If your cybersecurity training isn’t changing employee behavior, here’s what to do

Cybersecurity education is great, but on its own, it won’t change how employees act. Behavioral psychology has the answer.

Share article

security awareness behavioral psychology

By 2021, cybercrime may be costing the world six trillion US dollars annually. Few industries are immune. A single data breach costs enterprises on average of 1.4 million US dollars. What will your business do?

You can and should upgrade your cybersecurity, but when you do, there will always be holes no technology can fix. They’re called ‘human factors:’ The normal vulnerabilities of normal people.

Cybercriminals are adept at finding and exploiting human weaknesses. Businesses report careless or uninformed staff cause 46 percent of cybersecurity incidents. One in two companies say their employees are the weakest link in their cyber defenses, and 44 percent said their employees don’t follow IT security policies properly. Kaspersky’s report, The human factor in IT security: How employees are making businesses vulnerable from within lays out more evidence on the scale of the problem.

Knowledge isn’t enough to change behavior

Given the added security risk brought by the rapid shift to working from home, cybersecurity training for all employees should come to the front of the queue. The goal is to change their IT habits permanently. They need to understand potential threats, gain IT skills and take care of their devices at work and at home.

Plenty of companies know how important cybersecurity training is and make sure their employees get it. But talking to trainees, there’s a blind spot. They know about cybersecurity – they’ve passed the tests, but they keep behaving in unsafe ways.

Use behavioral psychology to make change

Why don’t employees immediately change their habits after taking a security course? This is where the psychology of behavior change comes in. To turn learning into habit, people need consistent, repeated and reinforced messages over time. They need to know the consequences and what they should do to prevent them, and have the chance to embed each small habit, one by one.

In other words, microlearning: Receiving bite-sized, frequent lessons, simulations and tests. These should come through several channels, like face-to-face or online learning sessions, email reminders and visual cues. It takes time, but it brings results.

Cyberawareness each day keeps the cybercriminals away

When it comes to industrial safety training, people are motivated to learn because they understand the danger – wearing a hard hat protects you from a serious head injury or worse.

Cyberawareness is more like exercise. Everyone knows they should do it, but we often don’t because the consequences are rarely obvious and immediate.

Misconceptions can make employees feel powerless against cybercriminals. Some movies, for example, suggest ordinary people can’t stop cybercrime. It’s better to think of avoiding falling victim to cybercrime as like being chased by a bear. You don’t have to outrun the bear. You just need to be faster than someone else. In other words, you don’t need to be smarter than cybercriminals. Your business needs to act more smartly than others in its cyber hygiene.

Part of Kaspersky’s cybersecurity awareness training works with misconceptions about cybercrime and turns them into positive actions. After completing it with a trainer or self-study online, employees are more interested in cybersecurity and want to change their habits.
security awareness behavioral psychology

Effective structure for cybersecurity learning

Before starting training, we need to know the goal: To change behavior. To change behavior, we must motivate people to learn, know what they should learn (by testing them to find out what they already know and what they must improve upon,) teach them, then reinforce their knowledge and skills.

Gamification is great for motivation. Examples include Kaspersky Interactive Protection Simulation (KIPS) – a 2-hour team simulation game that helps players connect business efficiency and cybersecurity.

You can also gamify assessing their knowledge, which helps employees feel more relaxed and more vividly demonstrates the problems they’ll come across. Casino mechanics are fun and show the trainer how confident learners are in their answers.

After we know what to learn, we start learning. Learning should be informative and divided into small pieces to make it more digestible and comfortable. Make it interactive (not just reading slides) and applicable to their work by using situations they will face, and give clear feedback. ‘Polish’ their new knowledge and skills with tests and simulated phishing attacks.

Now the day-by-day learning starts. Some participants may see repetition and periodic testing as ‘boring,’ but it’s vital to reinforce behaviors, creating instinctive habits.

Adaptive methodology can make learning more relevant and effective. It’s like having a one-to-one personal tutor at scale, so every learner has their own path based on their initial knowledge, abilities and learning targets. It delivers hands-on, practical activities with tests that give immediate feedback. One example of this kind of learning is Kaspersky Adaptive Online Training (KAOT).

Evolving technology brings new threats and ways of attacking. Businesses must keep upskilling their people to meet these challenges head-on. You can persuade your employees to improve their cybersecurity habits with education, if it’s well-structured and -delivered. Learning turns into action when it’s given in bite-sized pieces, repeated and reinforced.

Kaspersky security awareness programs

Teaching employees critical cybersecurity skills, so they act differently, keeping your business safer.

About authors

Mina Yanni is Kaspersky's Head of Enterprise Sales for the UK and Ireland. He develops and executes sales strategy, and manages all enterprise sales, in his dedicated territory.