Behaviour change and cyber-security

Post on 14-Apr-2017


TRANSCRIPT

Stream Two (People: The Strongest Link)

#CYBERUK17

Behaviour Change, Cyber-Security and lessons from other domains. Professor Adam Joinson, University of Bath

Lesson 1: Identify a behaviour to change

• Fifteen campaigns analysed

• Majority awareness raising: the nature of cyber security; raising fear of consequences

• One presented evidence of effectiveness

• Only one seemed to be based on behaviour change principles

Behaviours targeted by the campaigns:

• Password management
• Up-to-date anti-virus / OS
• Logout / shutdown
• Trusted / secure connections and sites
• Stay informed
• Minimize personal identity
• Be aware of physical surroundings
• Reporting

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/309652/14-835-cyber-security-behavioural-insights.pdf

The ‘who and what?’ of security behaviour

“…the styles, approaches and values that the organisation wishes to adopt towards security. It can range from whether employees adhere to a clear desk policy to whether they share sensitive information on social networking sites.”

http://www.cpni.gov.uk/Documents/Publications/2016/03.08.2016%20SeCuRE%20Tool.pdf


COM-B system for analysing behaviour in context (Michie et al., 2011)

Michie et al., 2011

Lesson 2: Know what success (and failure) looks like

Intervention mapping: Define ‘Cyber’ → Take training → Measure compliance

Lesson 3: Look to understand the causes of the behaviour


The Behaviour Change Wheel: hub

Michie et al., 2011

Common terms for methods for inducing behaviour change

Capability: Educate, Train, Help

Motivation: Expose to, Inform, Discuss, Suggest, Encourage, Incentivise, Ask, Order, Plead, Coerce, Force

Opportunity: Provide, Prompt, Constrain

Michie et al., 2011

Self-monitoring in cycling

Piwek, L., Joinson, A., & Morvan, J. (2015). The use of self-monitoring solutions amongst cyclists: An online survey and empirical study. Transportation Research Part A: Policy and Practice, 77, 126-136.

Is self-monitoring mainly relevant for performance-oriented cyclists?

Study design (figure): 13 non-trackers and 12 trackers followed for 5 weeks, with an initial survey and a debriefing interview. Instruments: pedometer only; pedometer + calendar; + cycling computer; experience sampling calendar.

Outcome measures (figure): total number of days cycled to campus in 5 weeks; total distance cycled across 5 weeks (km). Groups compared: non-trackers; trackers with high engagement with self-monitoring; trackers with low engagement with self-monitoring.

Self-monitoring is mainly relevant for performance-oriented cyclists

Spear Phishing Simulations

• Working with organisations in the CNI (gov, defence industry, finance)

• Studying their results from internal spear phishing exercises

• >120,000 spear phish emails sent to staff

• Coded by researchers on influence technique

• Some individual data also collected

• In one case, clicking led to survey

Common phishing techniques

• Exploit social norms and decision-making processes

Sense of Urgency: use of deadlines; time pressure; can be negative or positive

Invoking Emotions: excitement, desire, hope or curiosity; fear, panic or anxiety; anger

Social Influence Processes: authority; liking & similarity; reciprocity; conformity

Decision Biases: truth bias; confirmation bias; expectations

Legitimacy Cues: mimic trusted entities; exploit authenticity cues

• Click rates vary hugely
• Average ~15% in largest data set (63,000)
• Authority, Urgency, Curiosity worked best
• Few demographic differences, but subsets of vulnerable users
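The analysis the talk describes (simulation emails hand-coded by influence technique, click rates compared per technique, and a search for the small subset of repeatedly vulnerable users) is easy to run over a mail platform's own simulation export. The script below is an added example, not code from the talk or the study; the records, campaign names, technique codes and recipient IDs are constructed for illustration, and the coding scheme is assumed to allow one email to carry several techniques at once.

```python
"""Aggregate internal spear-phishing simulation results by influence technique.

Added example (not from the talk). Assumes each simulated email has been
hand-coded with the influence techniques it uses, and that the mail platform
records, per recipient, whether the link was clicked. All data below is
constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    campaign: str
    recipient: str
    techniques: tuple  # coded influence techniques, e.g. ("authority", "urgency")
    clicked: bool


# Constructed campaigns: name -> techniques coded for that email template.
CAMPAIGNS = {
    "c1-overdue-invoice": ("authority", "urgency"),
    "c2-parcel-tracking": ("curiosity",),
    "c3-thank-you-gift": ("reciprocity",),
    "c4-it-password-reset": ("authority",),
}

# Constructed click log: campaign -> recipients who clicked.
CLICKS = {
    "c1-overdue-invoice": {"u1", "u2", "u5"},
    "c2-parcel-tracking": {"u1"},
    "c3-thank-you-gift": set(),
    "c4-it-password-reset": {"u1", "u2"},
}

RECIPIENTS = ["u1", "u2", "u3", "u4", "u5", "u6"]  # constructed staff IDs


def build_results():
    """Expand the constructed campaign/click tables into one record per email sent."""
    return [
        SimResult(campaign, user, techniques, user in CLICKS[campaign])
        for campaign, techniques in CAMPAIGNS.items()
        for user in RECIPIENTS
    ]


def overall_click_rate(results):
    """Fraction of all sent emails whose link was clicked."""
    return sum(r.clicked for r in results) / len(results)


def click_rate_by_technique(results):
    """Click rate per coded technique.

    An email coded with two techniques counts once under each, so the per-technique
    rates overlap and should be read as descriptive, not as independent effects.
    """
    sent, clicked = Counter(), Counter()
    for r in results:
        for technique in r.techniques:
            sent[technique] += 1
            if r.clicked:
                clicked[technique] += 1
    return {t: clicked[t] / sent[t] for t in sent}


def rank_techniques(results):
    """(technique, sent, clicked, rate) tuples, most effective technique first."""
    sent, clicked = Counter(), Counter()
    for r in results:
        for technique in r.techniques:
            sent[technique] += 1
            clicked[technique] += r.clicked
    rows = [(t, sent[t], clicked[t], clicked[t] / sent[t]) for t in sent]
    return sorted(rows, key=lambda row: (-row[3], row[0]))


def repeat_clickers(results, min_campaigns=2):
    """Recipients who clicked in at least `min_campaigns` distinct campaigns.

    This is the 'subset of vulnerable users' view: one click is noise, repeated
    clicks across unrelated lures are the signal worth a targeted intervention.
    """
    campaigns_by_user = defaultdict(set)
    for r in results:
        if r.clicked:
            campaigns_by_user[r.recipient].add(r.campaign)
    return sorted(u for u, c in campaigns_by_user.items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    results = build_results()
    print(f"overall click rate: {overall_click_rate(results):.1%}")
    for technique, sent, clicked, rate in rank_techniques(results):
        print(f"{technique:<12} sent={sent:>3} clicked={clicked:>3} rate={rate:.1%}")
    print("repeat clickers:", repeat_clickers(results))
```

The per-technique numbers only mean something once each technique has been sent to a large enough group; with real exports, filter out techniques below a minimum sent count before ranking, and treat the repeat-clicker list as a prompt for a conversation or a changed workflow rather than a blame list, which is the point the focus-group quotes below make.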

Follow-up focus groups

Example: The role of familiarity and expectations

• “it’s a company she deals with, we’ve currently got problems with accounts payable… and actually why would she not believe that it was true.”

• “when I first came here, I was, because I wasn’t familiar with what the companies were that were going to email me necessarily I was just sort of clicking on anything… but it was just because I wasn’t familiar with the companies that we were dealing with”.

• “I mean there are some places, you do get, you get some emails from America and they write in a different way and it does make it difficult sometimes to sort of spot the difference”.

Williams, Hinds & Joinson (under review) ‘Employee susceptibility to phishing’

E-A-S-T framework

Joinson, A., & Piwek, L. (2016). Technology and the formation of socially positive behaviours. Beyond Behaviour Change: Key Issues, Interdisciplinary Approaches and Future Directions, 157.

Lesson 4: Accept complexity and difficulty

System map (figure): clusters labelled Societal Influences; Individual Psychology; Individual Activity; Activity Environment; Food production industry; Consumption and practices; Biological Factors.

Type of trigger

Lesson 5: Work with the flow, not against it

Kairos: the moment

• The opportune moment to aim an intervention towards users.
• B.J. Fogg: Persuasive Technology, p.41

Make it easier to do the right thing

Lesson 6: Evaluate, repeat

Thanks

a.joinson@bath.ac.uk or @joinson, www.joinson.com
