Security awareness personalization:
The essential guide.
The personalization paradox
Think about it. Your phone’s assistant greets you like a long-lost friend. Your grocery app knows you’re nearly out of toothpaste before you do. And your streaming service curates a personalized movie night experience in microseconds.
This seamless integration of personalization has become so ingrained in our lives that we often take it for granted. But it’s subtle influence on our experiences is undeniable.
Even if we don’t think about it, personalization is everywhere.
Or, to put it another way: Personalization is everywhere. Which is precisely why we’ve stopped seeing it. That’s the paradox.
Yet personalization makes a huge difference to us in everyday life.
Top tech: Masters of personalization
Personalization is part of what made some tech giants…well, giant.
Netflix harnesses user data, machine learning, and complex algorithms to craft a hyper-tailored viewing experience.
Spotify delivers tailored playback features, personalized artist and genre discovery, and exclusive content recommendations.
And it’s not confined to our leisure activities. B2B solutions like SAP’s S/4HANA Cloud can be tailored to the individual user, based on their role and preferences. This means users’ tasks are optimized and the right data is on hand to make stronger decisions.
It’s clever stuff. More importantly it’s mightily impactful. So riddle us this:
Why are so many cybersecurity awareness interventions strategies still treating everyone the same? And what can you gain by getting personal in cybersecurity?
We were so serious about this that we carried out a study on personalization in cybersecurity. It measured the effectiveness of three behavior change techniques (BCTs) on participants’ password-saving behavior and password hygiene. And then we wrote all about it. It’s called Cyber Security Quirks.
Personalised interventions
for Human Cyber Resilience
Not the right time to dive into the details right now? Fret not, because we’ve got the highlights reel, the headlines, the key takeaways right here.
“Tons of random data for me, please!” … said no one ever
There is SO MUCH content these days. The only content that has a hope of standing out is the content that is personalized.
It’s not brutal if it’s true. Personalization gets attention and makes an impression.
To reduce human cyber risk we need to change behavior and educate people. Which means they need to be paying attention in the first place.
Personal security awareness training can build confidence and repair people’s broken trust
Sadly many people aren’t starting from a neutral place with cybersecurity. Many have disengaged due to poor quality interventions, or have lost confidence due to media scaremongering.
It’s a big problem. You can read more about it here.
Right, let’s hit the brain-fizzing stats, shall we?
The science of personal security awareness:
What does the Quirks report reveal?
A lot of fascinating stuff. And spoiler: Personalization can make a biiiiig difference to people’s security behaviors.
We can’t cover it all here, so let’s zoom in on password practices as an example. The Quirks findings strongly highlight a link between personalized security awareness interventions and strengthened password practices.
Specifically:
-
- A whopping 87% of participants said they saved their passwords in their browsers at the start. Of the 47 who didn’t, a surprisingly high 25% started doing so after the intervention.
- The most password changes happened when people could practice and plan for crafting stronger passwords.
- Participants’ password hygiene score significantly improved when all three of the study’s intervention components were present.
Eye-opening, no? But you might be asking what are the three behavioral change components we used in the study? Let’s meet them.
Three behavioral change techniques (BCTs) form the backbone of effective personalization
What is a BCT?
A BCT is an ‘active ingredient’ of a behavior change intervention. In other words, they’re the specific components that are responsible for causing the desired change in behavior.
They can influence people to take positive security actions, like crafting robust passwords, being vigilant of phishing scams, and promptly reporting any suspicious activities they spot.
Big three BCTs you need in your strategy
We studied 3 components of personalization that change behavior, and you absolutely need to know about them and use them:
Risk message (RM)
RMs communicate the potential negative consequences of not taking a particular action. They can be effective in increasing awareness of risks and motivating people to change their behavior.
Behavioral practice (BP)
BPs provide opportunities for people to practice the desired behavior in a safe environment. This can help to build skills and confidence, making it more likely that people will adopt the behavior in the real world.
Action planning (AP)
APs help people to break down the desired behavior into smaller, more manageable steps. They also encourage people to identify and overcome potential barriers to change.
This power trio—when used together—creates a potent, effective approach to personalizing behavior change interventions.
You can read our blog post on how they do it, and how they can best be used, right here:
Pro personal security awareness tips for taking it from generic to genius in your org
What should you include in your personal security awareness training?
No two orgs are the same. So starts by asking yourself the right questions, such as:
-
- What attacks are you trying to protect against?
- What vulnerabilities are you trying to fix?
- What numbers will show if you’re doing well?
- What signs will show that your program’s working?
3 ways to win at personal security awareness training
Data-driven: Want to understand people’s behaviors and preferences? Then make the most of your data! Analyze historical incidents, training completion rates, and support tickets to tailor interventions based on specific needs.
Tool tip: This is why we built CybSafe GUIDE to analyze behavior and engagement. It means it’s easy to identify “high-risk” people, or those who may need additional training.
Data-driven: Want to understand people’s behaviors and preferences? Then make the most of your data! Analyze historical incidents, training completion rates, and support tickets to tailor interventions based on specific needs.
Tool tip: It’s no accident that CybSafe PHISH can segment people based on their roles and send them targeted simulations and content tailored to their specific job functions.
Data-driven: Want to understand people’s behaviors and preferences? Then make the most of your data! Analyze historical incidents, training completion rates, and support tickets to tailor interventions based on specific needs.
Tool tip: CybSafe RESPOND can help develop profiles of people’s individual risk tolerance, communication styles, and decision-making processes to tailor interventions accordingly.
Personalization “gimmicks” or gold?
But wait, if engagement and change is the goal, what about the fun stuff? Like gamification, escape rooms and ‘rate my password’ features?
Are they gimmicks, or can they help in your personal security awareness training efforts?
They’re good questions. We evaluate in this blog:
Let’s recap
Personal security awareness tailors content to each individual’s role, responsibilities, and risk profile, ensuring that the information resonates and sticks.
This customized approach fosters engagement, piques interest, and ultimately drives behavioral change in a way that one-size-fits-all approaches just can’t
Ready for even more insight? Download the full Cyber Security Quirks report, which reveals:
- The mystery behind the adoption (or lack thereof) of two-factor authentication (2FA) after targeted interventions – did users embrace the extra layer?
- Why trust issues and perceived ‘hassle’ were stumbling blocks for 2FA adoption.
- How behavioral practice played a pivotal role in reshaping users’ primary email account passwords—uncover the surprising impact!
Personalised interventions
for Human Cyber Resilience
