Standard economic theory used to hold sway in its suggestion that we make decisions in a purely rational, selfish way. It is now well established, however, that the reality is somewhat more complicated than that. The field of Behavioural Economics provides multiple theories that can begin to predict these less-than-rational behavioural choices.
Protection Motivation Theory
At ThinkCyber, we are currently exploring new approaches to delivering security awareness in a project supported by Innovate UK. As part of this work, Protection Motivation Theory is one of the most thought-provoking theories we’ve come across.
The theory suggests that we make two assessments when making a decision under threat. The first assesses the threat in terms of perceived severity and our perceived vulnerability to it. The second assesses our capacity to cope with the threat in terms of our ability to respond effectively, and also the cost to us of making that response.
While it is interesting to consider security decisions with this threat/coping framing, of far greater relevance is that the most recent research into the application of this theory in the security context suggests the importance of accentuating coping over threat. As Pam Briggs, Professor and Chair of Applied Psychology at Northumbria University, puts it, “we shouldn’t focus on the threat (scaring people), but instead focus on building up people’s confidence and knowledge in knowing what action to take (the ‘coping appraisal’ part)”.
Current approaches to security awareness
Clearly, Protection Motivation Theory is just that: a theory. It’s a simplification of the complex realities of human cognitive processes. However, that doesn’t mean it’s not useful, and the idea of placing greater emphasis on the coping component is not only interesting from an academic perspective but can also be directly applied to how we think about influencing people’s security behaviour.
Considering the theory against our experience of current approaches to security awareness, we observe that:
In short, getting the approach and emphasis wrong risks removing people’s motivation to do the right thing – increasing the likelihood that they just (for example) cross their fingers, click the link and plead ignorance after the fact!
Applying Protection Motivation Theory
So, what does this mean for practitioners developing security awareness training courses? For us the theory suggests the following:
We believe the focus should be on creating an enduring, but appropriate, level of security awareness. We would advocate thinking hard about the degree of expertise we expect people to have and whether it is realistic; and then making sure it goes hand in hand with effective, simple and memorable coping mechanisms.