Skip to main content
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.
A global telecommunications firm strengthened their cybersecurity using BAD’s behavioural insights and creative interventions to reduce risks associated with human error. By uncovering the underlying behavioural barriers, and leveraging behavioural science, BAD helped the firm embed security focused habits into employees’ daily routines, reducing risky behaviours firmwide.
A global telecommunications firm strengthened their cybersecurity using BAD’s behavioural insights and creative interventions to reduce risks associated with human error. By uncovering the underlying behavioural barriers, and leveraging behavioural science, BAD helped the firm embed security focused habits into employees’ daily routines, reducing risky behaviours firmwide.
The importance
The insight
The intervention
The Impact
Global
Telecommunications
98,000
A successful attack can cause widespread service disruption, data breaches and significant financial and reputational damage. In 2021, a large telecommunications firm suffered a data breach affecting over 40 million customers. The firm experienced significant reputation damage as well as $60m in fines.
With human error being the weakest link when it comes to cyber security, relying on training is not enough. Traditional training fails to consider the behavioural aspects to decision making ingrained habits. People will often revert to risky behaviours, particularly if they are under pressure and undertaking routine tasks.
Our client wanted to ‘make security behaviours a habit.’
Taking a behaviour-led approach allows us to create more effective, lasting impacts on security practices. It helps us embed security focused habits into daily routines, making them less susceptible to human error.
We needed to get to the root of the risky behaviours. We took an in-depth analytical approach, applying mixed methods comprising qualitative and quantitative research, while ensuring a representative sample of our client’s employees.
We uncovered that employees underestimated risks due to the availability heuristic and lacked clarity on specific actions required for security.
1. Availability heuristic
A heuristic is a bit like a mental shortcut or rule of thumb that our brains use to make decisions or solve problems faster and with less effort. It does this by just focusing on the most relevant information. While this reduces the time and energy required to make decisions, it can lead to errors and allowing biases to take over.
With the ‘availability heuristic’ specifically, we judge the likelihood of an event based on how easily examples of this event taking place come to mind. This means employees often underestimate risks because they cannot easily think of an instance of the event happening. (“I don’t know anyone who has been hacked so therefore it is unlikely to happen to me.”)
2. Lack of clarity around behaviours
Our research also showed that while employees had undergone training about risks and the consequences, they were still not fully clear on exactly what actions they needed to take and when, to meaningfully reduce risk.
Utilising all this insight, we worked with our client to develop an evidence-based, targeted intervention to influence behaviours and embed better habits. We reframed the challenges through a behavioural science lens to identify the most effective behaviour change techniques and used created design to implement these in the most engaging way.
Combatting the availability heuristic
To work with the availability heuristic, we used authentic storytelling to make cyber threats more relatable. People typically remember more from stories than from facts alone due to greater personal connection and emotional relevance (Lordly, 200&). Using real stories from real people that employees can relate to, increases the connection in their memory, enhancing their perception of risk and bringing it more readily to mind.
We also created key points and activities to encourage self-reflection, helping employees identify areas where they are personally more susceptible to risky behaviours – ie password security.
Clarifying behaviours and embedding better habits
To embed better habits and make it clear and easy for employees to carry out more risk conscious behaviours, we used techniques such as habit stacking. By building associations between existing habits and new behaviours, existing habits can become a cue for the new behaviour (Fogg, 2019; Judah, Gardner & Aunger, 2013). The intervention was designed to mimic an employees’ average day, to help identify where new behaviours could be easily implemented and associate these new behaviours with existing everyday habits and routines.
As people pay more attention to and are more likely to act on information that is prominent, we used design techniques to make the most important behaviours salient, through elements such as ‘Stop and Think’ screens.
The intervention successfully recalibrated employees' risk perception and ingrained cybersecurity habits, leading to a reduction in risky behaviors and strengthening our client’s overall security position.
We'd love to explore the potential for behavioural science to inspire positive change within your organisation.
