Given that the majority of all successful cyber attacks involve some form of human error, we explore whether you can really scare people into better online security.
It’s often assumed you can change the way people behave using fear. In security, that means the fear of making a mistake or creating a security issue within the business. To see how the tactic is meant to work, relate it to something other than security: think of the tumours depicted in anti-smoking ads, or the car crashes that feature in campaigns against drink-driving. In the security realm, think of pictures of faceless cyber criminals in hoods, or tales of single clicks upending people’s lives.
The tactic seems simple: say something scary, change how people behave.
But does the tactic actually work? Can a big dose of fear really make people more vigilant in relation to security online?
What the experts say
In an effort to understand how fear impacts people’s online behaviours, we recently consulted human cyber security experts CybSafe, whose multi-award-winning software is currently revolutionising the human aspect of cyber security.
“The answer isn’t black and white,” CybSafe Head of Behaviour Science Dr. John Blythe initially said. “In a small number of cases, fear might change people’s behaviour. But in the overwhelming majority of cases, fear appeals are worse than useless.”
When you share a scary message, Dr. John explains, the majority of people actively avoid it. Particularly vulnerable people are especially likely to bury their heads in the sand. That might seem counter-intuitive at first. Why would vulnerable people ignore messages that could, when heeded, prevent a great deal of heartache?
It turns out there’s a very good reason.
Why fear isn’t as powerful as we think
Every day, the risk of catastrophe looms over all our lives. It’s omnipresent and it’s never going away. “We could ruminate on every impending catastrophe we face,” explains Dr. John. “Or we could decide not to worry too much until we absolutely must.”
Constantly worrying is detrimental to our mental wellbeing (picture waking up every day in a pit of despair). So, to keep us functioning, humans are blessed with what psychologists call an “optimism bias”. We accept catastrophes happen. But we find it difficult to accept that we might experience a catastrophe first hand.
“So when IT heads explain the horrifying consequences of cyber attacks, we pretty much just ignore them,” CybSafe CEO Oz Alashe notes. “We all already have a lot to do. And we’re going to get it all done before 5:30pm.”
What works instead?
Fortunately, just as scientific research reveals what to avoid in security training, it also reveals what to do instead.
“IT teams are better off empowering people,” advises Dr. John. “To change how people behave online, people must feel capable of preventing cyber attacks. And they must feel capable of preventing cyber attacks while getting their jobs done.”
According to CybSafe, empowered people become a formidable cyber defence. And CybSafe would know: their platform continuously measures human cyber risk to ensure its in-built security interventions actually work.
“We can’t scare people into preventing cyber attacks,” says Oz Alashe as a closing remark. That might be so – but perhaps it doesn’t matter.
Through empowering messages, people can still become a cyber defence.