The personalization power trio: How RM, BP, and AP transform security behaviors
You already know this much.
Who we are affects how we take in information and learn new skills.
Of course it does. That’s hardly revolutionary, right?
And (shocker) when interventions align with who we are as individuals, we’re more likely to take them on board. In other words, personal interventions are more effective.
It’s a whole thing. Head to our essential guide to get up to speed:
But here’s the problem: Surprisingly few of us understand the mechanisms behind this. Or how to use them in cybersecurity.
This blog takes a look at 3 big behavioral change techniques (BCTs) that you need to know about:
-
- Risk message (RM)
- Behavioral practice (BP)
- Action planning (AP)
Why do they work? And how exactly do they help make a big impact on people’s security awareness and skills?
And…what does a vintage planning hack have to do with it?
Why should I care about BCTs?
We get it. Do you really need more acronyms floating around in the alphabet soup of your brain?
Yes (#sorrynotsorry). As part of our 2023 Cyber Security Quirks study we put three BCTs under the microscope.
We assessed if and how RM, BP and AP impacted people’s security behaviors.
And the results were eye-opening! Take these nuggets for instance:
-
- The presence of all three techniques significantly boosted participants’ objective password hygiene scores.
- An impressive 44% of those exposed to behavioral practice and action planning changed their primary email account passwords after the intervention, highlighting a positive shift in password management practices.
- Across the board, participants exposed to one or more BCT exhibited improved password hygiene scores, indicating stronger and longer passwords. The combo of all three BCTs proved most effective.
That’s why you should care.
When personalized interventions incorporate RM, BP, and AP the result is improvements in people’s cybersecurity behaviors.
RM x BP x AP = where the magic happens.
The three big behavior change techniques for personal security awareness
Enough preamble. We’re about to dig into what the big three BCTs are, how they work, and what makes them so useful.
Risk message (RM)
No prizes for guessing that risk message is all about…yep, delivering messages about risks.
Specifically, we’re talking about personalized messages about potential cyber risks.
Risk messages tell people about specific threats they might face online, emphasizing the importance of vigilance.
This technique aims to raise awareness and provide insights into the individual’s unique risk landscape, enabling them to make informed decisions about their actions.
By shaping a message to individual contexts, RMs serve as a crucial tool for bolstering online safety consciousness.
Behavioral practice (BP)
Behavioral practice involves guided exercises to enhance practical cybersecurity skills.
It’s about translating theoretical knowledge into actionable behaviors, which encourages people to actively engage in secure practices.
BP focuses on turning knowledge into routine habits. Over time it improves someone’s ability to implement secure practices in real-world scenarios. Practice makes progress.
Behavioral practice offers a hands-on approach to cybersecurity, enabling people to develop practical skills in a controlled environment, before it matters.
This technique reinforces better security behaviors. It’s the training dojo where theoretical knowledge becomes actionable habits. And that can make all the difference in defense.
Right, let’s hit the brain-fizzing stats, shall we?
How CybSafe does it
Speaking of practical skills, CybSafe GUIDE and PHISH both provide hands-on exercises tailored to individual cybersecurity needs. So whether it’s identifying phishing attempts or beefing up passwords, CybSafe helps people to actively engage in building and applying their cybersecurity skills.
Action Planning (AP)
Action planning is a structured approach to cybersecurity goal-setting.
It helps individuals plan and implement specific security measures, breaking down the overall security strategy into manageable steps.
AP is about converting intentions into actions. By setting clear goals and providing a roadmap for implementation, it supports individuals in taking proactive steps to enhance their cybersecurity.
Action planning provides a structured framework for individuals to set clear cybersecurity goals and implement proactive security measures. By offering a step-by-step approach, AP gives better goal clarity, making it easier for people to integrate cybersecurity practices into their daily routines.
Vintage tip: It’s an oldie but a goodie! Assuming you haven’t just woken up from a forty-year cryosleep you will have heard about SMART goalsetting. Chances are you’ve used it too. SMART stands for specific, measurable, achievable, relevant, and time-bound.
The concept’s been around forever (alright, 1981) because it really works.
So, don’t forget to keep it in mind when crafting any action-planning opportunities.
Tomato. Mozzarella. Basil. These components work beautifully together, and so does this trio of BCTs. They form a comprehensive and personalized approach to cybersecurity. And they can address both awareness and hands-on skill development.
That’s the what and the why. What about the how?
Personalization sweet spots
By now, you might be wondering which specific factors in cybersecurity strategies are worth personalizing?
Based on the Cyber Security Quirks report’s insights, here are a few places to focus your personalization efforts:
Tailor interventions to guide individuals on creating strong and secure passwords. Emphasize techniques like using three random words for password generation.
Address misconceptions and concerns related to two-factor authentication (2FA). Offer clear explanations of how 2FA functions, and encourage people to try it out on a few accounts initially.
Clarify the benefits and address misconceptions surrounding password management strategies, such as browser-saving or password manager applications. Encourage gradual changes and provide information on the security of these strategies.
Influence false beliefs by explaining ‘why’ and ‘how’ specific cybersecurity advice is the most secure option. Provide information that helps individuals understand the rationale behind cybersecurity recommendations.
Getting started: A checklist for your organization
Raring to go with your organization’s cybersecurity awareness personalization? Hold your horses! Implementing ALL the personalization, all the time, everywhere is not it.
Burnout and overwhelm is not the way. This is all about playing the long game.
Some personalization is better than no personalisation. So start small by personalizing across one or two factors. Here are some factors to consider:
-
- Socio-demographic factors like age, gender, and culture.
- Education-dependent factors like learning styles and literacy levels.
- Personality type, for instance the Big Five traits.
- Risk-relevant factors like job roles and expertise, industry-specific risks, and work location.
- Interests and preferences, for instance personalized paths, device types and locations, and hobbies and interests.
How CybSafe does it
CybSafe RESPOND provides actionable insights, allowing organizations to tailor their response plans based on real-time data and user behaviors.
There’s a lot more personalization gold in the full Cyber Security Quirks report, by the way. Not only will you want to read it, but you’ll want to share it with the team.
Personalised interventions
for Human Cyber Resilience
Oh, and if you’re curious about how CybSafe’s products make security awareness personalization easier, you can book a demo (personalized—obvs 😉).
