The idea for this small grant project came when Jennifer Sheils, the head of partner networks, serious and organised crime for the Home Office’s Cyber Aware Campaign, was told of an experience buying a laptop. “Do I need more software?”, the customer asked. “It’s an Apple, so it should be fine,” they were told. The story led Sheils to wonder: who gives advice to whom? Who should be responsible? RISCS director Angela Sasse (UCL), Simon Parkin (UCL), and Lynne Coventry (Northumbria) set out to study how security advice is delivered in a retail context with a view to creating a model that will establish best practice that can be rolled out to other retailers and sectors. Brands will want to see commercial benefits, but may also see increasing customer trust by delivering good security advice as an incentive.
Cyber Aware is the government’s first and only cyber security public awareness communications initiative. As such, it is intended to deliver official and expert advice to help the public and micro businesses focus on actionable cyber secure behaviours and make good cyber security habits second nature. Its priority advice includes: use a strong and separate password for email; install software and app updates; use a screen lock and don’t send sensitive data over public wifi; keep backups; and use two-factor authentication where possible. This advice is updated and prioritised as needed based on incoming threats. Cyber Aware has more than 300 cross-sector partners. Tracking results for 2016 showed that 11 million people and 4 million businesses were more likely to adopt these behaviours as a result of seeing the campaign, but the campaign needs to scale up and needs the help of industry to do it.
Working with the retail sector seems particularly promising. Research says that trusted brands may have an important role to play, as people expect to receive good advice from the organisations they share data with. Research also says that people are most receptive at the “point of incidence” – a point when individuals are doing something relevant such as buying a device or entering a password. The goal of this project, therefore, was to:
- Establish evidence regarding the power and influence of trusted brands and their sales staff in delivering cyber security advice in the physical retail environment;
- Identify the most effective channels and interventions in physical retail environments;
- Provide retailers with evidence of the commercial benefits.
Lynne Coventry, director of the Psychology and Communication Technology Lab, explained the psychological background using BJ Fogg’s behavioural model, which captures the interaction of motivation and ability to change. When a person’s motivation is high or the behaviour is easy, a behaviour is easier to activate. However triggers – cues to action – have a key role to play as motivation and ease are not always sufficient by themselves to inspire change. Habits also play an important role, in that as much as 40% of our activities are repeated almost daily, usually in the same location. Although habits are slow to develop once they have been established they become automatic, and therefore easy to perform and, subsequently, extremely hard to break, even when the individual is motivated to do so. It’s easiest to change habits at times of transition. The hypothesis for this project, therefore, is that buying a new computer is a transitional moment that has the potential to disrupt established bad security habits, though we must also be careful not to disrupt good security habits. This piece of research, which worked with both customers and retailer, sought to establish the current issues and state of knowledge. For future work, Coventry would like to look at the effectiveness of different approaches to trying to change behaviour. Involving the intended audience in designing these approaches is key, she says, as this involvement has been shown to increase the likelihood that the approach will be effective.
Simon Parkin described the fieldwork, which included 85 customer interviews across four branches of a major UK retailer and 21 interviews with sales staff. The approach was exploratory and qualitative to understand the underlying knowledge, ability, barriers, and motivators. Operating independently of, but with support from, the retailer, the team engaged people at the point of sale, let them express their opinions in their own language, and sought to identify opportunities for improvements. They attended morning staff briefings to introduce themselves and the research, and to establish how to work while minimising disruption.
The customers, who were offered a £20 voucher in return for their time, were purchasing a new computer or mobile device, and in 15-minute interviews the researchers sought to understand:
- Their level of awareness of cyber risks;
- Where they acquire their knowledge;
- What guidance and advice they expect from the sales staff;
- How different forms of advice would be perceived.
The sales staff were interviewed as they were available, and asked about:
- – The queries they get from customers about cyber security;
- How well equipped they feel they are to answer;
- How they might be able to receive up-to-date knowledge and relay it to customers.
The researchers found that customers were often replacing a device, which could potentially be in the region of six to 12 years old; that many of these devices were used for many activities, both work and personal, and use was shared with other household members. One customer wanted an up-to-date computer for visiting grandchildren to use. Customers typically based their decisions on features such as screen size, portability, performance, and brand, and researched their purchases either online or by browsing in-store and talking to staff; a few took the advice of a “techie friend” or an IT service provider, IT staff at work, or a bank or Internet Service Provider (ISP). Anti-virus use varied considerably.
There were a number of opportunities for interventions. The stores sold security products such as anti-virus and external hard drives, and these formed part of the sale conversation. Staff also felt it was important for customers to have some security and keep it up to date, but didn’t want to bog them down with details or scare them out of the purchase. Customers also varied in how amenable they were to advice, and displayed varying levels of ability and motivation.
A representative of the retailer said she saw the research as a great opportunity, both to improve the advice given to staff and to solidify the retailer’s trusted relationships with its customers.
In conclusion, Sasse said the research suggested that the point of sale for a new computer is an opportune moment to ensure computers have appropriate security in place. However, these efforts must not be perceived as an attempt to up-sell; staff knowledge has to be kept up to date via a reliable source; and it will be necessary to ensure that the security chain isn’t broken a year later. The group has obtained follow-on funding to explore further how to fit advice into the sales process.
In answer to questions, the group indicated that they recognise that the model will have to be adapted for different retailers and demographics, though the goal is consistent messaging.