Written: 4th March 2023 – 7 min read
“How information security awareness influence behaviour change?” article is came to life as nowadays more and more people realize big data companies, 3rd party apps, and search engines know “too much” about us.
Even if companies not using our personal data
- to observe us (by the way they do),
- observe our behaviour in a systematic manner to predict human behaviour (by the way they do) or
- to aggregate data to predict behaviour, (because some of them certainly do),
we still have the right to know and exercise our right over our data and data privacy. In that way we are able to ask deletion or withdraw rights from companies to access to our sensitive data.
More and more people and legal services start to take into account that people need to give consent to companies, 3rd party apps, and services in order to be able to exercise their rights over the protection of their data and privacy. This need to be remembered when AI technology will expand more and more. Especially those who understand human speech and might record you to develop their systems fast.
Data protection rules and regulations around the world
These rules and regulations mostly about how personal data needs to be handled and protected.
One of the most important regulations implemented by the European Union in May 2018, is the GDPR (General Data Protection Regulation).
This is a European Union regulation about data handling and protection.
One of the most comprehensive and strict data protection regulations and handling rule in the world regarding a natural person. It applies to all EU member states and organizations that processes personal data of EU citizens. It is a directive made by the EU Parliament and Council of European Union. The title tells a lot: “Regulation on the protection of natural persons with regard to the processing of personal data on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive)”.
California Consumer Privacy Act (CCPA) implemented by the state of California in January 2020. This law is the first data privacy law in the United States. It gives consumers right to know what personal information collected about them and right to have it deleted.
Personal Information Protection and Electronic Documents Act (PIPEDA) implemented by Canada in 2000. It applies to private sector organizations that collect, use or disclose personal information in the course of commercial activities.
The Privacy Act implemented by Australia in 1988. The Privacy Act regulates the handling of personal information by Australian government agencies and some private sector organizations.
General Data Protection Law (LGPD) implemented in August 2020. The LGPD is similar to the GDPR and applies to any organization that processes personal data in Brazil.
Personal Data Protection Act (PDPA) implemented by Singapore in 2012. This law regulates the collection, use, and disclosure of personal data by organizations in Singapore. PDPA implemented by Thailand in May 2020. It regulates the collection, use, and disclosure of personal data by both public and private sector organizations in Thailand.
How data protection rules and regulations influence behaviour?
Obviously in several ways.
New areas of studies and fields emerged
Those rules and regulations influence human, company and corporate behaviour and created new area of studies across the information security and cybersecurity fields. New fields emerged with new rules & regulations as creating laws not always enough. Companies need engineers and experts who are able to supervise businesses. Plus ensure that rules and regulations are appropriately followed.
More attention on sensitive personal data
People started to pay attention more to their sensitive personal information and data. Several times big data and social media companies did not care about data protection and handling. That is why they have been fined by authorities all over the world in the last few years.
Companies fined by authorities
Huge social media and other big tech companies were fined by authorities regarding data handling in the last few years. For example:
- In 2018 fined $5 billion by the US Federal Trade Commission (FTC) for violating users’ privacy and mishandling data. The FTC alleged Facebook failed to properly inform users about how their data was being used and shared with third-party apps.
- In 2020 the company fined €30,000 by the Ireland’s Data Protection Commission (DPC) for failing to provide users adequate transparency and control over their personal data. The fine was small compared to the maximum penalty of up to €20 million or 4% of annual global revenue under the GDPR. It was still significant as the first fine imposed by the Irish DPC under the GDPR.
- In April 2021 DPC launched an investigation over concerns related to the processing of users’ personal data. In Nov 2022 they announced an inquiry into Meta Platforms Ireland Limited (MPIL), data controller of the “Facebook” social media network, and imposing a fine of €265 million and a range of corrective measures according to the Data Protection Commission.
- In 2019 fined €50 million by the French data protection authority, CNIL, for violating the EU’s General Data Protection Regulation (GDPR). The fine was related to Google’s lack of transparency and inadequate consent mechanisms for users’ personal data.
- In 2020 fined €450,000 by the Irish Data Protection Commission (DPC) for failing to promptly report and adequately document a data breach that occurred in 2018.
- In 2021 fined €750,000 by the Dutch data protection authority for violating the GDPR. The authority found that TikTok failed to properly inform users how their data was processed and stored.
- In 2021 fined €7.8 million by the Irish Data Protection Commission (DPC) for violating the GDPR. The fine was related to LinkedIn’s use of email addresses of non-users to target ads on Facebook.
How behaviour of companies and individuals changed due to laws?
Recent regulations, fines and investigations changed the behaviour of companies and individuals.
- Transparency increased regarding how companies collect and use personal data. Companies required to provide clear and concise information to users about their own personal saved data.
- Consent mechanisms improved by these regulations as now required from companies to obtain valid consent from users before collecting/processing personal data. More user-friendly consent mechanisms were implemented. This allowing users to have more control over their data.
- Accountability increased. Companies required to implement appropriate security measures, conduct regular risk assessments, and report data breaches to regulatory authorities and affected users.
- Increased penalties for non-compliance. Regulations introduced significant penalties e.g.: fines and sanctions for companies that fail to comply with rules. This encouraged companies to take data protection more seriously and invest in appropriate measures to ensure compliance.
- Data protection awareness increased due to enhanced regulations.
Now companies need to implement more privacy-conscious approach to data handling.
Behaviour of people influenced in similar ways as companies regarding data protection regulations, which increased awareness, control, trust, accountability, and right awareness. The awareness regarding risk increased by sharing personal data; moreover people now more likely exercise rights above their personal data or ask the deletion of them.
The report of data breaches to authorities regarding 3rd party apps increased.
If you need more information regarding data protection then the European Data Protection Board (EDPB) provides a list of all Data Protection Authorities (DPAs) in the EU and EEA. The International Association of Privacy Professionals (IAPP) provides a map about Global Privacy Laws and a directory of Data Protection Officers (DPOs) around the world. These can be searched by country or region.
What are further risks regarding information security?
Researches, studies and experiments regarding the psychology of behaviour change can show us what we need to pay attention to to avoid being the victim of manipulation techniques.
This means people who thought their friends or acquaintances did something tried something else more likely than people who have not seen their friends did the same. For example try out a new app or etc. This can be a huge issue regarding raising security awareness.
Secure behaviour experiment
A 2014 experiment sought to explore the effects of increasing the observability of “secure behaviour”.
On a sample of 50,000 Facebook users, researchers targeted individuals with various social proof framed messages (and a control message) designed to convince users to explore security features.
Results of the experiment found that showing people the number of their friends that used the same security features. Users were 37% more likely to be enticed into exploring promoted security features themselves.
Research about adaption decisions without accurate information about the product values
In 2009 a research “Informational Cascades and Software Adoption on the Internet: An Empirical Investigation” written by Wenjing Duan, Bin Gu, Andrew Whinston found that internet users’ choices of software changed dramatically in relation to the total number of downloads. People and users were likely to follow previous adopters’ choices. The reliance on this metric lead to inferior technologies being chosen. This related to social proof too.
Studies about communication on information security compliance
A research paper about “Don’t Even Think About It! The Effects of Antineutralization, Informational, and Normative Communication on Information Security Compliance” was published in the Journal of the Association for Information Systems (2018).
In this research multiple studies found that providing information about the compliance of others increases the likelihood of users complying with security policies themselves. It was found that informational (weakly) and antineutralization communication (strongly) decreased violation intentions, but normative communication had no effect.
Social engineering attacks
A term refers to psychological manipulation of people to perform actions or divulge confidential information. This is for the purpose of information gathering, fraud, or system access. Defined as “any act that influences a person to take an action that may or may not be in their best interests.” according to Wikipedia.
Social engineering attacks can happen in a smaller or larger scale to change the behaviour of people. This can happen by writing or showing them something to act in a preferred way. For example, do something, because their friends did that something too.
All social engineering techniques based on specific attributes of human decision-making. These are known as cognitive biases. Examples for them: authority, intimidation, consensus/social proof, scarcity, urgency, familiarity/liking.
This type of manipulation used in several cases for example if someone wants to steal your social media account password.
A case for a social engineering attack
For example, you receive an e-mail to recover your “forgotten password”.
The e-mail might look almost the same as an e-mail from the original company. It can be that only the e-mail address is different. However, when you click the recover the password button, but you will be redirected to a fishing site. This means the e-mail you received is a fishing e-mail. It’s only goal to steal your password and username.
Next to this if you use 2-factor authentication the fishing site might ask your code too. Or the page where you try to “recover” your account might ask further information like an SMS code from you.
In that case when you did not initiate or try to recover your account. This is the stage when you need to stop trying to “recover” your account, otherwise you might lose it fully.
As in that way it can be hacked by others through social engineering. In that way you are the one who give out your precious personal information for example passwords, or security codes. Although in a way that you will led by others to do something what you did not want to do.
Raising information security awareness
To sum up raising information security awareness can help individuals and companies to
- reduce the risk of attacks, and
- protect sensitive personal data with proper techniques and technologies.
Furthermore, it helps you to access, protect or exercise your rights over your own sensitive personal data. Over data what companies can collect from you.