Due to the many cyber attacks that have taken place in recent years, organisations and (local) governments are increasingly putting cybersecurity on the agenda as a problem that needs to be tackled. Cybersecurity was historically viewed as ‘merely an IT problem’ that can be solved through better programming and other technical solutions, but this viewpoint has changed as incidents caused by human error or by the exploitation of human weaknesses are increasingly taking place. This has led governments and organisations to turn an eye to the end-users: the people who use technology and who are, as some say, ‘the weakest link’ in cybersecurity.
If it is true that people are the weakest link, and IT solutions are not sufficient to prevent cyber threats such as ransomware attacks where files or whole systems are locked by criminals and only released after paying a hefty sum, then it seems reasonable to focus on these end-users to ‘fix’ cybersecurity problems. So, what can be done to reduce the likelihood of successful cyber attacks through the manipulation of end-users? When asking stakeholders such as policy makers, managers and other interested parties, their answer usually includes something along the lines of “awareness campaigns” and “hope”. Stakeholders often ‘hope’ that by running awareness campaigns, they will influence end-users’ behaviour. The reasoning behind awareness campaigns is that people are generally rational, and that if they misbehave, that is due to a lack of knowledge - or awareness - and that merely pointing out the risks of their behaviour will push them to perform more secure behaviour in the future.
Sadly, awareness campaigns are not very effective. And that is not surprising either. For example, everyone is aware that smoking is bad for you, that eating too much is unhealthy, and that texting while driving is dangerous, yet these behaviours still occur. The reason that awareness campaigns do not work is that the assumption that people are rational is not true, and therefore we cannot expect people to change their behaviour for the better after merely being presented with facts on possible risks. Of course, it is a noble, and useful, cause to improve awareness of cyber threats, and to create a security culture in which cybersecurity is not seen as merely an IT problem. However, relying on increasing awareness as a way to positively influence behaviour is not enough. We cannot stop there. To effectively battle cybersecurity threats, and reduce the risk for organisations and end-users of becoming victims of cybercrime, we need to focus on three things: more knowledge about cyber threats, providing people with the tools and capabilities to improve their cybersecurity-related behaviour, and offering the opportunity to integrate such behaviours into daily routines and (work) habits. Being aware of, or knowledgeable about, risks is a first step in this process. But even when an awareness campaign is expanded by incorporating the preferred behaviour instead of merely pointing out risks, people are unlikely to change their behaviour, as other factors play a role as well. For an effective improvement of cybersecurity behaviour, people need to know, and feel, that they are capable of performing the secure behaviours. Not only in a vacuum, but also in the often-hectic situations in which they find themselves during the day, where there are many distractions and goals are prioritised over means. It is in that space that people need to know the risks, know the solutions, and feel capable of performing the secure behaviour.
The only way to successfully change cybersecurity behaviours is by focusing on all three of these aspects and finding a way to seamlessly incorporate these behaviours into daily routines. Examples of these security behaviours are locking your computer screen when you leave your workspace, or thoroughly checking the origin of a digital message asking for your bank details. Only when security behaviours are included in daily routines, rather than seen as an add-on to habitual tasks, can cyber threats be battled effectively from the end-user’s perspective. These steps take more than awareness campaigns that can easily be shared across social media, billboards and radio commercials. They, inconveniently, demand an active, personal and intensive approach. Admittedly, this requires more effort, time and money than a simple awareness campaign, but only then can we ‘hope’ to improve cybersecure behaviours, and reduce the risk and impact of cyber threats.