Why do people forgo online security?

Why, when the risks are so well publicised, do people forgo online security? A behavioural scientist explains

Today, data breaches are commonplace. Recent media headlines reveal that cyber criminals have tricked an unnamed employee into sending them £200,000, that the criminals who hacked into an investment manager’s email account have made off with $US 4.2m, and that 210 million Facebook users have just had their personal data compromised.

Why, then, is the most common password in use today “123456”?

Why do less than 10% of Gmail users use two factor authentication?

More generally, why do we so frequently forgo basic online security?

Set up for failure

As a behavioural scientist specialising in cyber security, the above is a question I’m asked often. The simple answer?

For the most part, it’s the way we’re wired.

Early humans lived in a world unlike our own. Rather than answering urgent emails, evading predators was the order of the day. In risky situations, acting before thinking was a good idea. In fact, it was evolutionarily advantageous. So, as time went on, we learned to respond to risk without contemplation – something we still do when confronted with risk today.

Risky business

Our contrasting reactions to historical and modern risks provide a nice example.

Today, things like snakes pose almost no threat to our wellbeing – yet even pictures of snakes can make our hearts race and our pupils dilate as our subconscious demands we scurry away. By contrast, heart disease has become the world’s biggest killer, yet we instinctively enjoy eating indulgent foods.

Our evolutionary history has left us ill-equipped to properly comprehend modern risk. In fact, people are terrible at understanding risk. No matter how many cyber attack horror stories we read, the threat remains inconceivable. And, as we largely only take steps to protect ourselves from threats when we believe them to be sufficiently likely and severe, horror stories and scare tactics do very little to change our approach to security.

Why is this the case?

Most of us will have seen adverts that try to scare or shock us into reducing our risk of harm – such as shocking portrayals of the impact of smoking. The scare tactics are largely a waste of time.

Unfortunately, simply scaring people almost never changes behaviour. In fact, research (unsurprisingly) suggests that particularly frightening messages are sometimes deliberately avoided. Worse, scaremongering can even lead to risk denial, particularly among those most susceptible to risk.

Sometimes, scare tactics can simply cause us to rely on mental biases to guide decisions – such as our inherent “optimism bias”. The bias, which is central to our mental wellbeing, tricks us into believing the future will be rosy, even when clear evidence to the contrary exists. As an example of the bias, western divoirce rates hover at around 40%, yet newlyweds estimate their chances of divorce to be zero.

Clearly, such biases compound the problem.

What can be done?

More often than not, security awareness training revolves around statistics and scare-mongering. It’s an approach that treats people as a liability, and it goes a long way to explaining why many people frequently forgo basic online security.

To drive behaviours in the right direction, security awareness training really needs to start accounting for human psychology. For example, organisations would be better off taking a positive approach to security awareness training, one that promotes people’s potential for good.

We know from a wealth of research that security behaviour change is much more likely when awareness training builds people’s confidence in behaving securely and helps them feel capable of doing the right thing when presented with a security challenge. Security processes also work best when they are designed to work for people rather than against them.

If the history of security awareness training has confirmed anything, it’s that, as is the case in healthcare and road safety, messages of fear do little to change people’s behaviour.

By contrast, as advanced statistics recorded by the CybSafe security awareness platform show, security awareness training that reinforces people’s potential for good is a great deal more effective.

John is a Chartered Psychologist and Head of Behavioural Science at CybSafe

In partnership with