How to Foster Positive Behavioral Change

While it may be easy to place the blame on people for data breaches and other cybersecurity incidents, the truth is that people are an organization’s first and best line of defense. Instead of viewing people as the victim, or punishing them for risky cyber behavior, it’s time to change the narrative and empower them through a cybersecurity culture that focuses on positive behavioral change.

Where to Start

The first step in fostering positive behavioral change is creating an aware team that cares about cybersecurity. We recommend implementing a metrics-driven security culture that involves gathering information on your team’s existing cybersecurity habits, such as reusing old passwords, analyzing that information, and then teaching safe cyber habits in a positive and human-focused way. These steps are repeated and modified as your team grows more cyber aware, and training is adjusted to fit your specific cyber landscape.

The next step is to measure individuals’ perceptions of cybersecurity topics. This can be done through a survey that you can then analyze to understand how people feel about certain cybersecurity practices. Some key questions to include are:

  1. Do you think you play an important role in protecting your organization from cyberattacks?

  2. Do you believe you receive enough training or education to really be involved and make a difference?

  3. Is cybersecurity mostly an IT issue?

  4. Is your organization a potential target for cybercriminals?

Always remember when analyzing results that this is not a chance to punish folks for risky beliefs or opinions: it’s an opportunity to recognize areas where more training is required to foster a robust and knowledgeable team that cares about cybersecurity.

How Can Positive Behavioral Change be Accomplished?

We would like to share three of the best methods for creating positive behavioral change, all of which are available within the Beauceron Security Platform.

Personal Risk Score: The Personal Risk Score allows users to understand and visualize where they are on their cybersecurity journey. It provides information on what they have been doing well as well as areas that may need improvement.

When a phish is reported, the Personal Risk Score positively decreases, indicating that the user is engaging in safe cyber behavior and is able to recognize cyber risks. If a phish is clicked, the Personal Risk Score negatively increases, indicating that the user needs to work on recognizing cyber risks, and remedial training is assigned to help them learn how to recognize those risks.

The Personal Risk Score can also decrease when users complete remedial training and other assigned courses. Personal Risk Scores are an important part of fostering positive behavioral change as they aren’t stagnant – even if a user clicks on several phishes at the beginning of their cybersecurity journey, if they complete remedial training and begin recognizing and reporting phishes, their Personal Risk Score will positively decrease to reward this good behavior.

Remedial Training: Instead of punishing users for clicking on a phish, assigning remedial training allows them to learn from their mistake and to recognize cyber risks when they occur. Remedial training consists of assigned courses and their quizzes, which educate users in areas where they are struggling. It isn’t a punishment; it’s an opportunity to learn how to better protect themselves and their organization from cyber threats. By recognizing and correcting risky behavior, the team as a whole is able to better understand and implement cybersafe behavior without the associated feelings of shame or humiliation.

Gamification: It’s been proven that gamification helps folks learn and be more productive. By turning assigned learning into a game, or simply increasing the visual elements, you can turn learning from a chore into something employees look forward to and are motivated to participate in. Finding a method that engages people and motivates them to want to learn is a great way to provide essential information in a manner that is both informative and fosters a positive cybersecurity culture.

With the competitions option in the Platform, users can engage in fun competitions with their peers that positively decrease their Personal Risk Score.

If you’re interested in learning more about how positive behavioral change can benefit you and your team, check out our new whitepaper “Creating a Positive Cybersecurity Culture: Effectively Change Behavior.”
