Human Cyber Risk Management by Security Awareness Professionals: Carrots or Sticks to Drive Behaviour Change?

Conference paper
HCI for Cybersecurity, Privacy and Trust (HCII 2020)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 12210)

Abstract

Cyber crime is rising at an unprecedented rate. Organisations are spending more than ever combating the human element through training and other interventions, such as simulated phishing. Organisations employ “carrots” (rewards) and “sticks” (sanctions) to reduce risky behaviour. Sanctions (such as locking computers and informing one’s line manager) are problematic as they lead to unintended consequences for employee trust and productivity. This study explored how organisations use rewards and sanctions both in their campaigns generally and specifically following simulated phishing. We also assessed which factors (such as control over rewards and the tendency to blame users) influenced security awareness professionals’ use of rewards and sanctions. The findings revealed that organisations use a variety of rewards and sanctions within their campaigns, with sanctions being used in 90% of the organisations. We did not find any factors that influence security awareness professionals’ usage of rewards and sanctions. Our findings suggest the need for greater consideration of the human element of cyber security. In particular, campaigns should take a more informed approach to the use of behaviour change strategies, one that considers the organisational structure in which they are implemented and the role (and influence) of security awareness professionals within that structure.



Acknowledgements

This work was funded by the Centre for Research and Evidence on Security Threats (ESRC Award: ES/N009614/1).

Correspondence to John M. Blythe.

Appendices

Appendix A

Behaviour Change Strategies Scale

To the best of your knowledge, has your organisation used any of the following within the last 12 months when it comes to managing human cyber risk and resilience? (Yes/No/I Don’t know)

  • Publicly recognised an employee as a security advocate (e.g. in an organisational newsletter, email etc.)

  • Given gifts to employees (e.g. prize draw, vouchers, time off)

  • Informed an employee’s line manager of risky behaviour (e.g. non-course completion, failing a phishing test)

  • Certificates of completion (e.g. awareness course completion)

  • Required an employee to sit/resit e-learning following assessment results

  • Named and shamed an employee for risky behaviour

  • Had a 1:1 with employees who have failed security awareness assessments

  • Required an employee to attend an in-person security awareness workshop

  • Issued an employee with a disciplinary warning

  • Locked an employee’s work station until security awareness training is complete

  • Decreased an employee’s privileged access

  • Other (please specify): ___________________

Appendix B

Attitudes Towards Users Scale

Please indicate the extent to which you agree with the following statements (Strongly Agree - Strongly Disagree)

  • It is the responsibility of individual employees to avoid clicking on phishing links

  • Employees who click on simulated phishing links should be punished

  • It is wrong to blame employees who click on simulated phishing links

Perceived Consequences of Simulated Phishing

Please indicate the extent to which you agree with the following statements (Strongly Agree - Strongly Disagree)

  • Our simulated phishing policy is damaging to employee morale

  • My organisation’s simulated phishing policy harms the relationship between our company and its employees

  • Employee satisfaction suffers because of my organisation’s simulated phishing policies

  • Employees feel ‘tricked’ when our organisation sends them simulated phishing emails

  • Our simulated phishing policy is damaging to employee productivity


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Blythe, J.M., Gray, A., Collins, E. (2020). Human Cyber Risk Management by Security Awareness Professionals: Carrots or Sticks to Drive Behaviour Change? In: Moallem, A. (ed.) HCI for Cybersecurity, Privacy and Trust. HCII 2020. Lecture Notes in Computer Science, vol. 12210. Springer, Cham. https://doi.org/10.1007/978-3-030-50309-3_6

  • DOI: https://doi.org/10.1007/978-3-030-50309-3_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-50308-6

  • Online ISBN: 978-3-030-50309-3
