Like precocious teenagers, some employees don't want to be told what to do when it comes to cyber security. Too many rules about what they can and cannot do with technology can lead to bad decisions that inadvertently put company data at risk. Instead, a more subtle approach is required to help them make better decisions on their own.
But changing employees' behavior is no easy task. People have an innate need to socialize and share information, says Alessandro Acquisti, professor of IT and public policy at Carnegie Mellon University, and a member of Carnegie Mellon CyLab.
In studies, self-disclosure was found to trigger neural mechanisms in the brain that are associated with reward, showing that people highly value the ability to share thoughts and feelings with others. In one experiment, subjects were even willing to pass up money for the chance to disclose information about themselves.
"The problem is that modern technology has increased our ability to disclose information to such a degree that we no longer realize how much we're giving and to how many people," Acquisti says.
Awareness training for employees does help, according to Aberdeen Group. Changing employee behavior reduces the risk of a security breach by 45% to 70%. What's more, it can be accomplished with less foot-dragging than security leaders might think -- if they pull the right behavioral strings.
Here are five sneaky ways employers and researchers are leveraging positive and equally powerful human behaviors to guide employees toward better security decisions.
1. The Hero
Insurance provider XL Group was looking for a way to grab employees' attention so that they could pass on valuable security information -- not only to protect corporate data, but personal information, as well.
The company wanted everyone to work toward a common goal, and it wanted to appeal to their sense of compassion. So it asked employees to accept a challenge -- watch an educational security video, and for every view of the video the company would donate a dollar to Doctors Without Borders, an international medical humanitarian organization that provides aid in nearly 70 countries.
The company created seven educational videos around protecting the company, its data, mobile devices and personal data, with topics on spear phishing, phone phishing, botnets and social media threats. The short videos were delivered monthly through emails and blogs.
"The goal was to have the videos watched by XL colleagues 10,000 times, raising $10,000 for Doctors Without Borders," says Thomas Dunbar, chief information risk officer. The campaign easily exceeded its goal and Dunbar's team presented a check to the charity in December.
Equally important to the company, the campaign engaged 4,500 XL Group employees worldwide in protecting their corporate and personal information.