Royal Holloway Series

Maximising the Effectiveness of Information Security Awareness

This thesis offers a fresh look at information security awareness using research from marketing and psychology.

By Geordie Stewart and John Austen


KEY POINTS

• Claims are made about the value of promoting information security awareness with little evidence to suggest that current methods are effective

• There is evidence that the link between “awareness” and a change of behaviour is weak and heavily dependent on other factors

• The value of information security awareness needs to be measured by changes in behaviour which have positive outcomes for information security

• Research in psychology shows that an over-reliance on fear sanctions can be counterproductive in risk communications

• A “mental models” approach, mapping existing audience beliefs and attitudes, can significantly improve the success of risk communications

• Traditional information security awareness campaigns fit the profile of “mass marketing” which normally has a very low “success” rate

• “Direct marketing” is an ideal methodology for organisations seeking to influence their information systems users and employs targeted communications for maximum effect

INTRODUCTION

Over the last twenty years, technical controls for information security have advanced and matured considerably. However, despite these technical advances, information security breaches still occur on a regular basis. It appears that technical security controls have evolved faster than management controls. Despite efforts at promoting information security awareness there is evidence that human behaviour remains a significant vulnerability in any information security system. Awareness campaigns are designed and implemented often at great cost to organisations - yet are we more secure as a result? Evidence suggests that common industry methods and practices used to promote information security awareness are ineffective. Not only is the promotion of awareness a costly and difficult venture, but the link between awareness and change in behaviour has been shown to be weak.

At a personal level we are bombarded on a daily basis to give up smoking, stop speeding and lose weight—if these messages are routinely ignored why should information security messages be any different?

If the goal of security awareness is to influence human behaviour then disciplines specialising in the study of influencing human behaviour such as psychology and marketing offer an opportunity to review and improve the effectiveness of information security awareness techniques.

PSYCHOLOGY

Psychology is an established discipline of academic research dealing with human behaviour and motivation. It offers the opportunity for increased understanding and prediction of human actions through the appreciation of the cognitive functions underlying the behaviour. This increased understanding could be invaluable to information security professionals when attempting to predict the outcome of communication efforts directed at information security awareness.

Operant Conditioning: The study of “operant conditioning” is the study of human behaviour as a function of punishments and rewards. “Positive punishment” is the addition of undesirable stimulus which serves to discourage any associated behaviours while “positive reinforcement” is the addition of desirable stimulus and serves to increase the frequency or magnitude of associated behaviours.

When an organisation has problems with behaviour impacting information security, it is important to recognise the implications of operant conditioning, which suggests that all behaviour exists because it is or has been rewarded in some way:

“When organisations face problems with costs, quality, productivity and attendance, these problems often stem from ineffective patterns of behaviour that the organisation is unwittingly encouraging. To prevent and stop these problems, a behavioural approach to managing people is often the most effective.”

—Peter Makin and Charles Cox: Changing Behaviour at Work

Makin and Cox note that when seeking to discourage unwanted behaviour the “natural reaction” is to resort to the traditional stick approach – to punish behaviour which is considered non-compliant rather than rewarding patterns of compliant behaviour. Punishment often consists of pressure and cajoling from management. This approach, which is often used to promote compliance with security management controls, may not always be the most effective motivator in the operant conditioning equation. Recent examples from the field of organisational management have shown that rewards can be more effective tools depending on the situation. The critical factors to consider when deciding the approach to use are the timing of the response and the asymmetry that exists between reward and punishment.

The timing of the response effectively refers to the delay between the behaviour and its response. A change in behaviour under this circumstance depends on the subject perceiving the link between the action and the response. The longer the time period between these two events, the weaker the influence on the subject. In an information security context it is important to consider if there is a difference between punishment and reward in how quickly the consequence can be delivered.

The reward/punishment paradox refers to the fact that while behaviours can be effectively encouraged through occasional rewards, punishment must be consistent in order to have the same impact, unless the punishment is significantly severe in some way. In an information security context it is important to consider that in some situations it may not be possible to implement a punishment for each example of the behaviour. For instance it may not be possible to reliably detect the occurrence of the behaviour. If punishments cannot be reliably delivered for each example of the behaviour it is likely that an occasional reward of the desired behaviour state would be more influential. It should also be noted that an important potential unintended consequence of relying on punishments is that people may have an incentive not to report an information security breach.

Fear Response: It is common for information security awareness messages to appeal to fear as a motivator. While it might be expected that the degree of influence that a fear has is simply a function of its severity, it appears the results are more complicated. The “Boomerang Effect” has been defined by Kim Witte as an explanation for why an individual’s response to the severity of fear eventually has a declining impact.

Where the individual perceives that danger and their own ability to manage the danger is high, they are likely to take steps to control the risk. However, if the danger is high but the individual perceives a low ability to manage the danger, the individual is likely to develop a “Cognitive Dissonance”. This is when a contradiction exists between two cognitions or thoughts. This could include a contradiction between attitudes and actual behaviour. Psychologist Stephen Pinker states that cognitive dissonance is an uncomfortable state for the individual. The surprising result is that instead of changing behaviour to remove the conflict the individual is more likely to “invent a new opinion” to resolve the conflict. This goes some way to explain why so many people continue to take risks even when their awareness of the danger has improved. Rather than change their behaviour they may have adopted a coping mechanism.

Coping mechanisms might include denial or other rationalisations such as “it will never happen to me”. A case study is presented in the full thesis for an organisation that has used rewards to motivate compliance behaviour instead of relying on fear sanctions. Since the perception of fear and perceived control efficacy is an individual property, it is difficult for an organisation to find an optimum level of fear appeal where sufficient motivation is gained for some subjects without creating risk apathy in others. This suggests that organisations should either carefully target fear appeals to segmented audiences or use rewards instead to avoid the boomerang effect altogether.

Excessive fear is also associated with a decline in cognitive effectiveness. The implication is that it might be possible to scare users with information security threats and risks to the extent that they start to make mistakes.

Mental Models: Research into relevant psychology principles shows that the mental models approach advocated by risk communications expert M. Granger Morgan is of significant benefit. Mapping existing audience beliefs and attitudes is a critical prerequisite to understanding how an audience will process and interpret risk communications. Risk communications will likely have unintended consequences if audiences have significantly different understandings about any referenced concepts such as “risks” and “threats”.

The full thesis contains the results of a mental models study completed in a large UK organisation. Responses were invited from three separate teams: HR, Information Security and Finance. Questions tested beliefs such as “A risk is the same thing as a threat” and attitudes such as “I should consider someone’s motivations before reporting them for suspected breaches of information security policy”. Not only were interpretations of key concepts found to be inconsistent between teams, but the results were also internally inconsistent as members of the same teams had a significant range of interpretations. It is clear that any information security awareness campaign employed in this environment would need to reconfirm basic definitions before proceeding. The concept of risk perception is exposed as a uniquely personal interpretation that organisations need to consider before embarking on any communications exercise.

Heuristics: Humans appear to be broadly logical creatures but some systematic failures have been identified in human risk perception. Heuristics are mental shortcuts that are a consequence of the need to make decisions in a short period of time. The extent of human rationality can be measured in a laboratory setting, but this does not represent real world decision making which is likely to take place with distractions and time pressures. As a result of the need to make decisions in a relatively short period of time it appears that humans have evolved cognitive shortcuts for responding to risks. Generally, we focus on risks that are new, unfamiliar, controlled by others and ill-defined in some way (such as radiation leaks and hackers). Risks which are familiar and can be controlled by the individual in some way are perceived as less risky (such as our own driving or remembering to back up your data).

While these mental shortcuts can lead to bias and behaviour which appears illogical, this behaviour is also predictable to some degree. Information security professionals need to measure and anticipate the cognitive biases present in their audiences and adjust their information security awareness messages accordingly.

Predicting Awareness Effectiveness:The following model has been created toshow the points of failure that could pre-vent the success of an information securi-ty awareness message.

FIGURE 1: STEPS INVOLVED IN REALISING BENEFITS FROM INFORMATION SECURITY AWARENESS

MARKETING

Traditionally, marketing is thought of as an activity which is done for profit. However, it is not always the case that marketing is done to create a demand for a product or service. The closest marketing example for information security awareness would probably be government marketing campaigns such as “Think! Road Safety”, an initiative that seeks to influence the behaviour of drivers and other road users. The similarities to information security awareness are:

1. Profit is not the primary objective although there may be a significant shared economic benefit from reducing road accidents

2. Awareness of risk is one of the key components which the campaign seeks to communicate

Traditional information security awareness campaigns often use a mass marketing format. Generic messages are sent to an audience via screen savers, posters and mouse mats which promote awareness of information security but often with very little in the way of a measurable behaviour change. The problem is that a change in awareness does not necessarily result in a change of behaviour.

Direct Marketing: Direct marketing is an alternative marketing methodology that focuses on individuals and has two important distinctions from mass marketing. Firstly, communications take place in the context of an ongoing discussion where both parties can learn about the other and communications become progressively more effective based on preferences expressed by both parties. Secondly, the defining feature of direct marketing is the expected result – a call to action of some sort on behalf of the recipient. Rather than dealing with concepts as abstract as brand awareness, direct marketing has an empirical outcome expected of each set of interactions. The outcome could be to change a password, visit a web site, or to book security training. Attributing the responses received allows methods to be refined and a return on investment (ROI) to be calculated. So typically a mass marketing approach is one size fits all, often with little in the way of immediate empirical results, while direct marketing is tailored to the individual in some way and expects an immediate and measurable outcome.

Organisations can leverage the information they hold about their information system users for a shared benefit within the restrictions of the Data Protection Act. Consider that there is usually already a relationship between the organisation and a target audience, who could exist as employees or customers of its information system, which can be exploited by direct marketing. Most organisations would already have a significant database of information about their potential audience which would show many preferences and attributes useful for designing communications. For employees the company is likely to hold job title, age, sex, address, department, length of employment, and how many times they have called IT for support. These are all useful attributes to know when attempting to understand the perspectives and likely responses of an audience when exposed to security communications.

Direct marketing maximises the effectiveness of communications by focusing on audience research, measuring existing attitudes and finding quantifiable metrics as essential tools to maximise results. How many organisations embark on awareness activities without considering any of these factors? If information security awareness really is as important as so many information security practitioners make it out to be, then is it not worth doing effectively? Taking a direct marketing approach to information security awareness could hold the answer to the problem of attaining and demonstrating effective communication.

The example at right illustrates the key differences between marketing activities undertaken for profit and marketing activities used in an information security context.


CONCLUSION

A recurring theme in the review of information security awareness effectiveness is a lack of metrics to demonstrate the impact of information security awareness. Information security practitioners need to find ways of measuring results in the form of quantifiable behaviours. Measuring attitudes and beliefs through the use of surveys has been found to have a poor correlation with actual behaviour.

This lack of metrics not only causes problems with obtaining business support for information security awareness activities, but has also contributed to a difficulty in improving information security awareness techniques. The bedrock of the Plan, Do, Check, Act management cycle is reliable metrics. If there are no reliable ways available to an organisation to demonstrate the effectiveness of a particular technique, how can improvements be made by identifying that one technique was more effective than another? Although potential ways of improving information security awareness using psychology and marketing principles have been identified, the benefits will be difficult to demonstrate because of the lack of metrics.

Information security professionals have contributed to this lack of metrics but they are also part of the solution. We need to move beyond glib statements about the “criticality” of awareness and focus on making a business case for awareness activities. All behaviour has a consequence and some consequences are easier to measure than others. Information security professionals need to find ways of measuring these consequences to infer the effectiveness of communication techniques.

The reference model shown on pages 11 and 12 has been created to show designers and implementers of information security awareness programmes how to align with psychology and marketing principles and serves as a snapshot to evaluate the likely effectiveness of a given campaign. This includes principles such as risk perception, learning and motivation for the modification of behaviour.

ABOUT THE AUTHORS

Geordie Stewart is an IT Security Consultant working for Network Rail. He is a New Zealander who has lived in London for 5 years and his security experience includes finance, retail banking, telecommunications and insurance. His technical qualifications include Microsoft, Checkpoint, Citrix and ISS. Geordie’s professional interest is in understanding user behaviour in an information security context.

John Austen is a consultant lecturer in information security at Royal Holloway, University of London, after a distinguished career as head of the Computer Crime Unit of New Scotland Yard. He teaches the courses in Computer Crime and Digital Forensics on the M.Sc. in Information Security at Royal Holloway.
