A number of studies have confirmed that people often find ways to work around organisational cybersecurity policies. This is usually not something they do on purpose; it is driven by habit. In other words, the behaviour is an effect of bad habituation.
Achieving individual objectives and taking the path of least resistance are the key drivers for many employees when approaching their work. For example, cybersecurity warnings exist to inform users of the risks of allowing potentially harmful applications to run on a particular computer. In practice, however, most users tend to ignore those warnings because they appear over and over again. This behaviour eventually becomes bad habituation.
Among other things, bad habituation is exploited by attackers who send out about 156 million phishing emails every day, with more than 80,000 people falling victim to them daily. As phishing emails become increasingly convincing, the number of these attacks rose by nearly 300% in 2018.
A few days ago the US Customs and Border Protection (CBP) announced that an unnamed subcontractor had transferred copies of licence-plate images and travellers’ photos from federal servers to its own company network, without CBP’s authorisation. The major concern is not just the breadth of the stolen data but also the number of people exposed by this unauthorised behaviour.
Another recent report warned that, despite the enormous media attention on the ‘WannaCry’ attack, which hit the NHS and many other UK organisations, more than half of UK workers do not know what ransomware is.
Have people forgotten how to think critically, or have they never been taught to do so? In fact, one of the problems is that many users ‘suffer’ from a form of ‘cyber autism’: they simply ignore warnings, periodic awareness campaigns and training sessions alike, and continue working out of firmly established unsafe habits.
Cultivating cybersecurity habituation
Habituation can be broadly described as a kind of learning that occurs when we become accustomed to a stimulus and stop reacting to it. Most would probably agree that our habits shape us throughout our lives. What we repeatedly do ultimately forms our long-term habits, also known as unconscious behaviour.
For example, we may be distracted by the noise of an old printer, but the longer we spend in the room, the more we tend to stop noticing it, even though the noise is still there. This is habituation: we tend to ignore a stimulus to which we have been exposed too many times.
The same behaviour shows up in the human errors that result in cybersecurity breaches: we do not pay attention to security warnings, or we simply ignore them. Indeed, many studies confirm that more cybersecurity incidents are caused by unintentional mistakes than by malicious acts, and these unintentional mistakes are the consequence of habitual behaviour that promotes an unconscious response.
Is changing habitual behaviour possible, then?
It is, but it is easier said than done, because changing a habit goes through the same process as forming one: repetition.
New situations create new behaviour that is at first guided by conscious intention, but with continued repetition that behaviour becomes ‘written’ into the subconscious mind. The practical significance lies in the oft-cited estimate that 95% of our behaviour is driven by the subconscious. Hence it is important to address both subconscious habitual behaviour and the remaining 5% governed by the conscious mind.
However, changing behaviour requires more than providing information about risks and how to react to them. Firstly, people must be able to understand and apply the advice; secondly, they must be motivated and willing to do so, and the latter requires changes to attitudes and intentions.
In that regard, the key factor in raising awareness and changing people’s behaviour is motivation. If we want people to behave in a certain way, we need to motivate them. In other words, we have to understand why employees do what they do, identify the behavioural drivers, and then select the most suitable method of persuasion for changing their behaviour.
Also, not all the security warnings we see on our screens are genuine. There are still plenty of false alarms, and in many users they cause ‘cybersecurity fatigue’. It manifests itself in much the same way as what psychologists call ‘decision fatigue’ or ‘ego depletion’: it drains our mental energy, making us less resistant to real dangers and luring us into acting without real consideration of the consequences. The practical corollary for those who configure security tooling is to tune out the noise, so that the warnings that remain are rare, accurate and actionable.
Under fatigue we tend to make ‘escape’ decisions, which often result in dangerous habitual behaviour. Building appropriate personal cybersecurity ‘hygiene’, awareness and culture is a good answer to the threat of cybersecurity fatigue.
Cultivating good habituation ultimately means safer organisations, at least as far as the weakest cybersecurity link, the human factor, is concerned. This should be a guiding principle for those who design cybersecurity awareness and training programmes.
Bearing all the above in mind, we at VM Advisory reaffirm that cybersecurity increasingly requires both a multidisciplinary and a multi-stakeholder approach. Relying solely on technology will not make us safer in cyberspace.