To reduce people-related security risk, you need to overcome two psychological obstacles. In this article, you will learn three ways to overcome them.
I have a confession to make. I have clicked suspicious links on my employer's laptop. I know it is risky, but something made me click. And I feel bad.
But the feeling soon passes...

It won't happen to me.
Tali Sharot, a professor of cognitive neuroscience, wrote the book The Optimism Bias, in which she explores our tendency to take an optimistic view of risk. According to her, optimism bias makes you believe that your chances of experiencing a negative event are lower than other people's.
Optimism bias is everywhere. It is the main reason why your employees do not worry much when they click suspicious links.
Rules are for others.
You are familiar with this behaviour. Some people want to be rebels and some are arrogant. But what is behind it?
Reactance is an unpleasant motivational arousal (a reaction) to rules or regulations. Psychologically, it is rooted in our fear of losing behavioural freedom.
Some individuals are higher in reactance than others. Management, in particular, often shows high reactance.
How to deal with optimism bias and reactance in risk management?
Best Practices to Manage People Risk in Security
1. Steal People's Attention with Facts
In order to counter optimism bias, you need to do two things:
Remind of real incidents from the past similar to the employee's everyday work
Explain the potential damage in a way people understand
You can remind people about security risks, but you need to do it carefully, and the content needs to be close to their own work.
Email reminders are a great tool for recaps, because you can approach different employees with different content.
If you use examples close to people's work, you can make security interesting. Much more interesting than a yearly reminder about strong passwords.
2. Focus on Management and Change Agents
Management is the key in the fight against reactance.
Employees copy their behaviour from their colleagues, but they also listen carefully to what management wants. If management places itself above the rules, employees copy that behaviour.
OK, you might irritate your management. Don't worry about it. You are right. And show them no mercy...
Every organisation has influential people who are not part of management.
In change management, these people are called change agents. You need to consider change agents carefully when you create a security awareness program. Persuade them to change their behaviour, and your total people risk starts to decrease rapidly.
3. Help Your People to Manage the Risk Themselves
Resistance to using strong passwords, password managers and multi-factor authentication is strong.
However, once users have learned the new method, they feel safe. Invest a little in microlearning and coaching, and it will quickly pay for itself in lower security risk.
Mixing personal and work use on corporate laptops and phones is one of the most common risks in any organisation.
Support your personnel financially with their personal devices, because it gives you a stronger argument for stricter security on corporate assets. Even more importantly, it moves risky behaviour off your devices.
Excessive user permissions are not good for anybody.
If you motivate your users to manage their own privileges, you create much better risk control and save management time.
Final Words
In order to decrease security risks in your organisation, you need to overcome optimism bias ("it won't happen to me") and reactance ("rules are for others").
Best practices to meet the challenge are:
Steal people's attention with facts about real incidents close to their work
Focus on management and change agents
Help people manage risk themselves through targeted microtraining on security tools, financial support for users' personal devices and self-management of user privileges
You can decrease your security-related people risk, but it requires some attention and actions tailored to your company.
If you liked this article, I would appreciate it if you gave it a clap :)