
You are at risk > This is actually your problem > Here's what you do > You got this (self-efficacy)

Perceptions of self-efficacy are linked to the resources needed to complete a given action: finances, time, personal qualities, etc. What resources does your audience have, particularly which do they have in abundance, and how can they be used to compensate for resources they lack? It's about empowering your audience to take the action despite the constraints.

Perceptions of self-efficacy can be increased by 1) just telling people that they can do it; 2) linking the protective action to things that they've already done; and 3) showing them clearly how to do the protective action (Bandura, 1977; Rimal, 2000). Liken an incident response plan to the plans they have in the case of a fire; link regular security audits to quarterly performance reviews. Lessen the uncertainty of information security issues by focusing on similarities to more familiar actions and situations.

Response efficacy is the belief that the recommended action will actually reduce the risk or mitigate damage. If you don't think that the recommended action is going to actually protect you from harm, why do it? Think about PSAs using statistics to convince you that wearing a seatbelt will reduce your risk of injury – they’re trying to change your perceptions of response efficacy. Trust is a major factor: trust in the organization or individual advocating the action, and trust in the system underlying or supporting the action. Someone who doesn't get a flu shot every year because they say it doesn't actually protect you from the current strain has low response efficacy.

When you've successfully made the audience accept that they're at risk, their next question will be, "What do I do?" If you can't clearly answer that question, the audience may lose trust and feel more fear and uncertainty. This is a bit of a problem for infosec.
People are not as familiar with the actions for reducing infosec risks, and there are a lot of mixed messages on the topic. To most people, it seems like we can’t even agree on what a “good” password is. This can lower the trust people have in any recommendation they get on how to be more secure.

To increase response efficacy, try to break the behavior into simpler, manageable bits and focus more on what makes the recommended behavior effective. Why is this the best action for the given situation? Put it in terms that resonate with the audience. What is their biggest concern, and how does the protective action address that concern?

This has been a quick look at how efficacy might help improve infosec communication and just a peek at how communication tactics and theories can support information security goals. For more, you can find Claire’s blog here. Or, if you are attending BSides Delaware on November 11, you can hear me talk about this subject in more detail. Find out more here.
