People and Security: Understanding the Psychology of Information Risk

Winning hearts and minds can change behaviors and attitudes among employees and executive staff

Over the past few decades, organizations have spent billions of dollars on information security and risk awareness activities. The logic behind this approach was to take their biggest asset – people – and change their behavior, thus reducing risk by providing them with knowledge of their responsibilities and what they need to do. But instead of simply making people aware of their security responsibilities, and how they should respond, organizations of all sizes need to embed positive security behaviors that will result in “stop and think” becoming a habit.

Continuing to do more of the same, in terms of merely promoting awareness, is not a viable option. But neither is doing nothing. A new approach is required if organizations want their people to become their strongest control. The opportunity to shift away from awareness to tangible behaviors has never been greater. There is an acute focus on good governance and risk management: the C-suite becomes more cyber-savvy every day, and regulators and stakeholders continually push for stronger governance, particularly in the area of risk management.

Moving to behavior change will provide the chief information security officer (CISO) with the ammunition needed to give positive answers to questions that are likely to be posed by the CEO and other members of the senior management team. These include:

  • If the worst happens, can we honestly tell our customers, partners and regulators that we are doing the right thing?
  • Does our program prepare us for the future?
  • Exactly what are we doing to embed the protection of our information assets into our culture?

But before we discuss how to successfully implement organizational behavioral changes, we need to understand the psychology of information risk. There are three types of psychology that impact the way people learn: behavioral psychology, cognitive psychology and neuropsychology.

Behavioral Psychology:

  • Context provides the stimuli for behavior
  • Behavior is everything that people do. This includes actions, thoughts, feelings and attitudes
  • Consequences of behavior increase or decrease the likelihood of that behavior occurring again
  • Understanding context and managing consequences is key to changing behavior

Cognitive Psychology:

  • Working memory has limited capacity
  • Long-term memory stores information in complex networks, which are strengthened by contextual meaning
  • Evaluation processes are required to demonstrate progress and strengthen cognitive networks
  • The key principle is continued practice of the activities that comprise the desired skill, coupled with timely feedback

Neuropsychology:

  • The brain is composed of complex mental maps, which shape how we see and interact with the world
  • Behavioral change requires experiencing “key moments” which change these mental maps
  • Continued focus on the new mental maps makes these more stable over time, which leads to new, stable neural structure

Unfortunately, instituting behavior change is not easy – everyone has their own unique characteristics and habits, some of which are hard to change. It is therefore helpful to understand why, so let’s take a look at a few of the key principles designed to help businesses embed positive information security behaviors within their organizational structure.

Let Risk Drive Solutions

Solutions should be driven by the need to manage information risk. As a consequence, it is critical to define solutions based on an organization’s risk assessments together with the risk profiles of its people. This will help to target resources at the highest risks, while recognizing that a solution to protect high value information assets and critical infrastructure may not be necessary for those people who do not have access to them.

Using risk to drive solutions also helps with:

  • Measuring progress against a strong baseline. Information can be collected from a number of sources, such as: observed behaviors; responses to exercises such as simulated phishing tests; and what actually happened on the ground if and when an incident did occur. These can all be expressed in terms of business risk and compared to target behaviors
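The bullet above describes pooling several evidence sources (observed behaviors, simulated-phishing responses, real incidents), expressing them in terms of business risk and comparing them with a baseline and with target behaviors. The following Python is an added illustration, not code from the original article: it assumes a constructed risk weight and target failure rate per population group, and pools the constructed observations of each group into a failure rate that is then risk-weighted, compared with the target, and tracked against a baseline period.

```python
# Added example (not from the article): expressing observed security behaviors
# as risk-weighted metrics and comparing them with a baseline and a target.
# All groups, weights, targets and observations below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One measurement of a population segment from one evidence source."""
    group: str      # population segment from the risk profile, e.g. "finance"
    source: str     # "phishing_sim", "observed" or "incident"
    trials: int     # opportunities to show the desired behavior
    failures: int   # times the undesired behavior occurred instead


# Constructed risk weights per group (from a hypothetical risk assessment:
# finance handles payments, so its failures matter most).
RISK_WEIGHT = {"finance": 5, "engineering": 3, "reception": 1}

# Constructed target failure rates per group (the desired behavior level).
TARGET_RATE = {"finance": 0.02, "engineering": 0.05, "reception": 0.10}


def failure_rates(observations):
    """Pool every evidence source per group into one failure rate.
    Groups with no trials are omitted rather than reported as zero risk."""
    trials, failures = {}, {}
    for o in observations:
        trials[o.group] = trials.get(o.group, 0) + o.trials
        failures[o.group] = failures.get(o.group, 0) + o.failures
    return {g: failures[g] / n for g, n in trials.items() if n > 0}


def weighted_risk(observations):
    """Failure rate x risk weight: the behavior expressed as business risk."""
    return {g: r * RISK_WEIGHT[g] for g, r in failure_rates(observations).items()}


def weighted_gap(observations):
    """Distance from the target behavior, risk-weighted.
    Positive means the group is worse than its target."""
    return {g: (r - TARGET_RATE[g]) * RISK_WEIGHT[g]
            for g, r in failure_rates(observations).items()}


def prioritize(observations):
    """Groups ordered by weighted gap, largest first: where to spend effort."""
    return sorted(weighted_gap(observations).items(),
                  key=lambda kv: kv[1], reverse=True)


def progress(baseline, current):
    """Change in weighted risk since the baseline; negative is improvement."""
    before, after = weighted_risk(baseline), weighted_risk(current)
    return {g: after[g] - before[g] for g in before if g in after}


# Constructed baseline period: phishing simulations, observed behavior
# (e.g. clear-desk checks) and real incidents, per group.
BASELINE = [
    Observation("finance", "phishing_sim", 150, 20),
    Observation("finance", "observed", 48, 3),
    Observation("finance", "incident", 2, 2),   # each incident is a failed trial
    Observation("engineering", "phishing_sim", 200, 20),
    Observation("engineering", "observed", 50, 5),
    Observation("reception", "phishing_sim", 40, 8),
    Observation("reception", "observed", 10, 2),
]

# Constructed later period, after targeted interventions.
CURRENT = [
    Observation("finance", "phishing_sim", 200, 8),
    Observation("finance", "observed", 50, 2),
    Observation("engineering", "phishing_sim", 200, 12),
    Observation("engineering", "observed", 50, 3),
    Observation("reception", "phishing_sim", 40, 4),
    Observation("reception", "observed", 10, 0),
]

if __name__ == "__main__":
    for group, gap in prioritize(CURRENT):
        print(f"{group:12s} weighted gap to target: {gap:+.3f}")
    for group, delta in progress(BASELINE, CURRENT).items():
        print(f"{group:12s} change in weighted risk: {delta:+.3f}")
```

With the constructed data, finance still sits above its target and tops the priority list even though its raw click rate fell the most, because its risk weight is highest; reception has met its target and drops off. A group with no observations in a period is left out of the scores rather than shown as zero risk, so a gap in data collection is not mistaken for good behavior.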