Cyber Security Awareness Campaigns: Why do they fail to change behaviour?

The present paper focuses on Cyber Security Awareness Campaigns, and aims to identify key factors regarding security which may lead them to fail to appropriately change people's behaviour. Past and current efforts to improve information-security practices and promote a sustainable society have not had the desired impact. It is therefore important to reflect critically on the challenges involved in improving information-security behaviours for citizens, consumers and employees. In particular, our work considers these challenges from a psychology perspective, as we believe that understanding how people perceive risks is critical to creating effective awareness campaigns. Changing behaviour requires more than providing information about risks and reactive behaviours - firstly, people must be able to understand and apply the advice, and secondly, they must be motivated and willing to do so - and the latter requires changes to attitudes and intentions. These antecedents of behaviour change are identified in several psychological models of behaviour. We review the suitability of persuasion techniques, including the widely used 'fear appeals'. From this range of literature, we extract essential components for an awareness campaign as well as factors which can lead to a campaign's success or failure. Finally, we present examples of existing awareness campaigns in different cultures (the UK and Africa) and reflect on these.
