research-article

Can we sell security like soap?: a new approach to behaviour change

Authors:
Debi Ashenden

Cranfield University, Swindon, United Kingdom

Cranfield University, Swindon, United Kingdom
View Profile

,
Darren Lawrence

Cranfield University, Swindon, United Kingdom

Cranfield University, Swindon, United Kingdom
View Profile

NSPW '13: Proceedings of the 2013 New Security Paradigms WorkshopDecember 2013Pages 87–94https://doi.org/10.1145/2535813.2535823

Published:09 September 2013Publication History

NSPW '13: Proceedings of the 2013 New Security Paradigms Workshop

Pages 87–94

ABSTRACT

Many organisations run security awareness programmes with the aim of improving end user behaviours around information security. Yet behavioural research tells us that raising awareness will not necessarily lead to behaviour change. In this paper we examine the challenge of changing end user behaviour and put forward social marketing as a new paradigm. Social marketing is a proven framework for achieving behavioural change and has traditionally been used in health care interventions, although there is an increasing recognition that it could be successfully applied to a broader range of behaviour change issues. It has yet to be applied however, to information security in an organizational context. We explore the social marketing framework in relation to information security behavioural change and highlight the key challenges that this approach poses for information security managers. We conclude with suggestions for future research.

References

Action Fraud. 2012. The Devil's in Your Details {Online}. Available at: http://www.actionfraud.police.uk/thedevilsinyourdetails {Accessed 11th August, 2013}.Google Scholar
Action Fraud 2013. Pre-Campaign Surveys {Online}. Available at: http://www.actionfraud.police.uk/majority-of-women-feel-falling-victim-to-fraud-is-inevitable-according-to-new-study {Accessed 11th August, 2013}.Google Scholar
Adams, A. and Sasse M. A. 1999. Users are not the enemy, Communications of the ACM. 42(12), 40--46. Google ScholarDigital Library
Albrechtsen, E., 2007. A qualitative study of users' view on information security, Computers & Security. 26, 276--289.Google ScholarDigital Library
Andreason, A. R., 2006. Social Marketing in the 21st Century. California, Sage.Google Scholar
Andreason, A. R. and Herzberg, B. 2005. Social Marketing Applied to Economic Reforms, Social Marketing Quarterly, 11:2, 3--17.Google ScholarCross Ref
Burton, E. 2008. Report into the Loss of MOD Personal Data: Final Report. London, MOD.Google Scholar
Click it or Ticket 2013. Click it or Ticket {Online}. Available at: http://www.texasclickitorticket.com {Accessed 11th August, 2013}.Google Scholar
Coles-Kemp, L. and Ashenden, D. 2012. Community-centric engagement: lessons learned from privacy awareness intervention design, Proceedings of HCI 2012 -- People & Computers XXVI, Birmingham, UK, 12--14 September 2012.Google Scholar
Data Handling Procedures In Government: Final Report. 2008. London, Cabinet Office.Google Scholar
Data Security in Financial Services. 2008. London, Financial Services Authority.Google Scholar
Desai, D., 2009. Role of Relationship Management and Value Co- Creation in Social Marketing. Social Marketing Quarterly, 15:4, 112--125.Google ScholarCross Ref
Drevin, L., Kryger, H.A. and Steyn, T. 2007. Value-focused assessment of ICT security awareness in an academic environment, Computers & Security, 26, 36--43.Google ScholarDigital Library
Fogg, B. J., 2002. Persuasive technology: using computers to change what we think and do, Ubiquity, 2002, December, 5, 89--120. Google ScholarDigital Library
Fogg, B. J., 2009. Creating persuasive technologies: an eight-step design process, Persuasive '09, Proceedings of the 4th International Conference on Persuasive Technology, Article No. 44. Google ScholarDigital Library
French, J. and Blair-Stevens, C. 2010. Key Concepts & Principles of Social Marketing, in French, J., Blair-Stevens, C., McVey, D. and Merritt, R. (eds). Social Marketing & Public Health: Theory & Practice, Oxford, OUP.Google Scholar
French, J., Merritt, R. and Reynolds, L. 2011. Social Marketing Casebook,. London, Sage.Google Scholar
Garg, V. and Camp, J., 2013. Heuristics and Biases: Implications for Security Design, IEEE Technology and Society Magazine, Spring, 73--79.Google Scholar
GCHQ. 2011. IISS Cyber Speech {Online}. Available at: http://www.gchq.gov.uk/Press/Pages/IISS-CyberSpeech.aspx {Accessed 11th August, 2013}.Google Scholar
Gonzalez, J.J. and Sawicka, A. 2002. A framework for human factors in information security, WSEAS International Conference on Information Security, Rio de Janeiro.Google Scholar
Hastings, G. 2007. Social Marketing: Why should the devil have all the best tunes?, Oxford, Elsevier.Google Scholar
Hastings, G., MacFadyen, L. and Anderson, S. 2010. Whose behavior is it anyway? The broader potential of social marketing, Social Marketing Quarterly 6:2, 46--58.Google ScholarCross Ref
Heider, F. 1958. The Psychology of Interpersonal Relations. New York, Wiley.Google Scholar
Helokunnas, T. and Kuusisto, R. 2003. Information Security Culture in a Value Net, Managing Technologically Driven Organizations: The Human Side of Innovation and Change, IEEE, 190--194.Google Scholar
Herley, C. 2010. So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users, NSPW '09, 133--144. Google ScholarDigital Library
Kotler and Zaltman 1971. Social Marketing: An Approach to Planned Social Change, Journal of Marketing, Vol 35, 3--12.Google ScholarCross Ref
Kotler, P. and Lee, N. R. 2008. Social Marketing: Influencing Behaviors for Good (3rd edn), London, Sage.Google Scholar
Levitt, T. 1960. Marketing Myopia, Harvard Business Review, 38, July-Aug, 29--47.Google Scholar
McKenzie-Mohr, D. 2011. Fostering Sustainable Behaviour: An Introduction to Community-Based Social Marketing, (3rd edn), New Society Publishers.Google Scholar
McVey, D., Crosier, A. and Christopoulos, A. 2010. Evaluation in in French, J., Blair-Stevens, C., McVey, D. and Merritt, R. (eds). Social Marketing & Public Health: Theory & Practice, Oxford, OUP.Google Scholar
Munton, A. G., Silvester, J., Stratton, P. and Hanks, H. 1999. Attributions in Action: A Practical Guide to Coding Qualitative Data, Chichester, Wiley.Google Scholar
National Fraud Authority 2013. Awareness & Behaviour Change in the UK {Online}. Available at: http://korrupciomegelozes.kormany.hu/download/a/15/60000/Budapest%2019%20Mar%20Main%20Pres.pdf {Accessed 11th August, 2013}.Google Scholar
Potter, I., 2007, New Zealand Herald.Google Scholar
Poynter, K. 2008. Review of information security at HM Revenue and Customs: Final Report. London, HMSO.Google Scholar
Prochaska, J. O. 1992. In Search of How People Change: Applications to Addictive Behaviours, American Psychologist, Vol 47, No 9, 1102--1114.Google ScholarCross Ref
Project Bernie. 2013. Project Bernie {Online}. Available at: http://www.bernie.uk.com/ {Accessed 12th April 2013}Google Scholar
Rader, E., Wash, R. and Brooks, B., 2012. Stories as Informal Lessons about Security, Symposium on Usable Privacy and Security (SOUPS), July 11--13, 2012, Washington, DC, USA. Google ScholarDigital Library
Silvester, J. 2004. Attributional Coding, in Cassell, C. and Symon, G. (eds.) Essential Guide to Qualitative Methods in Organizational Research, London, Sage.Google Scholar
Siponen, M.T. 2000. A conceptual foundation for organizational information security awareness, Information Management & Computer Security, 8(1), 31--41.Google ScholarCross Ref
Siponen, M.T. 2001. Five dimensions of information security awareness, ACM SIGCAS Computers and Society, 31(2), 24--29. Google ScholarDigital Library
Stanton, J.M., Stam, K.R., Mastrangelo, P. and Jolton, J. 2005. Analysis of end user security behaviors, Computers & Security, 24(2), 124--133.Google ScholarDigital Library
Taylor, S. 2007. Attitudes, in Langdridge, D. and Taylor, S. (eds.) Critical Readings in Social Psychology, Maidenhead, OUP.Google Scholar
Thaler, R. H. & Sunstein, C. R. 2009. Nudge, London, Penguin.Google Scholar
Thomson, M.E. and Solms, R. V. 1998. Information security awareness: educating your users effectively, Information Management & Computer Security, 6(4).Google Scholar
Truth. 2013. Truth {Online}. Available at: http://www.thetruth.com/about/ {Accessed 11th August, 2013}Google Scholar

Index Terms

Can we sell security like soap?: a new approach to behaviour change
1. Security and privacy
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

The impact of information richness on information security awareness training effectiveness

In recent years, rapid progress in the use of the internet has resulted in huge losses in many organizations due to lax security. As a result, information security awareness is becoming an important issue to anyone using the Internet. To reduce losses, ...
Read More
Persona-driven information security awareness
HCI '16: Proceedings of the 30th International BCS Human Computer Interaction Conference: Companion Volume

Because human factors are a root cause of security breaches in many organisations, security awareness activities are often used to address problematic behaviours and improve security culture. Previous work has found that personas are useful for ...
Read More
Rebooting IT Security Awareness – How Organisations Can Encourage and Sustain Secure Behaviours
Computer Security. ESORICS 2022 International Workshops
Abstract
Most organisations are using online security awareness training and simulated phishing attacks to encourage their employees to behave securely. Buying off-the-shelf training packages and making it mandatory for all employees to complete them is ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
NSPW '13: Proceedings of the 2013 New Security Paradigms Workshop
December 2013
132 pages
ISBN:9781450325820
DOI:10.1145/2535813
General Chairs:
Mary Ellen Zurko
Cisco Systems, USA
,
Konstantin Beznosov
University of British Columbia, Canada
,
Program Chairs:
Tara Whalen
Carleton University, Canada
,
Tom Longstaff
NSA, USA
Copyright © 2013 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 9 September 2013
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
behavioural change
information security
security awareness
social marketing
Qualifiers
- research-article
Conference

Acceptance Rates
NSPW '13 Paper Acceptance Rate11of32submissions,34%Overall Acceptance Rate62of170submissions,36%
More
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 16
  Total Citations
  View Citations
- 582
  Total Downloads
- Downloads (Last 12 months)65
- Downloads (Last 6 weeks)8
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Can we sell security like soap?: a new approach to behaviour change

NSPW '13: Proceedings of the 2013 New Security Paradigms Workshop

ABSTRACT

References

Cited By

Index Terms

Recommendations

The impact of information richness on information security awareness training effectiveness

Persona-driven information security awareness

Rebooting IT Security Awareness – How Organisations Can Encourage and Sustain Secure Behaviours