LONG READ
How to Measure Security Behavior
Introduction
Technology isn’t enough to protect your business from modern cyber threats. Cybercriminals exploit the human element at every opportunity. Making people more secure is core to any meaningful cyber security strategy.
Over recent years security teams have brought the human element of security more into focus. You’ve put in place regular training and information sharing. It has been a significant shift, and a great start. But as cyber threats get more advanced, so should our understanding of the people who play a role in security.
People are complex. Which means reasons people aren’t cyber secure are also complex. The reason someone reuses passwords is very different from the reason someone falls for a phishing scam. To be able to change those actions, we have to work in the best way for each.
Understanding why people do things in a certain way, and how to effect real change is well worth the effort. Don’t worry, it’s interesting stuff! And at the end of this eBook you’ll have some great tools to take to your team.
At CybSafe, behavioral science is at the heart of everything we do. With our dedicated behavioral science team, we help organizations reshape how they make people more secure.
Let’s get stuck in to “measuring behavior”
As security professionals we often talk about “behaviors’”, but how do we measure them? And how do we get data-driven insights and proof for the decision-makers?
So, there are two things to bear in mind here. Measuring behavior isn’t just about understanding which behaviors are happening. We need to know why they are happening, too.
We want to show you six ways of measuring behavior. They each help you analyse, benchmark, and understand why people do what they do. It’s important to remember that we’re all different. So what works for Alison in accounting, won’t work for Matt in logistics. Or Risha, or Fiona. But once you have the secret sauce the important thing is to continually evaluate.
Enough talk, let’s look at how we get this done.
Chapter 1: Objective measures
Objectively speaking, objective measures are a great place to start. Not to sound cold, but it removes all emotion from the situation. These measures aren’t based on feelings or what people think.
Here we evaluated the way in which people undertake tasks. For example, computer logs or a password strength “calculator” can collect objective data. Importantly, this method is purely focused on what people are doing.
There are a couple of points to take into account with this approach. It may need technical integrations and access to data sources. So could potentially have a cost implication. And teams must be made aware of the data being gathered and how it’s being used.
There’s so much more to learn on this subject. Get yourself a coffee and read this research: “On Defining Subjective and Objective Measurements” from J.M.Rothstein from a deeper dive.
Chapter 2: Self-report
Next up it makes sense to talk about self-reporting. As it says on the tin, it’s asking people to report on their own behavior, view, or opinions. Either by survey, diary, or interview.
Pros: to it’s easy-to-conduct and low-cost.
Cons: when assessing themselves, people may answer to make themselves look good (there’s a cracking piece of research on this from the Journal of Business and Psychology).
To encourage people to answer honestly – rather than saying what they think a colleague or manager wants to hear – start with good questions. This is not easy. But it’s critical if we’re to get the most accurate data.
An entire book can be (and has been) written on the creation of research criteria for self-reporting. A great resource can be found at the Pew Research Centre. But we will focus on three things for creating effective reporting surveys.
1. Allow anonymity. Probably the most important consideration for creating self-report surveys. Making reports anonymous has been shown to increase the honesty of a response. People are more likely to feel they can reveal true behaviors, and the reasons for them, if they won’t be held directly accountable. An honest evaluation of practices is the most effective way to enable planning and processes that can address behaviors.
2. Be specific. When asking about particular behaviors, be specific with time periods. Open options such as, “do you install updates on your computer”, allow room for interpretation. The respondent probably has done this at some point, but unlikely once a week or even in the last six months. So framing it with a time period focuses the answer to be more accurate. The question then becomes “In the last month did you install updates on your computer?” You might be more likely to get a no – but it’s honest!
3. Be concise. Avoid jargon. Avoid double-barrelled questions. Avoid long scenarios. Avoid…you get it. Keep it simple to keep respondents engaged.
What’s great about self-reporting is that it gives a quick temperature check or snapshot of the current situation within the organization. It also gives you a good baseline so you can start measuring behavior change over time. And that’s something we can work with.
Chapter 3: Proximate measures
Have you ever wanted to see the future? No crystal balls needed! Proximate measures show us behavioral intent in a person. It’s a measure of a person’s motivation or desire to perform a behavior, which is a predictor of future behavior. But it’s not a measure of actual behavior.
This is the first measure where we’re looking more at the why of the actions in the team. This measure provides insight into how to motivate people to follow through with improving habits and behaviors.
To support behavioral intent and transform it into actual behavior we need to support it with goal setting and planning. It helps people build better habits by aligning them to goals.
People tend to be motivated to do something by meeting a goal or gaining a reward. We could go all the way back to Pavlov (if you’ve ever had a dog, you’ll know what we mean). But bringing it back to humans and the modern day, there’s a lot of scientific evidence to back this up. Gollweitzer and Sheeran produced a great study which is worth a look. Or we could go back to the forefather of the theory of planned behavior and look at Ajzen work which has stimulated the research into human behaviors.
Chapter 4: Scenarios
Bringing risk factors to life in an interactive way engages people. It could be a detailed story, or a live simulation. People are asked to show how they would respond to different situations.
It can spice up otherwise mundane training. However, scenarios can be open to interpretation. Opt for simplicity and clarity in the setup.
Because scenarios are fictional, people are more likely to respond as they would in real life, rather than as they think they should. They should still reflect real life though. Creating a situation that wouldn’t happen in real life, no matter how entertaining, is pretty pointless. For greatest impact, why not create fictional identities for participants. It’s not just David Bowie who wants to be Ziggy Stardust sometimes.
When creating scenarios, making them relevant to your organization will increase engagement. Spend time getting the scenarios right. The results will take care of themselves.
There are over 70 specific security behaviors. How many are you measuring? Contact one of our team to find out more.
Chapter 5: Observational data
As you can probably guess, observation involves watching people in their natural environment. Think David Attenborough. To understand why people do things in a certain way, the best thing is to see them do it in their own space.
[voiceover] Piotr has received the phishing test email. He’s looking at it intently. Perhaps his distant Aunt Magda really does need help managing her wealth. He clicks. The trap is sprung.
Poor Piotr.
The person running the observation has two options. Be hands off, or be involved. Purely observing people in their own workplace can give a great view of true behavior. Alternatively, they might want to get hands on and talk to the people to get deeper insights.
Getting back to Sir David Attenborough, he has the most incredibly in-depth knowledge of the natural world he observes. To get the best insights from observation, the person doing the observing has to be highly trained. They need to know what they are looking at and looking for. It’s important to make accurate recordings of the information gathered. And also get a second opinion to make sure the observation isn’t biased.
Chapter 6: 360 feedback
As with performance reviews, 360 feedback relies on feedback about a person provided by those they work with. The more input you get, the more reliable the complete picture of a person’s visible security behaviors, such as locking the computer screen.
360 feedback isn’t about finger pointing. It should always be focused on observed actions, not guesswork or hearsay. And it should always be confidential. Observing behaviors works best in a physical workplace and in team environments.
What’s important is the way 360 feedback is designed. The focus here is how to design a process that is effective across a large number of people.
There are three elements in an effective 360-degree design process:
1. Relevant content. First, make sure content is fit for purpose. That means using specific, relevant questions. Second, make sure that cultural differences are taken into consideration.
2. Accountability. The person overseeing 360 feedback plays an important role in how people will answer. It can be useful to get a third party to facilitate collating feedback and making it anonymous. People are more likely to be open if the feedback can’t be attributed to them.
3. Census. Including everyone within the business lends itself to successful 360 feedback.
This paper – When does 360-degree feedback create behavior change? And how would we know when it does?– is an excellent resource.
Chapter 7: Measuring for future change
So that’s a whistle-stop tour of six ways to measure behavior. But, as mentioned at the beginning of this Ebook, the two most important factors in any measurement strategy are engagement and continual evaluation.
Continuous evaluation should never be an afterthought. Building it into the programme makes sure it can be used to understand actual changes in behavior.
Chapter 8: Evaluate and influence to stay secure
Businesses are taking security very seriously – it isn’t optional. The ones who really understand how to make people the strongest link will be the ones who are better protected. They will be the ones to win.
A single workshop or leaflet isn’t going to effect change. Evaluating and influencing behavior in your team brings measurable impact and change for your organization.
Measuring behavior is possible and there is a range of options for measurement available. It doesn’t need to be complicated. Simple can be just as effective, as long as it is tailored for your people and what they need.
Doing so will help your organization be all the more secure.
Chapter 9: Summary – six ways to measure behavior
Objective measures
Pros:
- Measures the way people complete tasks
- Emotion free
- Fact based
Cons:
- Technical considerations/costs
- Data management/privacy considerations
Additional reading:
Self-report
Pros:
- People give answers based on self reflection
- Easy to conduct
- Gives a good snapshot of the situation
Cons:
- People may answer as they feel they should
- People avoid extreme opinions
- Good survey design requires time and care
Proximate measures
Pros:
- Measures intent and motivation
- Useful for goal setting
- Focuses on positive habits
Cons:
- Not a measure of behavior
- Needs focus on ensuring follow through from intent to action
Scenarios
Pros:
- Engages people with active participation
- Anonymity through fictional setups
- Honest actions more likely
Cons:
- Scenarios are open to interpretation
- Time investment needed for best results
Observational data
Pros:
- Observation in the natural work environment
- Option to engage with participants for deeper insights
Cons:
- Training needed to understand what should be observed
- Only applicable to visible security practises
360 feedback
Pros:
- Wide range of feedback means higher reliability
- Confidential/anonymised answers call for openness and honesty
Cons:
- Difficult to implement in virtual working environments
- Good survey design requires time and care
There are over 70 specific security behaviors. How many are you measuring?
Contact one of our team to find out more.
Security awareness is dead (or dying)
Traditional security awareness training is a relic of the past. Learn how you can quantify human cyber risk and change security behaviors.
A new approach to simulated phishing
Anyone can be phished and simulated phishing is not enough to protect your people. Learn four steps to an effective Agile Phishing Strategy
Ebook: Ransomware is real
What you – and your people – do need to understand about ransomware (and any malware!) is how to spot it, and stop it. And importantly, not to be afraid of it. If you are ready to ditch the fear and find an approach that works, this Ransomware is boring eBook is what you need! Download today.