How to influence behaviour change in cybersecurity

24 Sep 2019

Cybercriminals are increasingly exploiting people’s psychological vulnerabilities to execute cyber attacks.

The Human-Centre Security report by the ISF identifies the ways in which attackers are using social power to manipulate targets into making errors that can be exploited for malicious purposes.

If one thing is clear, it’s this: people can be either the weakest or the strongest link in the cybersecurity chain.

While an organisation might have the most robust security strategy in place, if its people are not educated on internal security policies or motivated to employ best practice, then the strategy is meaningless.

That’s where cybersecurity awareness comes into play. But awareness is only part of the solution.

Security demands a people-centric approach that puts behaviour change at the centre of the solution.

As a partner, you can help educate your customers on how they can influence behaviour change to create a security culture that mitigates risks associated with human error and manipulation.

Security Awareness Training

People: the last line of defence

To effectively fight against cyber-attacks, it’s important to understand how attackers target the human psyche.

The Human-Centre Security report identifies a number of cognitive biases that can make people vulnerable to attack.

By understanding these biases and the methods by which attackers seek to exploit them, organisations can deconstruct and analyse real-world scenarios to mitigate risk.

In Australia alone, the latest national figures identify human error as the second leading cause of data breaches.

How to make friends and influence cybersecurity behaviour

While malicious or criminal attacks accounted for the largest number of breaches, several incidents exploited vulnerabilities involving a human factor. This included individuals clicking on a phishing email or disclosing their credentials.

People are the last line of cyber defence. And with attackers going to great lengths to exploit human instincts, now is the time for organisations to ramp up efforts to turn their people into their greatest security assets.

The need for visibility

You can’t secure what you can’t see. This mantra rings true, especially in the context of cybersecurity.

Before considering behaviour change, organisations need to gain visibility from an individual user point of view. This means being able to identify who could be attacked, how they could be attacked and the potential risks, so the right-sized controls can be implemented.

Gaining visibility also means being able to identify where users lack the skills required to implement cybersecurity policies.

Download our eBook, Securing the unknown with visibility and control, to learn about Arrow’s approach to security and how you can deliver visibility and control to underpin organisational security.

How to influence change

There are a number of ways organisations can influence behaviour change when it comes to cybersecurity.

Implementing a security awareness training program is critical, but its content and delivery is what really counts.

Here are some tips for delivering an effective security awareness training program to influence behaviour change.

Set realistic goals

Organisations should clearly define the goals of their security awareness training program in order to establish a baseline level of knowledge.

This means defining the goals in terms of behaviour changes relevant to specific security risks.

Organisations should be careful not to list what they want to do (i.e. the security training) but instead focus on the outcome they want to achieve (i.e. the behaviour change).

Know your audience

Influencing behaviour change requires a deep level of understanding of the people you are targeting and their motivational drivers.

When it comes to cybersecurity, the reality is people care more about their personal security than they do about organisational security.

One way to create targeted content in this respect would be to highlight relevant topics around privacy, cyber bullying and internet safety, noting how it affects those individuals and their families.

By understanding a person’s motivational drivers, organisations can humanise cybersecurity to create relatable messaging that strikes a chord and makes people take notice.

Collaborate across departments

Involving other departments in a security awareness training program is a great way to gain extra support, buy-in and influence.

There are countless benefits:

  • Diversity of thought and ideas in relation to the training content
  • Resources to assist with content creation, engagement and delivery
  • Funding and influence, especially if the C-level is involved.

By involving other departments – such as marketing, legal and human resources – organisations can foster collaboration to create a cross-functional team of trusted security advisers.

Master the art of storytelling

It’s one thing to create compelling content, but it’s another thing to deliver it in a way that is engaging and provides long-lasting impact.

By mastering the art of storytelling, organisations can deliver engaging cybersecurity messaging to drive education and behaviour change.

A communications plan is a good place to start. And, with the marketing team on your side, there’ll be more scope to produce creative, engaging and relevant content.

The communications plan could comprise a combination of elements, from screensavers, blogs and posters to real-world phishing simulations, games and video.

Watch your language

Keep an eye on the language and tone used in cybersecurity awareness training.

Aim to be the department of ‘how’ as opposed to the department of ‘no’.

Use language that empowers rather than restricts. For example, rather than telling people what not to do, use language around what they can do to employ safe cyber practices.

Avoid using language that spreads fear or that might insult people’s intelligence. Remember that not all people come from a technical background.

At the same time, be sure to use simple, easy-to-digest messaging that allows for on-the-spot, easy and informed decision making.

Measure success

Last but not least, measure success: pre- and post-awareness training.

This could include anything from surveys, phishing simulation tools as well as the number of security incidents reported.

The partner opportunity

Cybersecurity requires a holistic approach that puts people at the heart of the solution.

As a channel partner, you can add value to your customers by educating them on security awareness training that focuses on people to influence behaviour change.

Not only will you help your customers to raise a strong cybersecurity culture to effect positive change, but you’ll raise your profile as a trusted advisor in the process.


Arrow is playing a key role in helping partners and their customers counter the challenges of cybersecurity.

Our approach to security starts with visibility. After all, you can’t secure what you can’t see.

Download our eBook to learn how you can grow your cybersecurity advantage with visibility and control.