Behavioral Theories in Security Compliance – Defining the People Problem

19th February, 2019


The concept of information security has been used interchangeably with that of cybersecurity in recent times when analysing the cybercrimes that are a major concern in society today. However, the two interconnected fields differ subtly in what they contribute to the study of risk, and the different meaning of the term “data” in information security and in cybersecurity is pivotal to the discussion that follows.

For example, information security aims at securing any form of “data”, whether electronic or on paper, by implementing measures and systems designed to protect and safeguard that data through various forms of technology. Conversely, the precautions and measures taken to guard against internet crimes that involve unauthorised access to data in its electronic form are known as cybersecurity.

The figure below illustrates the relevance of Cybersecurity as a subset of the larger area of information security.


Core Concepts – People, Process and Technology

A recurring misconception about cybersecurity is that it is all about technology, both hardware and software. Although technology is an integral part of cybersecurity, technology alone cannot safeguard against the current cyber threat vectors and landscape. Cybersecurity consists of technologies, processes and measures that are designed to protect individuals and organisations from cybercrime. Additionally, effective cybersecurity requires a robust information security management system (ISMS) built on three pillars: People, Process and Technology.

The figure below briefly outlines the interaction between the three pillars of cybersecurity. It shows that even when an organisation invests in technology, if it has not implemented effective processes such as management systems and IT audits, and has not allocated sufficient resources to training staff and employees on that technology and those processes, the risk of a cybersecurity incident increases significantly.


Processes: Cybersecurity strategies should ideally be aligned to the organisation’s processes, as these define how the organisation’s activities, roles and documentation are used to mitigate the risks to its information. Processes also need to be reviewed continually, because the nature of cyber threats is continuously evolving, which in turn requires people to be aware of and up to date with the changes.

Technology: Technology is an important aspect of cybersecurity. The cyber risks an organisation identifies for itself allow relevant controls to be put in place, and those controls are further assisted by integrating technologies that prevent or reduce the impact of the risks.

People: The People aspect of the PPT triad is conveniently divided into two key components.

Firstly, it is important for all stakeholders in the business to be aware of their role in preventing and reducing cyber threats, whether that is handling sensitive data, knowing how to spot phishing emails or using BYOD safely.

Secondly, in the case of specialised technical cybersecurity staff, keeping their skills and qualifications up to date, so that appropriate controls, technologies and practices are implemented to prevent cyber threats, is essential to an organisation’s ability to mitigate and respond to cyber-attacks.

In both cases, security awareness programs help individuals and teams to respond to cyber threats. However, a growing body of literature asserts that a more effective means of reducing information risk within an organisation is to address the behaviour of computer users in parallel with, and not instead of, addressing hardware and software vulnerabilities.

This is also known as the Behavioural Approach to managing information security (InfoSec); as Schneier (2004) puts it, “…the biggest security vulnerability is still that link between keyboard and chair”.

Human Element (People) – The Weakest Link

A report by the American law firm Baker Hostetler analysed more than 450 incidents from 2016 (2017 Data Security Incident Response Report) and identified “Network Intrusion and Data Theft” as the key reasons behind them. The following statistics were recorded:


Phishing/hacking/ malware are the leading causes, accounting for about 43% of incidents. Non-healthcare entities accounted for 69% of these incidents, and healthcare entities accounted for 31%.

Phishing/hacking/malware were combined into one category because they are often used together. For example, opening an attachment to a phishing email often installs malware that facilitates initial access to the network. Approximately 22% of all incidents were due to computer network intrusions and malware. These incidents involved individuals or groups finding a way to gain unauthorized access to clients’ computer networks, conducting reconnaissance across the networks to identify valuable data and then attempting to exfiltrate it. The attackers targeted payment card data in 38% of these attacks and health information in 20%. However, 32% of the incidents were attributed to Employee Action/Mistake, emphasizing the “people problem” and the “human element” in the mix.

Discovery to Notification of Threat


According to the report (Baker Hostetler, 2017), organizations notified affected individuals in 62% of the network intrusion and malware attacks. This indicates that not all network intrusions result in notification, and that the number of individuals notified per incident is far from uniform (ranging from one person to over 8 million). A greater source of concern is the timeline: on average 61 days were required to discover that a breach had taken place, 8 days to contain the threat, and a further 41 days after the discovery of a network intrusion and malware incident to mail notifications. The long lead time in the incident response timeline also strengthens the argument that preliminary detection and identification of the threat should be initiated by users at the end-point. Detecting the incident soon after it happens is a critical first step, and the time from occurrence to discovery is significantly shorter when incidents are detected by the entity itself rather than by third parties.

The human element in Ransomware (SamSam Ransomware)

Although automation has dominated the discussion of disruptive technology for the last couple of years, with the autonomous capability of WannaCry being a major source of concern in cybersecurity, “Progressively savvier cybercriminals, like the group or individual behind the SamSam attacks, are now adding a human element to their already devious mix of evasive techniques to keep even some of the most advanced security software from detecting it.” SamSam ransomware leans heavily on manual techniques to work its malevolence.

Initially pegged at $850,000, the aggregate ransom amount gradually rose to $6.5 million as more attacks were reported. The majority of the victims (about 74 per cent) were in the United States; the United Kingdom (8 per cent), Belgium (6 per cent), Canada (5 per cent) and Australia (2 per cent) occupied the subsequent positions. India, along with a few other countries, shared the sixth rank with a one per cent share of payouts to the hackers.

According to a report by Sophos (2018), SamSam attackers break in the old-fashioned way, using tools that attempt as many logins as quickly as the Remote Desktop Protocol will permit, thus exploiting operating system vulnerabilities. In line with previous reports and observations, SamSam attacks usually succeed when the victim has chosen a weak, easily guessed password, clearly indicating a lack of awareness among end-point users.
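The defender-side check that follows from the paragraph above is to notice the login burst before a weak password gives way. The script below is an added example, not code from the post or from Sophos: it runs a sliding-window counter over constructed RDP authentication records (the log format, the sample addresses and the account names are all invented for the example) and raises a medium alert when one source address produces many failed RDP logons within a short window, escalating to high if that same address then logs in successfully.

```python
"""Flag RDP password-guessing bursts in authentication logs.

Added example for the post above, not from the original article.  The
record format (timestamp outcome account source_ip logon_type) is an
assumption made for this example; adapt parse_line() to your own source.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon type 10 is RemoteInteractive (RDP) in Windows Security events.
RDP_LOGON_TYPE = "10"

# Constructed sample records, not real telemetry.  203.0.113.7 hammers
# several admin-style accounts in a few seconds and then gets in as "admin";
# 198.51.100.20 is an ordinary user who mistypes a password twice.
SAMPLE_LOG = """\
2019-02-19T08:00:01 FAIL administrator 203.0.113.7 10
2019-02-19T08:00:02 FAIL admin 203.0.113.7 10
2019-02-19T08:00:02 FAIL administrator 203.0.113.7 10
2019-02-19T08:00:03 FAIL backup 203.0.113.7 10
2019-02-19T08:00:04 FAIL sysadmin 203.0.113.7 10
2019-02-19T08:00:05 FAIL admin 203.0.113.7 10
2019-02-19T08:00:06 SUCCESS admin 203.0.113.7 10
2019-02-19T08:05:00 FAIL jsmith 198.51.100.20 10
2019-02-19T08:09:00 FAIL jsmith 198.51.100.20 10
2019-02-19T08:09:30 SUCCESS jsmith 198.51.100.20 10
2019-02-19T08:10:00 FAIL svc 192.0.2.9 3
"""


def parse_line(line):
    """Split one whitespace-separated record into a dict."""
    ts, outcome, account, src_ip, logon_type = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "outcome": outcome,
        "account": account,
        "src_ip": src_ip,
        "logon_type": logon_type,
    }


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts for sources exceeding `threshold` RDP failures per `window`.

    Records must be in chronological order.  Each source is flagged once
    (medium); a later successful RDP logon from a flagged source is reported
    again as high, because a guessing burst followed by success is the
    weak-password outcome the post describes.
    """
    recent_failures = defaultdict(deque)  # src_ip -> timestamps in window
    accounts_tried = defaultdict(set)     # src_ip -> accounts seen failing
    flagged = set()
    alerts = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RDP logons are in scope here
        ip = ev["src_ip"]
        q = recent_failures[ip]
        # Slide the window: discard failures older than `window`.
        while q and ev["ts"] - q[0] > window:
            q.popleft()

        if ev["outcome"] == "FAIL":
            q.append(ev["ts"])
            accounts_tried[ip].add(ev["account"])
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "severity": "medium",
                    "src_ip": ip,
                    "reason": f"{len(q)} failed RDP logons within {window}",
                    "accounts": sorted(accounts_tried[ip]),
                })
        elif ev["outcome"] == "SUCCESS" and ip in flagged:
            alerts.append({
                "severity": "high",
                "src_ip": ip,
                "reason": f"successful RDP logon as {ev['account']} after guessing burst",
                "accounts": sorted(accounts_tried[ip]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["src_ip"], alert["reason"], alert["accounts"])
```

The threshold and window are deliberately parameters: a help desk that resets passwords will generate a few failures per user per day, so tune them against your own baseline rather than copying the values here. The two-failure user in the sample stays below the threshold and is never alerted on, which is the behaviour you want from a detection aimed at guessing tools rather than at people who mistype.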

User Awareness and Security Hygiene

A report by Akamai Technologies (2017) claimed that mobile and Android phones were subject to the majority of attacks globally. Users’ inability to distinguish benign-looking applications running on Android phones from unsafe nodes connected to a larger botnet left them susceptible to attack. For example, applications disguised as an ordinary video player, or as an application claiming to make phones more efficient, served a more malicious purpose. Unfortunately, the majority of the devices belonged to India and served a huge online user base from tier II and tier III cities. Most of these users lacked cybersecurity awareness and were not conscious of the consequences before downloading various applications onto their mobiles. According to Mr. Mathur, investing in technologies will not safeguard organizations against cyber attacks unless it is synchronized with user awareness.

Behavioural Theories in Security Compliances

It has been stated in various reports and literature that cybersecurity is fundamentally a “people problem”. Various aspects of this problem have been analysed through the lens of user awareness of the human-to-technology interface, overarching awareness of the consequences of an information breach, and user competence and compliance in identifying, containing and notifying cyber incidents when the situation demands it. According to Benson (2017), cybersecurity professionals agree that security depends on people more than on technical controls and countermeasures. Recent reviews of the cybersecurity threat landscape make clear that most industries, including the public sector, are at risk of cyber-attacks due to the weaker cybersecurity mindset of employees.

Cognitive and Behavioral aspects of End user Security Compliance

According to the literature, security compliance refers to the behavior of users in accordance with security policies when accessing and using the IT network and services. As a result, behavioral theories have been used widely in the security compliance literature to understand the factors that motivate user security compliance (Sommestad, Hallberg, Lundholm, & Bengtsson, 2014).

There are two broad aspects to predicting how a user responds to security compliance. Firstly, being cognizant of the controls, countermeasures and consequences that surround a cybersecurity breach is paramount in setting the baseline for compliance. Secondly, there is the behavioral response that ensures users follow the prescribed security policies when accessing corporate IT networks and services. For example, automatically scheduled password changes together with password complexity checks can minimize reliance on users to regularly update and choose difficult-to-guess passwords. Hence, users may be made to change passwords repeatedly and to create difficult-to-guess ones. However, some users then resort to writing passwords on a sticky note attached to their computer for easy access. Unsafe practices of this kind can defeat even the most sophisticated security systems. As a result, users’ failure to follow security procedures, rather than deliberate harmful external attacks, is the most common cause of security problems.

Theory of Planned Behaviour

The Theory of Planned Behaviour (TPB) is one of the most influential frameworks for studying human behavior, as it explains behavioural antecedents. TPB suggests that actual behaviour is determined by the intention to perform the behaviour, and that this intention is, in turn, determined by three components: (1) the individual’s attitude towards the specific behaviour, (2) the subjective norms about the target behaviour, and (3) the individual’s perceived behavioural control.


1. Attitude toward the behavior is the individual’s overall evaluation of the behavior. The two components that work together in forming the attitude are: (a) beliefs about the consequences of the behavior, and (b) the corresponding positive or negative judgments about features of the behavior (outcome evaluations: if I were to engage in this behavior, will the results be desirable?).

2. Subjective norms are an individual’s own estimate of the social pressure to perform the target behavior. Subjective norms are assumed to involve beliefs about how other people, who may be in some way important to the person, would like them to behave (normative beliefs).

3. Perceived behavioral control is the extent to which the individual enacts the behavior. It has two aspects:

(a) how much control a person has over the behavior. In this case, “control” describes one’s self-confidence in one’s ability to mobilize the motivation, cognitive resources, and actions needed to successfully complete a specific task within a given context.

(b) how confident a person feels about being able to perform or not perform the behavior. In this case, “confidence” is defined as the self-efficacy of an individual, which influences the amount of effort, the initiation, and the maintenance of coping efforts in adverse situations.

For example, according to TPB, a customer may have a strong purchase intention toward a car if he/she has a positive impression of some aspects of the car, has received favorable feedback from acquaintances who have purchased the same or a similar vehicle, and knows how to drive it. Therefore, a strong purchase intention towards the car is a strong indication that the customer will buy it.

In the context of security compliance, TPB explains that if an employee (1) holds a favorable attitude towards performing a security practice, (2) observes that other people in the organization are also actively performing the practice, and (3) perceives sufficient capacity to complete the security task, he/she will likely intend to comply, which can result in actual security compliance. In a similar vein, security self-efficacy describes the security knowledge and expertise that enable individuals to perform their security tasks and to cope with changing security requirements.

In conclusion, it is important to assess how these factors influence the training methodologies in organisations, specifically how managers design awareness programs with the aim of engaging employees in best security practices.




Benson, V. (2017). The State of Global Cyber Security: Highlights and Key Findings. LT Inc, London, UK. DOI: 10.13140/RG.2.2.22825.49761

Sommestad, T., Hallberg, J., Lundholm, K., & Bengtsson, J. (2014). Variables influencing information security policy compliance: A systematic review of quantitative studies. Information Management & Computer Security, 22(1), 42–75. doi:

Schneier, B. (2004). “The People Paradigm.” CSO Security and Risk Newsletter Retrieved June 23, 2011, from

Pham, H-C., Brennan, L., & Richardson, J. (2017). Review of behavioural theories in security compliance and research challenges.
