Behaviour and Risk Selection
Oz Alashe MBE, CEO, CybSafe
Dr. John Blythe, Head of Behavioural Science, CybSafe
Why are interventions failing?
Message fatigue
Fear and scare tactics
Scatter gun approach
Lack of meaningful metrics
Interventions not addressing the right barriers
Understanding behaviours
What is the problem?
What are the relevant behaviours?
What is influencing the target behaviour?
Behavioural Risks
The behavioural problem
Being specific about:
What risks you are tackling
The mitigating behaviour(s)
The target individual or group
Account Compromise
Malware Infection
Data Leak
Fraud & Identity Theft
Data Theft
"Systems" of behaviour
[Diagram legend: individual, target behaviour, influencing behaviour]
Individual: James
Target behaviour: Using a password manager
Influencing behaviours:
Information security officer: Restricts use of password managers
Manager: Not using password manager
Colleague: Shares password through password manager
Needs access to work system
Prioritising Behaviours
Primary criteria
1. Impact (on security risks)
2. Likelihood of change
Supporting criteria
1. Behavioural spillover
2. Suitability
3. Ease of measurement
Adapted from Michie, S., Van Stralen, M. M., & West, R. (2011). The behaviour change wheel: a new method for characterising and designing behaviour change interventions. Implementation science, 6(1), 42.
The security behaviours database v1
Behaviour categorisation & risk mapping.
Security behaviour prioritisation support.
Case studies
How was SebDB developed?
Co-designed & continually developed.
Academic literature review.
Reference to guidance and standards, published by NCSC, ISO & others.
SebDB panel of academic, government and industry experts.
Iteratively designed.
Using SebDB: Behaviour <> Impact
70+ behaviours
Group by: Category, Risk-related outcomes
Ranked by priority (impact on risk)
See how behaviours link to different risks
Account Compromise
Malware Infection
Data Leak
Fraud & Identity Theft
Data Theft
Using SebDB: As part of your behavioural toolkit
What is the problem?
What are the relevant behaviours?
What is influencing the target behaviour?
Using SebDB: Design interventions
Produce a step by step video guide
Prize draw
Free password manager service for use at home
Intuitive password manager
Tone from the top
Using a password manager
Michie, S., Van Stralen, M. M., & West, R. (2011). The behaviour change wheel: a new method for characterising and designing behaviour change interventions. Implementation science, 6(1), 42.
Using SebDB: Iterate
UNDERSTAND
EVALUATE & REFINE
DESIGN
SebDB: Coming Soon
Behavioural metrics and data sources
Behavioural insights
Industry and role specific insights
What is the community saying?
"Using SebDB as a way to help us make sure it's up to date and relevant for our planning of next year's awareness offering. Having one place to see all the behaviours does help focus the mind".
"I really like the community aspect".
"I like how it includes physical risks, as well as cyber, as some CISOs don't consider the physical side".
"The body of knowledge is fantastic...".
Community
For the community, by the community.
Join us.
Any Questions?
https://www.cybsafe.com/research/security-behaviour-database/