Adopt an influence and persuasion strategy to change employee behavior
In today’s increasingly interconnected world, the importance of human-centered cybersecurity strategies cannot be overstated. IT leaders know that cybersecurity awareness programs have not been particularly effective at changing employee behavior. However, this does not negate the need for companies to communicate with their employees about cybersecurity. Instead, it highlights the need to shift focus from awareness to behavior change.
By leveraging proven behavior change models, companies can make impactful communication changes that yield significant results in strengthening cybersecurity. IT leaders must gain an understanding of persuasion and influence tactics and how they can be used to positively impact the cybersecurity risks associated with employee behavior. Here are 4 key considerations for IT leaders to improve cybersecurity and employee buy-in.
Understand the limitations of awareness programs
Cybersecurity awareness programs often fail to produce substantial behavioral changes because they primarily focus on simply sharing information and knowledge. While awareness is essential, knowledge alone does not guarantee the adoption of secure practices. Many employees are aware of the risks but fail to apply that knowledge consistently. This highlights the need to move beyond awareness and explore strategies that influence employees’ behaviors directly.
Emphasize behavior change
To foster a culture of cybersecurity within organizations, the focus should shift from simply making employees aware of threats to actively changing their behaviors. By aligning communications with behavior change objectives, companies can create a more effective cybersecurity program. This involves encouraging employees to adopt secure practices, such as using strong passwords, regularly updating software and being vigilant against phishing attempts.
Leverage the principles of persuasion
The renowned social psychologist Robert Cialdini identified six principles of persuasion that can be applied to influencing behaviors: commitment and consistency; social proof; authority; reciprocity; scarcity; and liking. By incorporating these tactics into cybersecurity communications, companies can maximize their impact and encourage employees to adopt secure behaviors.
- Commitment and consistency. By encouraging employees to make public commitments to cybersecurity practices, companies can leverage the power of consistency. Employees who publicly declare their commitment are more likely to follow through and align their actions with their stated intentions. Even something as simple as asking employees to sign an agreement, in front of their managers, that they will follow cybersecurity policies can help employees commit.
- Social proof. Humans are naturally influenced by the actions of others. By highlighting positive examples of secure behaviors within the organization, such as success stories or testimonials, companies can establish social proof. This demonstrates that secure behaviors are widely adopted and encourages others to follow suit. It also shows that people who don’t follow cybersecurity policies are the outliers – and not in a good way.
- Authority. It’s always important that top leadership is aligned with best cybersecurity practices and that they’re engaging in those practices themselves. Leveraging those authority figures can enhance the credibility of cybersecurity communications. Employees are more likely to adopt secure behaviors when they perceive that members of the C-suite are engaging in them and that those top individuals expect employees to follow suit.
- Reciprocity. Companies can foster a sense of reciprocity by offering incentives or rewards to employees who consistently practice secure behaviors. For example, providing public recognition or small tokens of appreciation will motivate employees to follow secure practices consistently.
- Scarcity. Creating a sense of urgency and scarcity can drive behavior change. For instance, highlighting the limited number of chances employees have to change their password before getting locked out of the system or emphasizing the potential consequences of a security breach can motivate employees to take immediate action.
- Liking. Building positive relationships between employees and the cybersecurity team can facilitate behavior change. Communicating in a friendly and approachable manner, establishing open channels for dialogue, and, when possible, providing personalized support can foster a sense of liking and trust – ultimately making employees more receptive to cybersecurity messages.
Implement small communication changes
Sometimes, small communication adjustments can have significant impacts on behavior change. Companies can integrate the principles of persuasion into various communication channels, such as emails, training sessions, posters and newsletters. By carefully crafting messages that align with the principles, companies can promote the desired behaviors and influence employees’ decision-making processes.
While traditional cybersecurity awareness programs may fall short in driving behavioral change, it is crucial for companies to continue communicating with their employees about cybersecurity. By shifting the focus towards behavior change and leveraging the proven principles of influence and persuasion, IT leaders can create employee communications programs that drive results.
Ready to evolve your cybersecurity communications away from awareness and toward behavior change?
Pivot Consultants are experts in using communication and change strategies to drive employee engagement and adoption. Learn more about our IT transformation expertise.