Cybersecurity Awareness Campaigns. Why Do They Fail to Change Behaviour?
This paper, published in the journal of the International Conference on Cyber Security for Sustainable Society 2015, focuses on Cyber Security Awareness Campaigns. The authors, Dr Maria Bada, research fellow at the Global Cyber Security Capacity Centre, Professor Angela Sasse from the Department of Computer Science at UCL, and Dr Jason R. C. Nurse, researcher at Cyber Security Oxford, aims to identify key factors regarding security which may lead them to failing to appropriately change people’s behaviour.
Past and current efforts to improve information-security practices and promote a sustainable society have not had the desired impact. It is important therefore to critically reflect on the challenges involved in improving informationsecurity behaviours for citizens, consumers and employees. In particular, this paper considers these challenges from a psychology perspective, as the authros believe that understanding how people perceive risks is critical to creating effective awareness campaigns. Changing behaviour requires more than providing information about risks and reactive behaviours – firstly, people must be able to understand and apply the advice, and secondly, they must be motivated and willing to do so – and the latter requires changes to attitudes and intentions. These antecedents of behaviour change are identified in several psychological models of behaviour.
The authors review the suitability of persuasion techniques, including the widely used ‘fear appeals’. From this range of literature, they extract essential components for an awareness campaign as well as factors which can lead to a campaign’s success or failure. Finally, the paper presents examples of existing awareness campaigns in different cultures (the UK and Africa) and reflect on these.