
How frustrating is it when you point out the risks to people and they just don’t listen? Every day around the world there are millions of people who smoke, drive too fast and click on strange emails, even though they’ve been repeatedly told about the dangers. They are ‘risk aware’ in the technical sense of the word and yet their behaviour continues. This is a big problem, since the mainstream approach to security awareness assumes that all that’s needed to achieve behavioural change is an understanding of the risks. Traditionally, when encountering non-compliant behaviour, we security technocrats reiterate the facts and increase the threat of sanctions. But there is another way.
Luckily for us, this is a problem that safety risk communicators have been grappling with for decades. The safety risk communications field has a number of explanatory frameworks to predict how people will react to risk communications. One of the most interesting models to arise is the Extended Parallel Process Model (EPPM), which seeks to explain why people fail to take action once aware of a threat. This is a goldmine for security professionals looking to apply a more structured, formal approach to promoting behavioural change.
So how does the EPPM model work? Basically, when confronted with the risk of a ‘bad thing happening’, people consider two key elements. Firstly, they consider the likelihood and severity of the danger (referred to in the EPPM model as susceptibility and severity). Then, they consider their ability to take action and control the risk. This is their perception of how likely they are to perform the risk-controlling action successfully, and of how well a successfully performed action will control the risk (referred to in the model as self-efficacy and response efficacy).
Based on these perceptions, the EPPM model predicts three possible outcomes:
1) A fear-controlling response, where the risk is perceived as significant but the individual perceives their ability (rightly or wrongly) to control the risk as low. Instead of acting to control the risk, they unconsciously attempt to control their fear. Fear-controlling responses may involve the use of cognitive defence mechanisms to rationalise inaction, such as ‘it will happen to me sooner or later no matter what I do’.
2) No response because the risk is perceived as insignificant due to a perception of low likelihood or severity.
3) A risk-controlling response, which occurs when an individual perceives both the risk and their ability to control it as high. This is the successful outcome from the point of view of the risk communicator.
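As an added illustration (not from the original post), here is how the three outcomes above could be operationalised as a triage over awareness-survey scores, so that each segment of an audience gets the message lever it actually needs. The four survey questions, the 1 to 5 scale, the threshold below which threat counts as ‘insignificant’, the rule that efficacy must at least match threat for a risk-controlling response, and the survey rows are all assumptions made for this example; the post gives no numbers.

```python
# Added illustration: an EPPM-style triage of awareness-survey responses.
# The four scores, the 1-5 scale, the threshold and the survey rows below are
# all constructed for this example; the post itself gives no numbers.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Perceptions:
    """Self-reported scores (1 = strongly disagree ... 5 = strongly agree)."""
    susceptibility: int     # "this could happen to me"
    severity: int           # "if it happened, it would be serious"
    self_efficacy: int      # "I am able to do the recommended action"
    response_efficacy: int  # "doing the action actually reduces the risk"


# Assumed: a combined threat score below this is treated as 'insignificant'.
THREAT_FLOOR = 6


def perceived_threat(p: Perceptions) -> int:
    return p.susceptibility + p.severity


def perceived_efficacy(p: Perceptions) -> int:
    return p.self_efficacy + p.response_efficacy


def predict_response(p: Perceptions) -> str:
    """Map perceptions onto the three EPPM outcomes described in the post."""
    threat = perceived_threat(p)
    if threat < THREAT_FLOOR:
        return "no response"      # risk dismissed as unlikely or trivial
    if perceived_efficacy(p) >= threat:
        return "risk control"     # threat felt, and action looks feasible
    return "fear control"         # threat felt, but action looks hopeless


def recommended_lever(p: Perceptions) -> str:
    """Which perception a follow-up message should target (example wording)."""
    outcome = predict_response(p)
    if outcome == "risk control":
        return "reinforce: keep the message, remove friction from the action"
    if outcome == "no response":
        weak = "susceptibility" if p.susceptibility <= p.severity else "severity"
        return f"raise perceived threat ({weak})"
    weak = "self_efficacy" if p.self_efficacy <= p.response_efficacy else "response_efficacy"
    return f"raise perceived efficacy ({weak})"


def triage(responses) -> dict:
    """Count predicted outcomes across a survey, one lever per segment."""
    return dict(Counter(predict_response(p) for p in responses))


# Constructed sample rows, one per archetype mentioned in the post.
SAMPLE_SURVEY = [
    Perceptions(susceptibility=1, severity=4, self_efficacy=3, response_efficacy=4),  # 'little fish'
    Perceptions(susceptibility=4, severity=5, self_efficacy=1, response_efficacy=2),  # overwhelmed
    Perceptions(susceptibility=4, severity=4, self_efficacy=4, response_efficacy=4),  # engaged
    Perceptions(susceptibility=2, severity=3, self_efficacy=5, response_efficacy=5),  # 'little fish'
]

if __name__ == "__main__":
    for p in SAMPLE_SURVEY:
        print(predict_response(p), "->", recommended_lever(p))
    print(triage(SAMPLE_SURVEY))
```

The point of the split is the one the post makes: the ‘little fish’ rows and the overwhelmed row are both non-compliant, but the first needs a threat message and the second needs tooling and confidence, and sending the same reminder to both wastes the effort.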
The EPPM model can help us understand why people fail to take action. For example, one of the interesting findings from the Verizon Data Breach Report is the reported rise in small businesses being the victims of cyber-crime. This is facilitated in part by a lack of anti-virus and patching. Some interesting work from Rick Wash on mental models shows that there is a ‘little fish’ mentality prevalent among home internet users (an overlapping demographic), who don’t see themselves as the target of cyber-criminals. Their relative inaction on patching and anti-virus can be explained in part by a rational (but incorrect) view that they aren’t a target. They’re familiar with the security advice but have reached the mistaken conclusion that it doesn’t apply to them.
As an industry, we need to lift our game. We’ve spent nearly two decades telling people the facts and waiting for them to ‘get it’. They haven’t, because we security professionals don’t ‘get’ them. If people aren’t taking action to control risk in response to risk communications, then the EPPM model suggests that there are two possible causes: either they don’t think the issue is significantly dangerous, or they lack confidence in their ability to manage it. A very different approach is needed depending on which of these is causing the problem. It’s not enough to know which behaviours are causing information security risk. To be effective, communicators must also understand why the behaviour is occurring. People may be well aware of the risks but feel constrained in their ability to deal with them. Perhaps their tools are too complicated; perhaps they feel constrained by organisational culture. We need to move beyond the ‘lazy user’ narrative that is all too commonly used to explain non-compliance. As frustrating as it is when people ignore our advice, the fault probably lies with us and how we’ve ignored our audiences. To be understood, we should first seek to understand.