Can we sell security like soap?: a new approach to behaviour change

ABSTRACT
Many organisations run security awareness programmes with the aim of improving end user behaviours around information security. Yet behavioural research tells us that raising awareness will not necessarily lead to behaviour change. In this paper we examine the challenge of changing end user behaviour and put forward social marketing as a new paradigm. Social marketing is a proven framework for achieving behavioural change and has traditionally been used in health care interventions, although there is an increasing recognition that it could be successfully applied to a broader range of behaviour change issues. It has yet to be applied, however, to information security in an organisational context. We explore the social marketing framework in relation to information security behavioural change and highlight the key challenges that this approach poses for information security managers. We conclude with suggestions for future research.