Making people aware of cybersecurity risks, while also enabling them to respond to those risks effectively, is challenging. Simple policy campaigns or warning messages intended to raise awareness of the risks involved are not always effective, because they implicitly rely on users making well-informed, rational decisions.
Should we use fear factors (warning users about the harmful consequences) or self-efficacy (empowering them to counter an attack)? Which one works better?
A team of psychology researchers studied these questions in 2019 and published the paper "Using protection motivation theory in the design of nudges to improve online security behavior". Their experiment covered 2,024 participants in Germany, Sweden, Poland, Spain and the UK.
The major finding was:
"It was more effective to tell subjects how to effectively manage the probability of suffering a cyber attack than to threaten them with the consequences of not behaving safely."
In psychological terms: "Response efficacy is the effectiveness of the recommended behavior in removing or preventing possible harm.
Self-efficacy is the belief that one can successfully enact the recommended behavior. The coping appraisal process focuses on the adaptive responses and one's ability to cope with and avert the threat.
Coping appraisal involves the individual's assessment of the response efficacy of the recommended behavior (i.e. the perceived effectiveness of sunscreen in preventing premature aging) as well as one's perceived self-efficacy in carrying out the recommended actions (i.e. confidence that one can use sunscreen consistently)."
We should focus on enabling employees to protect themselves when facing cyber attacks, not just on threatening them. Cybersecurity awareness training should give users concrete tools and know-how, not only warnings.