
Achievement unlocked: How behavioral science transforms device security


8 November 2022

Why this security no-brainer gets pushback, and what you can do about it

Last time we looked at why dirty password habits are so persistent. This time we’re taking stock of locks—or a lack thereof. Be it PIN, pattern, or biometrics, a lock screen is a cybersecurity cornerstone.


It’s the most basic of security measures. And with remote and hybrid working environments, paired with people’s ever-growing collection of portable devices, it’s more important than ever.

Because if they’re not securing their devices, they’re opening themselves—and your organization—up to security risks like data theft and identity theft.

What are we up against?

Safe to say, not everyone is making the right choices with their devices. 

Take your colleague, Tony, for instance. He locks his house every morning before leaving for work. Locks his car when he heads for the office. And even locks his shed full of old lawnmowers.

But Tony doesn’t lock his smartphone.

It’s clear that Tony’s receptive to security messaging. He already has some good security habits, and he’ll adopt one more, with a little nudge in the right direction.

Tony’s behavior is concerning. But it’s just as concerning when people do lock their devices and then use simple PINs like 1-2-3-4 or their birth year.

And that’s because people just don’t think a cyberattack is something that would ever happen to them. But shoulder-surfing and smudge attacks are more common than most would like to believe.

The science part

A recent study looked at screen lock behaviors and perceptions, how long it took to create security information, and how memorable it was. The researchers also looked at how long it took to log in, how often login attempts were successful, and whether screen size made a difference to screen lock functions.

Here are a few thought-provoking insights:

- People spend an hour every month (about two minutes a day) unlocking their devices. On average, that’s only 2.9% of their overall screen time.
- Out of the nearly 3,500 situations the participants were asked to consider, shoulder-surfing was considered a potential risk in just 11 of them.
- Size matters: people found it quickest to use a pattern on a tablet, and a PIN on a phone.
- Patterns are better remembered than PINs. This is because it’s easier to remember an image than a string of numbers.
- 12 percent of people write down their password in order to remember it.
- 3 in 4 people choose difficult patterns (e.g. 8-1-6-4-3) over easy patterns (e.g. 1-2-3-6-5). 90 percent of people opted for a difficult PIN instead of an easy one.

Crucially, another recent study showed a short, informative video explaining the risks of unauthorized access to people who didn’t lock their devices. And it worked. Just this simple intervention changed their behaviors.

So, what does all of this mean for your security strategy?

- If 75 percent of people are choosing difficult patterns over easy ones, it means they’re willing to make some extra effort if it keeps data safe, and they just need some support, education and encouragement.
- A lot of people forget their logins. So, encourage biometrics and password managers.
- Don’t overlook simple interventions like raising awareness through a short video.

You can read more about how using lock screens links to security risks on SebDB.

Or, if we’ve got you thinking about influencing behaviors across the board, why not take a look at our whitepaper on behavior change.
