Psychology in practice

6 June 2024

“But they also (don’t) do it”

The social norm in information security

Imagine: you are a new employee at a company. When you enter the office space, you see your colleagues working diligently. Their desks are neatly organized, and everyone is using a password manager. What do you do? Chances are, you adjust your behavior based on what you see happening around you – the social norm. 

The social norm refers to all the rules and expectations within an organization. This includes (1) written behavioral rules, for example in the form of golden rules, but also (2) unwritten behavioral rules, such as the habit of reporting suspicious situations. These norms can be both (1) explicit and (2) implicit and are shared by the majority of the organization. They influence how individuals behave in different situations and set an example for new employees. For example, if you see all your new colleagues using a password manager, you are highly likely to adopt this behavior.

Who influences the social norm? 

For us, as social psychologists, the social norm is an important factor when trying to influence behavior and culture. But if you want to work with it, it’s good to know who influences the social norm. Which individuals or groups play an important role? 

Management and leadership: People with significant influence within an organization have a considerable impact on what is seen as the norm. They often determine the direction and culture of an organization. This can be executives or managers. This group primarily influences the explicit, written norm. 

Supervisors: This group plays a significant role in shaping social norms within teams due to their daily interactions with employees, their visibility, and their role as examples. This group primarily influences the implicit, unwritten norm. 

Colleagues: Direct social contacts, such as colleagues, have a strong influence on behavior and norms. People tend to adopt the behaviors and expectations of their direct social environment. This group primarily influences the implicit, unwritten norm. 

Why is the social norm so important in behavior change? 

Social norms have a powerful influence on individual behavior. People tend to adapt to what they perceive the majority is doing or approving (conforming). This is due to the need for acceptance and approval from colleagues or supervisors, and the avoidance of rejection or punishment. The reverse also matters: if the social norm is, for example, to send personal data via unsecured channels, then this undesirable behavior is only encouraged. Establishing the right social norm is therefore important both for strengthening a program and for preventing it from being undermined.

How do you influence the social norm?

In behavior change programs related to information security, social norms can be used to promote desired behavior by: 

  1. Setting a good example: Showing examples of all groups (management, supervisors, colleagues) exhibiting the desired behavior can encourage others to do the same. 
    • Example: a supervisor demonstrating to their team how AI resources can be used safely. 
  2. Normative feedback: By informing individuals about how their behavior compares to others within the organization, they can be motivated to adjust their behavior to conform to the social norm.
    • Example: sharing the increase in the use of password managers within an organization. 
  3. Information dissemination: By providing information about what the social norm is or should be, people can adjust their perception of the norm.
    • Example: a communication campaign emphasizing that the majority of employees do report phishing emails can change a non-reporter's perception, so that reporting comes to be seen as normal.
  4. Public involvement: By actively involving employees in developing and supporting new social norms, these norms can be more effectively accepted and adopted by all groups.
    • Example: soliciting feedback from employees on how they want to share files in a secure, non-obtrusive manner. 

In conclusion… 

Social norms are a fundamental part of how individuals behave within an organization. Understanding and influencing these norms can be crucial to the success of a behavior change program related to information security. By using influencing techniques, social norms can be effectively adjusted and utilized to promote the desired, information-safe behavior. Whether it’s using a password manager, reporting phishing emails, or safely sharing files, the right social norm is an indispensable force for achieving desired behavior. If you want to learn more about the social norm, don’t hesitate to contact Sjoerd van Veldhuizen: sjoerd.van.veldhuizen@awareways.com.