Soft skills are a hot topic in information security. You’ll see a lot of articles, blogs and talks on the subject. I’d like to go a little deeper – go beyond the basics of soft skills and talk about a concept from communication theory that can be used to achieve behavior change – efficacy.

Efficacy is the ability to achieve a desired effect. In risk communication, the desired effect is the reduction of risks and that’s the approach covered here. I’ll be focusing on two types of efficacy: self and response efficacy.

Self-Efficacy refers to the audience’s belief that they can actually perform the recommended action. Another aspect of this that comes into play for infosec risks is the perception that the action is necessary. People often lack motivation to address their security risks. Increasing self-efficacy may require persuading the audience that they need to address the risks before persuading them that they have the ability to do so. Here’s how I see the process from risk perception to high self-efficacy.

You are at risk -> This is actually your problem -> Here’s what you do -> You got this (self-efficacy)

Perceptions of self-efficacy are linked to the resources needed to complete a given action: finances, time, personal qualities, and so on. What resources does your audience have, particularly which do they have in abundance, and how can they be used to compensate for resources they lack? It’s about empowering your audience to take the action despite the constraints.

Perceptions of self-efficacy can be increased by 1) just telling people that they can do it, 2) linking the protective action to things that they’ve already done, and 3) showing them clearly how to do the protective action (Bandura, 1977; Rimal, 2000). Liken an incident response plan to the plans they have in the case of