Cybersecurity and data privacy: How to build smart cyber habits with employee training

Why is it so hard to change behavior?

Whether it’s New Year’s resolutions, eating habits, or cybersecurity, people generally maintain the habits they’ve always had - unless they have the proper resources and an ecosystem that facilitates change.1

Old habits die hard

The cybersecurity practices of long-standing employees are no different, even after the shift to working from home during the COVID-19 pandemic. Although WFH puts employees at increased risk of cyberattack, they still often prefer to do things the same way they’ve done them in the past.2 Mandated training simply isn’t very effective at changing this.3

In fact, according to a 2021 investigation, 60% of companies (ranging in size from fewer than 500 employees to more than 1,500) have 500 or more employee accounts that use non-expiring passwords - meaning those employees likely haven’t changed their passwords since the day they joined the organization.4

Using behavioral science to break our dangerous habits

While the onboarding process provides an excellent opportunity to form cybersecurity habits (more on that here), what can be done for people whose methods have been shaped by months or years with the same employer? In order to understand the solutions, it’s important to discern how three behavioral tendencies - social loafing, habituation, and status quo bias - play a role in employee negligence. Once the reasons behind these mental shortcuts are understood, leadership can then enact efficient and effective countermeasures.

References

  1. Breaking Bad Habits. (2012, January). NIH News in Health. https://newsinhealth.nih.gov/2012/01/breaking-bad-habits
  2. Blau, A., Alhadeff, A., Stern, M., Stinson, S., & Wright, J. (2017). Deep Thought: A Cybersecurity Story. ideas42. https://www.ideas42.org/wp-content/uploads/2016/08/Deep-Thought-A-Cybersecurity-Story.pdf
  3. Cisco Systems, Inc. (2008). Data Leakage Worldwide: The High Cost of Insider Threats [White paper]. https://www.01net.it/whitepaper_library/Cisco_DataLeakage.pdf
  4. 2021 Financial Services Data Risk Report (2021). Varonis.
  5. Hoffman, R. (2020, June 22). Social loafing: Definition, examples and theory. Simply Psychology. https://www.simplypsychology.org/social-loafing.html
  6. Darley, J. M., & Latane, B. (1968). Bystander intervention in emergencies: Diffusion of responsibility. Journal of Personality and Social Psychology, 8(4), 377–383. https://doi.org/10.1037/h0025589
  7. Herath, T., & Rao, H. R. (2009). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2), 154–165. https://doi.org/10.1016/j.dss.2009.02.005
  8. Meyer, J. P., & Allen, N. J. (1991). A three-component conceptualization of organizational commitment. Human Resource Management Review, 1(1), 61–89. https://doi.org/10.1016/1053-4822(91)90011-Z
  9. Thompson, R. F., & Spencer, W. A. (1966). Habituation: A model phenomenon for the study of neuronal substrates of behavior. Psychological Review, 73(1), 16–43. https://doi.org/10.1037/h0022681
  10. Furnell, S., & Thomson, K.-L. (2009). Recognising and addressing ‘security fatigue.’ Computer Fraud & Security, 2009(11), 7–11. https://doi.org/10.1016/S1361-3723(09)70139-3
  11. Amran, A., Zaaba, Z. F., & Mahinderjit Singh, M. K. (2018). Habituation effects in computer security warning. Information Security Journal: A Global Perspective, 27(4), 192–204. https://doi.org/10.1080/19393555.2018.1505008
  12. Bravo-Lillo, C., Cranor, L. F., Downs, J., & Komanduri, S. (2011). Bridging the Gap in Computer Security Warnings: A Mental Model Approach. IEEE Security & Privacy, 9(2), 18–26. https://doi.org/10.1109/MSP.2010.198
  13. Boutros, N., & Davis, T. (2022). Habituation: Definition, Examples, & Why It Occurs. The Berkeley Well-Being Institute. https://www.berkeleywellbeing.com/habituation.html
  14. Pignatiello, G. A., Martin, R. J., & Hickman, R. (2020). Decision fatigue: A conceptual analysis. Journal of Health Psychology. https://doi.org/10.1177/1359105318763510
  15. Salvagioni, D. A. J., Melanda, F. N., Mesas, A. E., González, A. D., Gabani, F. L., & Andrade, S. M. de. (2017). Physical, psychological and occupational consequences of job burnout: A systematic review of prospective studies. PloS One, 12(10), e0185781. https://doi.org/10.1371/journal.pone.0185781
  16. Samuelson, W., & Zeckhauser, R. (1988). Status quo bias in decision making. Journal of Risk and Uncertainty, 1(1), 7–59. https://doi.org/10.1007/BF00055564
  17. Fallahdoust, M. (2022). Nudges and Cybersecurity: Harnessing Choice Architecture for Safer Work-From-Home Cybersecurity Behaviour [Text, Carleton University]. https://curve.carleton.ca/92b0cf7c-8751-4587-be25-8baa920f4ea8

About the Authors

Lindsey Turk

Lindsey Turk is a Summer Content Associate at The Decision Lab. She holds a Master of Professional Studies in Applied Economics and Management from Cornell University and a Bachelor of Arts in Psychology from Boston University. Over the last few years, she’s gained experience in customer service, consulting, research, and communications in various industries. Before The Decision Lab, Lindsey served as a consultant to the US Department of State, working with its international HIV initiative, PEPFAR. Through Cornell, she also worked with a health food company in Kenya to improve access to clean foods and cites this opportunity as what cemented her interest in using behavioral science for good.

Dr. Brooke Struck

Dr. Brooke Struck is the Research Director at The Decision Lab. He is an internationally recognized voice in applied behavioural science, representing TDL’s work in outlets such as Forbes, Vox, Huffington Post and Bloomberg, as well as Canadian venues such as the Globe & Mail, CBC and Global Media. Dr. Struck hosts TDL’s podcast “The Decision Corner” and speaks regularly to practicing professionals in industries from finance to health & wellbeing to tech & AI.

Dan Pilat

Dan is a Co-Founder and Managing Director at The Decision Lab. He is a bestselling author of Intention - a book he wrote with Wiley on the mindful application of behavioral science in organizations. Dan has a background in organizational decision making, with a BComm in Decision & Information Systems from McGill University. He has worked on enterprise-level behavioral architecture at TD Securities and BMO Capital Markets, where he advised management on the implementation of systems processing billions of dollars per week. Driven by an appetite for the latest in technology, Dan created a course on business intelligence and lectured at McGill University, and has applied behavioral science to topics such as augmented and virtual reality.
