
CHAPTER FOUR: RESULTS

Results from Social Cognitive Theory

A collection of published articles and documents has discussed which environmental and cognitive factors may influence individuals to exercise compliant behavior (D’Arcy & Lowry, 2019; Koohang et al., 2020; Pfleeger & Caputo, 2012; Roberts, 2021). Research has shown that environmental and cognitive factors both have a significant impact on human behavior and on whether individuals comply with security policies (D’Arcy & Lowry, 2019; Koohang et al., 2020; Pfleeger & Caputo, 2012; Roberts, 2021; European Union Agency for Network and Information Security, 2018). While both kinds of factors are known to influence human behavior, more research is available on cognitive factors than on environmental factors (D’Arcy & Lowry, 2019; Pfleeger & Caputo, 2012). An overview of the environmental and cognitive factors found throughout the research is highlighted below in Figure 4.1.

Cognitive Factors and Behaviors

Cognitive factors are internal influences that have been studied with regard to human behavior and compliance. Self-efficacy is one of several factors identified in research that have a significant impact on compliant behavior. In this context, self-efficacy refers to an individual’s belief that they can perform secure behaviors. Studies have shown that higher levels of self-efficacy positively affect employees’ secure behaviors and that such employees are more committed than those who lack self-efficacy (Koohang et al., 2020; Li et al., 2019; Wood & Bandura, 1989). Earlier research showed that self-efficacy positively affects an individual’s intention to comply with security policies (Benbasat et al., 2010). Later studies corroborated those findings and determined that self-efficacy does have a positive impact on compliant behavior (D’Arcy & Lowry, 2019; Li et al., 2019). According to Pfleeger and Caputo (2012), employees who have higher levels of self-efficacy will perform secure behaviors, and their peers are more likely to learn from them and engage in those same secure behaviors. Questions regarding methods to increase self-efficacy have surfaced throughout the research, and it has been suggested that self-efficacy can be influenced and strengthened through experience, social persuasion, knowledge, and awareness (Li et al., 2019; Wood & Bandura, 1989).

The attitude of the individual towards different aspects of cybersecurity has also been identified as an influential factor for compliant behavior. Studies have linked individuals’ attitudes towards policy adherence to compliant behavior, concluding that individuals with a positive attitude towards policy compliance are more likely to comply, whereas those with a negative attitude are less likely to comply (D’Arcy & Lowry, 2019; Howard, 2018). Muhire and Ayyagari (2018) have argued that attitudes have a positive relationship with an individual’s intent to comply with security policies. They found that compliant behavior results from an individual’s positive perception of the security policy, and that non-compliance may result when individuals perceive the policies as a nuisance (Muhire & Ayyagari, 2018).

Bauer and Bernroider (2017) showed strong support that information security knowledge has a significant relationship with an individual’s attitude towards compliance. The results suggest that an individual with more knowledge is likely to have a more positive attitude, which increases their intention to actually comply with policies (Bauer & Bernroider, 2017). A later study conducted by Roberts (2021) also concluded that there is a relationship between an individual’s knowledge and the attitude the individual has towards secure behaviors. Attitudes towards cybersecurity may improve as knowledge of cybersecurity increases, which may reduce risky behaviors that do not comply with policy (Roberts, 2021). Balozian and Leidner (2017) broke knowledge into two categories, technical and behavioral knowledge, and suggested that increasing both can result in secure and compliant behavior from the individual. Behavioral knowledge is described as knowing what behaviors are acceptable as described in policies, and technical knowledge is an individual’s knowledge of how to perform secure behaviors (Balozian & Leidner, 2017). Individuals who have knowledge of security policies have been seen to perform secure behaviors more often than those who have no knowledge of the security policies (Balozian & Leidner, 2017; Li et al., 2019), and individuals who know how to perform secure behaviors are more likely to comply than those who do not (Balozian & Leidner, 2017). Research has provided strong evidence that an individual’s self-efficacy, attitude, and knowledge are contributing factors that influence an individual to perform secure behaviors that are compliant with organizational security policies.

Environmental Factors and Behaviors

Social proximity has been identified as a reason why individuals may or may not behave in a compliant manner (Bicchieri et al., 2021). Social proximity is an environment of people who share a common baseline of traits, characteristics, and identities, such that they behave in a manner deemed acceptable by the group and avoid behaviors that are not (Bicchieri et al., 2021). Social environments can play a role in deterring or encouraging compliant behaviors (Balozian & Leidner, 2017). A study using social proximity was conducted to understand its effect on compliant behavior and concluded that observing peer behavior persuades individuals to alter their own behavior based on what they have observed; when compliant behavior was observed within an individual’s social proximity, the individual emulated that same behavior (Bicchieri et al., 2021). Other researchers have also concluded that peer behavior is a significant factor affecting how others behave with regard to cybersecurity, suggesting that individuals learn secure behavior by imitating their peers’ actions (Balozian & Leidner, 2017; Li et al., 2019; Pfleeger & Caputo, 2012).

One explanation for why individuals imitate peer behavior or comply with policies is the norms that have been established within the environment, such as subjective and descriptive norms. Subjective norms refer to the users’ belief that significant others, such as managers, approve or disapprove of particular behaviors (Balozian & Leidner, 2017). Balozian and Leidner (2017) suggest that if managers expect compliant behavior, employees are likely to engage in those behaviors. The expectations of significant others create social pressure on individuals to engage in secure behaviors and comply with security policies (Balozian & Leidner, 2017). According to D’Arcy and Lowry (2019), subjective norms have also been considered strong predictors of compliant behavior; if compliant behavior is not a subjective norm, then individuals are unlikely to comply.

Descriptive norms refer to the users’ perception that significant others and colleagues are exercising behaviors that are compliant with policies (Balozian & Leidner, 2017; D’Arcy & Lowry, 2019). Peers who exhibit secure behavior are considered role models who provide positive messages and encourage policy compliance (Balozian & Leidner, 2017). On the other hand, those who exhibit poor behaviors and go against policy are known to negatively impact others’ behaviors (Balozian & Leidner, 2017). According to a report by the European Union Agency for Network and Information Security (2018), individual compliance levels were positively impacted when individuals believed their peers were complying with policies and engaging in secure behavior. People often conform to social norm behaviors so that they can fit in or be accepted by others within the environment (Barlow et al., 2018). These findings provide evidence that environmental factors such as social proximity, subjective norms, and descriptive norms can influence an individual’s compliance behavior.

[Figure 4.1: Factors of Compliant Behavior]

Best Practices and Challenges

Case Study 1

The case study involved three large-scale organizations from Australia and was conducted to identify what methods were utilized to create or improve a culture of cybersecurity that influenced employee behavior (Alshaikh, 2020). The organizations were chosen based on their similarities to one another in terms of culture and because they were in the early stages of cultural development rather than having an established culture already (Alshaikh, 2020). Five specific initiatives were identified that helped these organizations move from having no cybersecurity culture to having a cybersecurity culture that improved employee behavior. These key initiatives are reviewed in the following sections.

The first key initiative was to identify the top behavioral themes from each cybersecurity-related policy developed by the organization, which resulted in the identification of five key behaviors: be differential and respectful when online, “think before you click”, “think before you send”, ensure files and information systems are secure, and report suspicious activity (Alshaikh, 2020). The purpose of identifying these behavioral themes was to communicate them to the employees so that they had knowledge of them. When the employees were performing the desired actions and behaviors, they were in compliance with a majority of the policies, which was noted as a significant improvement (Alshaikh, 2020). Another organization took the same approach and identified eight behaviors after reviewing its information security policies. Once they were identified, the organization trained its employees specifically on those desired behaviors.

Secondly, there was a significant need to create a champion network given the large size of each organization (Alshaikh, 2020). The champion network was meant to help engage all areas of the organization, especially since each had multiple geographical locations, and champions were also established in each hierarchical layer of the organization (Alshaikh, 2020). The intent of the champion network was to increase cybersecurity awareness by amplifying the messages, to encourage and help employees adopt the identified security behaviors, to identify the knowledge, skills, and abilities required from employees, and to report progress so that the security team could determine the effectiveness of the initiative (Alshaikh, 2020). One important note was that a champion did not need to be a cybersecurity expert but needed to be a good people person who could communicate effectively (Alshaikh, 2020). Champions were required to have the most up-to-date information so they could be effective in the responsibilities listed above (Alshaikh, 2020).

The third key initiative was to establish a cybersecurity hub, or internal website, that employees can visit to learn more about cybersecurity and ways to improve their behaviors (Alshaikh, 2020; Ling Li et al., 2019). The design of the website mirrored the key cybersecurity behaviors identified by the organization, consolidated policies and procedures, and allowed employees to ask questions that facilitated learning (Alshaikh, 2020). The cybersecurity hub provided employees a method to effortlessly access specific information regarding behavioral expectations, such as the policy-derived behaviors, and also supported the champion network by supplying them with a platform to spread awareness (Alshaikh, 2020). The organizations found that employees were often bothered by visiting multiple sources to find information and noted that having a single point of contact, or cybersecurity hub, was much more practical (Alshaikh, 2020). Providing information regarding at-home secure behavior for employees and their families was also found very useful (Alshaikh, 2020).

Furthermore, the cybersecurity team branded themselves with a mascot and/or a logo to enhance their visibility within the organization (Alshaikh, 2020). Logos and mascots were placed on all cybersecurity awareness-related material and training to establish a relationship between the activities and cybersecurity, so that employees could relate the material to cybersecurity, acting as a cue to action (Alshaikh, 2020). One organization mentioned that it was important to involve the employees in the decision and design process for the team branding, giving them a personal connection to the brand (Alshaikh, 2020). Consistently using the cybersecurity team’s visual identity was essential in the development of their cybersecurity cultures (Alshaikh, 2020).

Finally, the fifth key initiative was to align the organization’s cybersecurity awareness program with internal and external campaigns. Using all available resources increased the effectiveness and overall impact on the employees and influenced positive behavior changes (Alshaikh, 2020). These organizations aligned internal campaigns with external campaigns, such as privacy awareness week and scammer awareness week, reducing the time and effort required by simply disseminating external campaign information to their employees while attaching the organization’s visual identity to the material (Alshaikh, 2020). These actions demonstrated effective methods for encouraging secure behavior by engaging employees in a fun and exciting way (Alshaikh, 2020). They also enhanced collaboration between different units and stakeholders and decreased the time and attention demanded from employees (Alshaikh, 2020). These organizations used their communications teams to develop methods for communicating awareness material in non-technical language, allowing their employees to better understand the message, while also collaborating with their marketing teams when designing their visual identity (Alshaikh, 2020).

Challenges. It was clear that the organizations did not have an effective method to measure their success and improvement levels during the early stages of secure culture development. The percentage of completed training was commonly used as a metric to determine whether employees were completing their required education; however, it could not measure the training’s effectiveness on behavior change outcomes (Alshaikh, 2020). Employees initially resisted the changes because they were neither engaged nor motivated to participate in training, and some even shared answers (Alshaikh, 2020). As a result, the percentage of completed employee training only satisfied the compliance requirement for mandatory training and could not be used to gauge its effect on behaviors (Alshaikh, 2020). Once the key initiatives were put into action and ongoing, the organizations agreed on three methods of measurement: employee feedback regarding cybersecurity activities, analysis of employee engagement with the cybersecurity hub, and reports of increased collaboration (Alshaikh, 2020). As a result, these organizations were able to measure the effectiveness of their initiatives while noticing an increase in incident reporting, which indicated an increase in compliance and secure behavior (Alshaikh, 2020). A noteworthy mention is that each organizational leader expressed the importance of leadership buy-in and that the effort must be a priority for the executive team, otherwise the initiative is likely to fail (Alshaikh, 2020).

Case Study 2

Liberty Mutual’s case study shows an example of how an organization can minimize its employees’ risky behaviors and reduce vulnerabilities by increasing the use of secure behavior. The case study analyzes the mechanisms utilized by the company to create a cybersecurity culture that instills a set of beliefs, attitudes, values, and effective performance measures to influence behavior (Huang & Pearlson, 2019).

Creating a Chief Information Security Officer (CISO) position and assigning someone that responsibility was Liberty Mutual’s first action (Huang & Pearlson, 2019). Similar to the previous case study, cybersecurity became a top priority for the leadership team given the extreme importance and value they believed it has to the company (Huang & Pearlson, 2019). The CISO’s overarching responsibility was to drive the organization’s culture towards one with positive cybersecurity beliefs, values, and attitudes while continuously reinforcing its importance (Huang & Pearlson, 2019). Identifying the core behaviors and concepts from the governing policies, called the Pillars of Data Protection, helped leadership identify a set of expected employee behaviors and communicate them to each employee (Huang & Pearlson, 2019). Policies and expectations were written in non-technical language to increase understanding among all employees while further clarifying and explaining exactly how they relate to the employee (Huang & Pearlson, 2019).

A significant amount of effort was directed towards creating an effective communication strategy that ensured cybersecurity messages were being received by all employees. Messages were associated with cybersecurity by branding the cybersecurity team and inserting its logo into every message, with the help of the marketing team, so that employees could recognize their significance (Huang & Pearlson, 2019). The CISO regularly published blogs that covered relevant topics currently impacting the organization in some way (Huang & Pearlson, 2019). Additionally, as major cybersecurity news stories broke, leaders used the information to raise awareness within the organization and discussed its impacts, how it related to the organization, and how employees might take steps to prevent or respond to similar events if they happened within the organization (Huang & Pearlson, 2019). Slogans became an effective tool for communicating messages that helped employees realize they are part of the solution, which began shaping positive employee attitudes (Huang & Pearlson, 2019). Employees began to understand the value of cybersecurity, started paying more attention to the messages, and were more encouraged than ever to participate in cybersecurity activities as a result of observing how involved the executive team was in spreading the messages (Huang & Pearlson, 2019).

Expanding on communication, Liberty Mutual took the initiative to provide employees with learning opportunities to increase their knowledge of cybersecurity. Since it recognized that irregular training classes were ineffective, Liberty Mutual decided to adopt a strategy of continuous learning through regular training classes and communication campaigns to give employees an understanding of cybersecurity risks and how to mitigate them (Huang & Pearlson, 2019). Internal campaigns were aligned with external campaigns to provide fresh, current, and relevant information to employees, which helped reinforce the value of cybersecurity (Huang & Pearlson, 2019). Videos, digital displays, newsletters, and events were used for consistent delivery of training and awareness to show the importance of data protection (Huang & Pearlson, 2019). Leadership also implemented an incentive program to help motivate employees, highlighting potential rewards if employees improved their cybersecurity behaviors and consequences if they failed to perform the expected behaviors (Huang & Pearlson, 2019). The outcome of these actions was an environment with strong social norms and beliefs towards cybersecurity, because employees began discussing cybersecurity topics and engaging in activities regularly (Huang & Pearlson, 2019).

Lastly, Liberty Mutual implemented two methods to measure the effectiveness of its cybersecurity culture initiative. It conducted employee evaluations to determine how well employees had been doing concerning cybersecurity; if employees were performing as expected or beyond, this was annotated in their evaluation with the possibility of a reward, otherwise, poor behavior was reflected in their evaluation with the possibility of consequences (Huang & Pearlson, 2019). Regular interviews were conducted outside of the employee evaluation process to gain employee feedback so that leadership could determine whether the initiative was showing success (Huang & Pearlson, 2019). Interview results showed an increase in the employees’ self-efficacy and awareness levels as a result of the employees understanding what behaviors to perform while feeling more confident and empowered to protect the information systems and data (Huang & Pearlson, 2019).

Challenges. Specific challenges that Liberty Mutual may have encountered were not identified in this case study. However, there appears to be evidence that potential challenges can arise while enforcing consequences for poor employee behavior. Additional training has been used as a consequence for failing cybersecurity exercises, specifically phishing exercises (Huang & Pearlson, 2019). While it was noted that employees are generally not bothered by taking additional courses, not all employees may react the same way, which may lead to cybersecurity being perceived as a nuisance (Huang & Pearlson, 2019). To prevent employees from developing a negative perception of cybersecurity, the challenge is to determine at what point consequences should be enforced, and to what extent, so that employees remain engaged and continue to participate in the activities and exercises.