Is cyber risk behaviour neurologically based?

Recently someone asked about using incentives to increase cyber security awareness in the workplace. Over 20 years, we’ve seen the cyber safety messages remain basically the same. I suspect a lot of people now know what actions to avoid. However, knowing is one thing... doing is something else entirely.

Fundamentally – and in so many areas for life – humans often don’t do what they know is good for them, nor do they always avoid known risks. Why?

I'm convinced the disconnect between awareness and behavioural change is a function of the lack of proximity between risk action and risk consequence, which is essentially how evolutionary pressures shaped our cognitive and limbic (fight or flight) response to threats.

A 2014 neuroimaging study* showed that the brains of risk-taking teens differed from those of a control group in areas governing the emotional response to danger. To me this is a clue that we need to look way beyond simply the mantra of more awareness raising if we want to modify online behaviour.

Having served on many government taskforces over the years, I became increasingly frustrated with the lack of sophistication in the approach to modifying online behaviours. For the money that’s been spent, and the column inches of media print that have been consumed with each new cyber attack, seriously – if mere awareness raising was going to work, it would have worked by now.

The cyber world is an analogue for the real world. But it’s a poor analogue. One of the reasons it’s poor (and not because it’s digital) is that it fails to ignite what we might call the risk/consequence dynamic. According to my hypothesis, this is because of the absence of proximate (you could say, visible, perceptible or obvious) cause-effect relationships.

This explains why people give away personal information on social media, use weak passwords or many of the other things they know they shouldn't. Often the lack of proximity is also temporal – there’s a delay between the loss of say personal data and a subsequent abuse of that data. So we don’t make the association in a way that can entrench new and safer behaviours. When the dots are too far apart, we fail to see the connections.

Organisations are also analogues – modern day extensions of the physical environment in which we evolved to navigate risk. Organisational environments can definitely affect behaviour, and for a class of personality types rewards and deterrents will work. But now that we demand 100% compliance with security policies (on the basis that a single breach can cripple an entire organisation) how do we align organisation-wide training strategies with individual risk responses and how can training adapt to meet these variations?

More and more I’m coming to the view that until we understand the neurology of risk behaviour we won’t even begin to understand its psychology.

And without a deep understanding of its psychology we cannot hope to see behavioural change of the type and extent that will move organisations out of the danger zone.

So returning to the initial question (can incentives induce awareness raising?), it’s probably too simplistic an approach to rely on completely. It’s one possible strategy amongst a myriad of possible behavioural drivers, which will be more or less effective depending on the individuals concerned.

It’s time for a revolutionary shift in our thinking about cyber risk management. Doing more of something that doesn’t really work isn’t the answer. We need to return to the fundamentals of human behaviour and apply the learnings from other disciplines.

I’m not suggesting we subject all internet users to MRI scans to see if they are carrying risky brains. I am saying we have to stop looking at populations as homogeneous and start targeting strategies and messages in a way that is more scientific and effective. We need more and better research on cyber risk behaviour, and accounting for individual risk propensities might just be a good place to start.


*Samuel J. DeWitt, Sina Aslan, Francesca M. Filbey. Adolescent risk-taking and resting state functional connectivity. Psychiatry Research: Neuroimaging, 2014; 222 (3): 157. DOI: 10.1016/j.pscychresns.2014.03.009
