Rage against the mundane: People need help rebuilding their trust and confidence, and security awareness personalization holds the key
Cynicism towards cybersecurity advice and tools is high. And…so is the threat level.
The gnarliest part? One feeds the other. And vice versa.
It’s a never-ending cycle, or so it seems.
But there is a way out. We can explain. And it starts in people’s minds.
“Frustrated and doubtful”
That’s how many people feel about cybersecurity. The “Oh Behave!” Annual Cybersecurity Attitudes and Behaviors Report 2023 revealed that, of its 6,000 worldwide participants:
- 39 percent felt frustrated about online security.
- 37 percent were intimidated by staying secure online.
- 32 percent often felt overwhelmed by cybersecurity information.
- 21 percent of Gen Z and 23 percent of Millennials are skeptical about the return on investment.
Fixing this is only the beginning. But unless we fix it, other efforts will only ever go so far.
So what works?
Research (like this paper) suggests that interventions are more effective when they account for individual differences.
This means ditching the “one-size-fits-all” approach and tailoring strategies to the specific needs and vulnerabilities of each unique human being.
It’s not easy. But it’s not as hard as you think, either.
And it’s the best way to help people to protect themselves from cyber threats.
It starts with trust. And stopping the cyber-nag.
Nagging gets you nowhere
Wipe your feet! Say thank you! Wash your hands!
These are all reasonable things to do. So why is that rage and irritation rising? Is your inner rebellious teenager taking over your usually rational self?
Yep. That’s how your people feel when you nag them about cybersecurity.
- “Always use strong passwords!” (This dictates without explaining why they’re important or offering alternatives.)
- “Never open suspicious emails!” (This one creates fear without providing guidance on identifying such emails.)
- “Clicking on that link could put the entire company at risk!” (This exaggerates the consequences and reinforces feelings of helplessness.)
That feeling you get when someone tells you what to do…especially about things you feel you control?
Psychological reactance. That’s its name. It’s hardwired into all of us. And…it’s a major cybersecurity roadblock. (Want a deeper dive? We like the way this blog post explains it.)
Think about the average security training session on offer. Dry lectures, endless dos and don’ts, and that suffocating feeling of being micromanaged. No wonder people tune out.
And no wonder people don’t trust the interventions. They don’t change people’s risk.
Personalised interventions for Human Cyber Resilience
How do you rebuild trust and spark change?
Forget the tired lectures and finger-wagging. It’s time to ignite a spark in your people, a spark that turns them from passive listeners to active defenders. Here are some ideas to get you started:
1. Talking “why,” not “what”: Instead of barking orders, it pays to tap into what keeps people up at night. Do they worry about protecting their families? Boosting their careers? You can show people how cybersecurity connects to their personal goals, how safer habits can unlock those doors. Try to lose the security jargon—speak their language, their hopes, their dreams.
2. Ditching the ego, embracing empathy: Showing your humanity is powerful. For instance, sharing your own real-life security snafus. People respond well when you acknowledge their concerns. Show them that you get it—you understand that technology can be frustrating, and that remembering passwords can be a pain.
3. Helping to unleash the inner hero: No one wants to be a cog in the security machine. Help people see themselves as the protagonists, not the damsels in distress.
4. Showing > telling: Where can you use simulations, practical exercises, hands-on demos? How can you give people a playground to experiment, to fail, to learn? Let them see good security practices in action, not just hear about them in theory.
But the ‘why’ and ‘how’ aren’t the same for everyone.
Remember when we said it’s important to think about each unique human being?
We meant it.
Security awareness personalization. It’s vital. Here’s what the Quirks report has to say about why:
- People are used to it. As the report points out, they’re accustomed to personalized experiences in many aspects of their digital lives. From tailored movie recommendations to personalized shopping suggestions, we’ve all come to expect granular relevance. Why should people expect security awareness to be any different?
- People don’t have time to hunt for what they need. In a world drowning in information, the report underscores a critical point—people don’t have the luxury of time to sift through masses of irrelevant data. Personalization is a filter. It means people get targeted, pertinent information that cuts through the noise.
- People learn in different ways. The report underscores something known but often overlooked: Not all people respond to the same stimuli, and understanding these behavioral nuances is key. And that makes personalization a necessity, not a luxury.
There’s a lot more to this. Of course there is. Humans are complicated. Fascinating. Often underappreciated in cybersecurity.
You might be wondering:
- Which elements of security awareness interventions should I personalize?
- How should I group people?
- What are the mechanisms of personalization?
Which is why it’s well worth taking a peep at the report for the full picture. But as well as that, you might find it helpful to check these resources out too:
CybSafe’s guide to security awareness personalization
Blog: Can fun personalization really change security behaviors?
Blog: The three big concepts behind cybersecurity personalization.
How CybSafe helps security teams avoid triggering people’s inner teenager (psychological reactance)
PHISH: No dry drills or theoretical scenarios here. This is about learning by doing. CybSafe PHISH throws realistic simulated phishing attacks at people. It lets them experience the pressure and make choices in a safe environment. This hands-on approach builds their critical thinking and confidence in identifying real threats…without the frustration of receiving a dry lecture.
Alright, let’s wrap it up
In the high-stakes game of cybersecurity, all proven tactics deserve a seat at the table.
That means personalization and gamification deserve a seat at your table.
They push interventions beyond generic one-size-fits-all approaches, and help you craft experiences that resonate with people.
When you do that, good cybersecurity habits stick…like Velcro.
Download the full report for more about personalization interventions—like the 3 key factors that drive every action anyone takes, ever!