
People don’t trust cybersecurity. And we don’t blame them


19 April 2024

Rage against the mundane: People need help rebuilding their trust and confidence, and security awareness personalization holds the key

Cynicism towards cybersecurity advice and tools is high. And…so is the threat level. 

The gnarliest part? One feeds the other. And vice versa.

It’s a never-ending cycle, or so it seems.

But there is a way out. We can explain. And it starts in people’s minds.

“Frustrated and doubtful”

That’s how many people feel about cybersecurity. The “Oh Behave!” Annual Cybersecurity Attitudes and Behaviors Report 2023 revealed that, of its 6,000 participants worldwide:

    • 39 percent felt frustrated about online security.
    • 37 percent were intimidated by staying secure online.
    • 32 percent often felt overwhelmed by cybersecurity information.
    • 21 percent of Gen Z and 23 percent of Millennials were skeptical about the return on investment.

Fixing this is only the beginning. But unless we fix it, other efforts will only ever go so far.


So what works?

Research (like this paper) suggests that interventions are more effective when they account for individual differences.

This means ditching the “one-size-fits-all” approach and tailoring strategies to the specific needs and vulnerabilities of each unique human being.

It’s not easy. But it’s not as hard as you think, either. 

And it’s the best way to help people to protect themselves from cyber threats.

It starts with trust. And stopping the cyber-nag.

Nagging gets you nowhere

Wipe your feet! Say thank you! Wash your hands!

These are all reasonable things to do. So why is that rage and irritation rising? Is your inner rebellious teenager taking over your usually rational self?

Yep. That’s how your people feel when you nag them about cybersecurity.

    • “Always use strong passwords!” (This dictates without explaining why they’re important or offering alternatives.)
    • “Never open suspicious emails!” (This one creates fear without providing guidance on identifying such emails.)
    • “Clicking on that link could put the entire company at risk!” (This exaggerates the consequences and reinforces feelings of helplessness.)

That feeling you get when someone tells you what to do…especially about things you feel you control?

Psychological reactance. That’s its name. It’s hardwired into all of us. And…it’s a major cybersecurity roadblock. (Want a deeper dive? We like the way this blog post explains it.)

Think about the average security training session on offer. Dry lectures, endless dos and don’ts, and that suffocating feeling of being micromanaged. No wonder people tune out. 

And no wonder people don’t trust the interventions. They don’t change people’s risk.


Personalised interventions for Human Cyber Resilience


How do you rebuild trust and spark change?

Forget the tired lectures and finger-wagging. It’s time to ignite a spark in your people, a spark that turns them from passive listeners to active defenders. Here are some ideas to get you started:

1. Talking “why,” not “what”: Instead of barking orders, it pays to tap into what keeps people up at night. Do they worry about protecting their families? Boosting their careers? You can show people how cybersecurity connects to their personal goals, how safer habits can unlock those doors. Try to lose the security jargon—speak their language, their hopes, their dreams. 

2. Ditching the ego, embracing empathy: Showing your humanity is powerful. For instance, sharing your own real-life security snafus. People respond well when you acknowledge their concerns. Show them that you get it—you understand that technology can be frustrating, and that remembering passwords can be a pain. 

3. Helping to unleash the inner hero: No one wants to be a cog in the security machine. Help people see themselves as the protagonists, not the damsels in distress. 

4. Showing > telling: Where can you use simulations, practical exercises, hands-on demos? How can you give people a playground to experiment, to fail, to learn? Let them see good security practices in action, not just hear about them in theory.

But the ‘why’ and ‘how’ aren’t the same for everyone.

Remember when we said it’s important to think about each unique human being?

We meant it.

Security awareness personalization. It’s vital. Here’s what the Quirks report has to say about why:

    • People are used to it. As the report points out, they’re accustomed to personalized experiences in many aspects of their digital lives. From tailored movie recommendations to personalized shopping suggestions, we’ve all come to expect granular relevance. Why should people expect security awareness to be any different?
    • People don’t have time to hunt for what they need. In a world drowning in information, the report underscores a critical point—people don’t have the luxury of time to sift through masses of irrelevant data. Personalization is a filter. It means people get targeted, pertinent information that cuts through the noise.
    • People learn in different ways. The report underscores something known but often overlooked: Not all people respond to the same stimuli, and understanding these behavioral nuances is key. And that makes personalization a necessity, not a luxury.

There’s a lot more to this. Of course there is. Humans are complicated. Fascinating. Often underappreciated in cybersecurity. 

You might be wondering:

    • Which elements of security awareness interventions should I personalize?
    • How should I group people? 
    • What are the mechanisms of personalization?

Which is why it’s well worth taking a peep at the report for the full picture. But as well as that, you might find it helpful to check these resources out too:

    • CybSafe’s guide to security awareness personalization
    • Blog: Can fun personalization really change security behaviors?
    • Blog: The three big concepts behind cybersecurity personalization.

How CybSafe helps security teams avoid triggering people’s inner teenager (psychological reactance)

GUIDE: Tailoring, not dictating: CybSafe GUIDE personalizes security advice based on individual roles, responsibilities, and even risk profiles. This avoids the “being told what to do” feeling. Instead it empowers people to take ownership of their security behaviors.

PHISH: No dry drills or theoretical scenarios here. This is about learning by doing. CybSafe PHISH throws realistic simulated phishing attacks at people. It lets them experience the pressure and make choices in a safe environment. This hands-on approach builds their critical thinking and confidence in identifying real threats…without the frustration of receiving a dry lecture.

RESPOND: Mistakes happen, but CybSafe RESPOND focuses on learning and improvement, not finger-wagging. Reporting suspicious activity is a collaborative effort, not a fear-inducing chore. This positive reinforcement empowers people to actively participate in building a stronger security culture.

Alright, let’s wrap it up

In the high-stakes game of cybersecurity, all proven tactics deserve a seat at the table.

That means personalization and gamification deserve a seat at your table.

They push interventions beyond generic one-size-fits-all approaches, and help you craft experiences that resonate with people.

When you do that, good cybersecurity habits stick…like Velcro.

Download the full report for more about personalization interventions—like the 3 key factors that drive every action anyone takes, ever!
