding its value (most closely linked to intrinsic motivation).
Behaving securely will never be deemed pleasurable or interesting, so the key to motivating employees is education around its value, increasing the perception of its benefits versus its costs. Cybersecurity behaviours are process driven and ongoing, so understanding their value is key.
Motivation within cyber awareness training is often presented in the form of gamification: the use of elements such as points and leaderboards to drive interest in the activity. This can hold benefits for the completion of the training itself, but should not be confused with motivating employees to act outside of the training platform. External rewards have limited influence when an end goal is not present, so organisations must clearly articulate why secure behaviours are required and the impact of not practising them.
How can you increase cybersecurity motivation?
Examples of key drivers of motivation that can help encourage more self-determined behaviour in your organisation include:
- Perception of risk — Understanding the true severity and probability of threat
- Competence — Feeling confident in policy measures and self-application of these measures
- Psychological ownership — Mental ownership of the data, technology and need to avoid its loss
- Autonomy — Less focus on external pressures and feelings of self-choice
- Culture — A sense of belonging and social acceptance.
If employees do not perceive the risk as probable, they will not see the value in behaving more securely, especially when busy fulfilling their primary role. If they do not feel they have the skills to protect the organisation, they will not try. Finally, if employees feel cybersecurity is forced on them, they will not engage. To combat this:
- Communicate true risk and any incidents occurring both within and outside of your organisation.
- Encourage employees to feel connected to their work data.
- Ensure all cybersecurity communication is empowering and that a knowledge-sharing cybersecurity culture is fostered. Don’t just teach your employees how, teach them why.