Soft skills are a hot topic in information security. You’ll see a lot of articles, blogs and talks on the subject. I’d like to go a little deeper – beyond the basics of soft skills and talk about a concept from communication theory that can be used to achieve behavior change – efficacy. Efficacy is the ability to achieve a desired effect. In risk communication, the desired effect is the reduction of risks and that’s the approach covered here. I'll be focusing on two types of efficacy: self- and response efficacy. Self-efficacy refers to the audience's belief that they can actually perform the recommended action. Another aspect of this that comes into play for infosec risks is the perception that the action is necessary. People often lack motivation to address their security risks. Increasing self-efficacy may require persuading the audience that they need to address the risks before persuading them that they have the ability to do so. Here's how I see the process from risk perception to high self-efficacy:
You are at risk > This is actually your problem > Here's what you do > You got this (self-efficacy)
Perceptions of self-efficacy are linked to the resources needed to complete a given action: finances, time, personal qualities, etc. What resources does your audience have, particularly which do they have in abundance, and how can they be used to compensate for resources they lack? It's about empowering your audience to take the action despite the constraints. Perceptions of self-efficacy can be increased by 1) just telling people that they can do it; 2) linking the protective action to things that they've already done; and 3) showing them clearly how to do the protective action (Bandura, 1977; Rimal, 2000). Liken an incident response plan to the plans they already have in case of a fire; link regular security audits to quarterly performance reviews. Lessen the uncertainty of information security issues by focusing on similarities to more familiar actions and situations. Response efficacy is the belief that the recommended action will actually reduce the risk or mitigate damage. If you don't think that the recommended action is going to actually protect you from harm, why do it? Think about PSAs using statistics to convince you that wearing a seatbelt will reduce your risk of injury – they’re trying to change your perceptions of response efficacy. Trust is a major factor: trust in the organization or individual advocating the action, and trust in the system underlying or supporting the action. Someone who doesn't get a flu shot every year because they say it doesn't actually protect you from the current strain has low response efficacy. When you've successfully made the audience accept that they're at risk, their next question will be, "What do I do?" If you can't clearly answer that question, the audience may lose trust and feel more fear and uncertainty. This is a bit of a problem for infosec. People are not as familiar with the actions for reducing infosec risks, and there are a lot of mixed messages on the topic.
To most people, it seems like we can’t even agree on what a “good” password is. This can lower the trust people have in any recommendation they get on how to be more secure. To increase response efficacy, try to break the behavior down into simpler, manageable bits and focus more on what makes the recommended behavior effective. Why is this the best action for the given situation? Put it in terms that resonate with the audience. What is their biggest concern, and how does the protective action address that concern? This has been a quick look at how efficacy might help improve infosec communication and just a peek at how communication tactics and theories can support information security goals. For more, you can find Claire’s blog here. Or, if you are attending BSides Delaware on November 11, you can hear me talk about this subject in more detail. Find out more here.
About the Author: Claire Tills recently received her M.A. in Communication from the University of Maryland. With a professional background in technology and security public relations, her research focuses on the communicative side of information security. She applies communication theories to InfoSec issues with the goal of advocating security to a variety of end users and improving resilience after InfoSec crises like data breaches.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.