Is the Locus of Control responsible for our Security Behaviors?

Organizations fail to protect their assets because they rely mainly, if not primarily, on technical solutions that are not sufficient.
Yet many security incidents are due to the exploitation of human vulnerabilities, which are responsible for more than 80% of security incidents.
There are, for example, individual differences which influence the adoption and involvement of employees in security awareness policies. This is often overlooked in favor of technology-related interventions.
Research was conducted by Hadlington in 2018, with others to follow. Among these many theories, there is one based on the locus of control.

What is locus of control?

Most of us lie on a spectrum between internal and external orientations. This locus of control can change over time.
A study conducted by Dr. Popovac showed that the locus of control acted as a "significant predictor of total scores on a measure of information security awareness"; in plain English:

• People who demonstrated more externality had a lower commitment to information security. They have a sense of self-control over their work, and are less inclined (or don't see the point) to adopt cybersecurity behavior. In short, a person with an external locus of control, who attributes their success to luck or fate, will be less likely to make the necessary effort to learn.

• Those with a higher internal locus of control, meanwhile, are more likely to see their actions as a means of protecting themselves and the company against cyber-attacks. These individuals have a greater propensity to adopt appropriate technologies.

The results are not surprising in themselves, but they are the first to be applied to the world of cybersecurity.

In the field, we see that users are limited in their attention to security warnings and guidelines. How can we change this paradigm?

Food for thought & action

The interest of this study is twofold:
- the first is to focus on those employees who could be at the root of an information security breach within their company, and to understand the factors behind unsafe behavior.
- the second is to suggest ways of designing more effective and, above all, appropriate training courses.

Thus, it is important to:

• understand which personality trait is more likely to explain privacy-protecting behavior, for example.

On the cyber side: If company employees believe that tools or the company are responsible for protecting them from cybercrime, then they will be less likely to take steps to protect themselves. The key is to make protection tools available, and to get employees involved.  Protection against cybercrime starts at the personal level.
As we have seen, this trend (internal/external) is not immutable. To foster an internal locus of control, we need to :

• take the time to reflect on how decisions have been made in the past.
• remind employees that they are actors, not observers, in the company's security.
• that luck has no place; every action and success is the result of a person and his or her choices; in the same way, we must accept our failures.

On the cyber side:  here's an example, to foster the internal locus of control: if we say that SolarWinds cost up to $100 billion, it won't have much impact on the employee, but if we remind them that cybercriminals can use social engineering methods on their children, retrieving personal data from social networks and others; they'll probably be more attuned, and make sure they take action to protect their families.

• implement other types or methods of safety training, such as gamification of awareness-raising.

On the cyber side: "get in the game", promoting game mechanisms helps to engage employees in problem-solving, motivate them and consequently achieve better productivity and performance in security policies. 
79% of participants in a survey conducted by Pulse Learning said they would be "more productive and motivated if their learning environment was more like a game".
Price Waterhouse Cooper developed Game of Threats™ to test and reinforce cyber defense skills.
The Digital Guardian developed DG Data Defender, to help other companies involve every employee in data security.

• have a constructivist approach.

The constructivist approach (Piaget) emphasizes the dynamic structure of human experience. We no longer think in terms of categories: similarity and difference, stimuli and responses, but rather in terms of connectivity between all elements.  In this way, unity and diversity are integrated. We are active beings in our own development. Constructivism advocates learning via a socially interactive process, based on experience and discovery.
This approach is opposed to behaviorism (Watson), which in learning, advocates changing behavior by rewarding correct performance (emphasis on the relationship between response and stimulus).

On the cyber side: 

• in terms of awareness, companies need to enable their employees to build knowledge rather than receive and store it
• in terms of the overall cyber threat, we need to take a constructivist approach, i.e. we need to understand the elements as a whole. Specifically, we need to address the context (political, economic, religious), the motivations for cyber-attacks, the influencing factors (social, psychological, cultural, etc.) and the relationship of all these elements to each other. We're not looking at one tree, but the trees that make up the forest!