13 June 2022
Multidisciplinary Approach in Cybersecurity Awareness
Cybersecurity awareness (CSA) refers to being mindful of cybersecurity issues that affect one’s personal and professional life. If properly conceived and implemented, this preventive measure can provide a reliable defence against cyber-attacks and -crimes. In reality, however, many CSA initiatives fail to yield the desired results.
One of the key reasons for CSA initiatives’ failure is their limited grasp of awareness concepts. Awareness is commonly misunderstood as an act of sharing security information, traditionally on what to do and what not to do, with the target audience group. While providing information about security risks and threats to the target audience group is definitely necessary for building a conducive environment for change, it is unlikely that doing so alone will influence their security attitudes and behaviour.
In fact, getting people to act in a secure or recommended manner necessitates communicating the complex issues of cybersecurity in such a way that people understand the importance of the information, then comprehend how to respond appropriately, and finally develop a determination to act despite a variety of other demands of normal workflow. Such communication requires adopting and leveraging strategies and applications from multiple disciplines.
CyberSec4Europe’s report Awareness Effectiveness Study 2 implemented a multidisciplinary approach to elicit and analyse the relevant factors that can be used, or that need to be addressed, in order to enhance security attitudes and behaviour transformation. To accomplish that, the study explored research from different disciplines, namely:
- social psychology— e.g., to understand the impact of cognitive biases, cultural biases, and personal traits on security decision-making,
- behavioural economics— e.g., to understand the impact of incentives on security decision-making,
- pedagogy— e.g., to understand suitable learning materials, learning techniques, and effective evaluation for security purposes,
- usability and user experience— e.g., to understand better usability and user experience to facilitate security decision-making,
- framing theory— e.g., to understand the influence of information presentation on security decision-making,
- communication theory— e.g., to understand the communication phenomena necessary for effective delivery of security messages,
- the science of persuasion— e.g., to understand persuasion mechanisms that can foster security learning and actions, and so on.
The findings of this study will be useful to CSA professionals, organizations, and individuals who want to design, develop, and implement CSA materials or programmes. The identified factors could help them design appropriate awareness messages and convey those messages effectively. Additionally, the information could be valuable for those who make requests for awareness designers, as well as anyone who analyses the efficiency of security measures already in place.