CyberSecPsych

Cognitive dissonance refers to the uncomfortable feeling that occurs when there is a conflict between one’s belief and behavior. This unsettling feeling brings about intense motivation to get rid of the inconsistency. An individual experiencing dissonance has three optional courses of action in order to minimize the dissonance (1) change the behavior, (2) change the belief, (3) create new consonant cognitions to counteract the dissonant cognitions.
 

End users experience a conflict between one’s belief and behavior, resulting in cognitive dissonance.  Examples of end user beliefs:

I am…..

• a good employee
• safe
• cautious
• accountable
• competent
• intelligent
• capable

People frame themselves in the best light possible, and will go to great lengths to ensure they maintain a positive image. When an event comes about that threatens this self imagine, the individual is intensely motivated to remove the inconsistency.

In the case of information security, the threat is an attachment or link in a phishing email. An employee, pressured with the need to get work done at a quick and efficient rate, goes back and forth in his/her head as to whether to click on the link, and oftentimes, curiosity kills the cat. To minimize the dissonance, the user can either:

• Change the behavior: The user stops clicking on links in emails. While this may lead to short-term change, long-term effectiveness is not shown (due to the need to get work done, the power of curiosity, and no alternative behavior suggested).
• Change the belief: The user convinces themselves that they are not at fault because the company’s anti-virus software should have caught the malicious link, or that they don’t really care about their company anyways and it does not matter. If the user can make their negative behaviors seem less important, dissonance is reduced.
• New consonant cognitions formation: I am a smart and efficient employee that historically has been used to being able to click on links and attachments with no repercussions. In today’s threat landscape, however, that is no longer possible and I have the respect and support from my organization to share any thoughts or doubts I have, and we work collaboratively to establish a security culture.

People, in general, do not like to feel unethical, dumb, or cheated, and will go to great lengths to maintain a positive self image.

In the case of security awareness trainings, individuals want to feel like the material they are learning is compatible with their level of intelligence and style of learning. If not, they will disregard the information in order to reduce the cognitive dissonance of feeling like they are not smart.

CHALLENGE: How to we get employees to this new consonant cognition, which accounts for both behavior and attitudes, to create long lasting change?

Behavioral Approach to Change

Studies show that mechanisms such as fear, guilt, or regret are negatively associated with long-term behavioral change. Alternatively, long-lasting change is most likely when it is self-motivated and rooted in positive thinking. Approaches such as Positive Behavioral Support (PBS) trainings, wherein employees are given practical behavioral alternatives to the unwanted behavior, creates a supportive organizational security culture where employees feel respected and responsible.

 
Small and Specific

Studies have shown that goals are easier to reach when they are specific, and when they are reduced to a smaller number of goals to accomplish at one time, to avoid overtaxing one’s attention and willpower. Have too many choices can create dissonance within itself, so setting up your employees with clear actionable steps as the correct course of action when receiving an email with a link or an attachment enables the employee to retain their independence and responsibility, making them feel like a valuable member of the security team.

 
It Comes From Culture

Long lasting behavioral change takes time, and requires a supportive environment to do so. Open communication and environments where collaboration is celebrated allows for individuals basic needs around safety to be met so that they are free to make behavioral choices that align with the company’s mission around security.

Conclusion

Behaviors and attitudes are interconnected. Modification of one influences the other. We need to keep this in mind as we look to security awareness trainings as the “magic bullet” to protect our organizations. Analyzing not only the training platform, but the attitudes within the organization towards these types of trainings, as well as the cultural supports that encourage collaboration and open communication, are the next pieces of the security awareness puzzle.