An effective approach to addressing human security vulnerability in an organisation
Abstract
The current security awareness framework is far from effective, with little measured impact or enjoyment from its participants. Instead, the science of behaviour change provides a solid framework for security practitioners to consider when looking to create security awareness programmes that have a measurable impact on the underlying security posture of an organisation and its employees. The model of behaviour change suggests that for someone to change a behaviour, three essential ingredients need to coexist: motivation, ability and triggers. First, practitioners must select and prioritise the most critical security behaviours to focus on. To create desired change in those behaviours, practitioners can make a behaviour easier to do (increase ability) or drive up motivation around the targeted behaviour (increase motivation). Ability can be improved through technology or educational means. Motivation can be harnessed on an individual and organisational level and should be leveraged when the task at hand is difficult to do. With these tools in hand, it is possible to create effective campaigns with measurable impact to address the top issues in human security, such as reducing phishing and increasing reporting rates.
The full article is available to subscribers to the journal.
Author's Biography
Masha Sedova is an industry-recognised people-security expert, speaker and trainer focused on engaging people to be key elements of secure organisations. She is the co-founder of Elevate Security, delivering the first human-centric security platform that leverages behavioural science to transform employees into security super-humans. Before Elevate, Masha Sedova was a security executive at Salesforce, where she built and led the security engagement team focused on improving the security mindset of employees, partners and customers. In addition, she has been a member of the board of directors for the National Cyber Security Alliance and a regular presenter at conferences such as Black Hat, RSA, ISSA, Enigma and SANS.