10 July 2024

Unconscious incompetence: The hidden challenge in information security

Imagine being an employee at a company. You think you are following all the rules for information security, but you don’t actually know them. Sounds unlikely? Yet our recent Culture Scans show that 834 out of 6000 respondents are in exactly this situation. This phenomenon is called ‘unconscious incompetence’, and it poses a hidden challenge for information security.

Unconscious incompetence refers to a state where individuals are unaware of their lack of knowledge or skills. In the context of information security, this means employees think they are acting safely while they may unknowingly be taking risks.

Why is unconscious incompetence important?

For us, as social psychologists, unconscious incompetence is a crucial factor in improving information security. It not only hampers the effectiveness of security rules but also creates a false sense of security. Moreover, it complicates the task of awareness programs, because awareness has to be raised before behavior can change.

How to address unconscious incompetence?

To tackle unconscious incompetence, organizations can apply the following strategies:

  • Simplify rules: Make rules and guidelines simple and easy to remember.
    • Example: Create a set of 5 ‘golden rules’ for information security that every employee can remember, making it easier for them to check if they are following the rules.
  • Regular repetition: Communicate rules and guidelines consistently and frequently.
    • Example: Highlight one specific security rule each month in internal communications. Concise information is easier to remember, so this way, rules can be clearly and gradually brought to employees’ attention.
  • Training: Teach the necessary knowledge and skills through micro-learning modules.
    • Example: Offer training on what the rules and guidelines are and how they can be applied in practice. This allows employees to learn the rules and guidelines at their own pace.
  • Agenda items: Regularly schedule moments to discuss the rules and guidelines in broad meetings.
    • Example: Add a discussion point to the weekly start meeting each month to outline a scenario and ask if everyone knows what to do in that situation. This gives employees regular moments to self-check and express doubts.

Once employees in this group are made aware that they do not yet know or do everything correctly, they move from unconscious to conscious incompetence. By then learning the correct actions they become consciously competent, and with practice the behavior becomes second nature: unconscious competence.

In conclusion…

Unconscious incompetence is a challenge but also offers opportunities for improvement. By raising awareness and taking concrete steps to improve knowledge and skills, organizations can significantly strengthen their information security. Whether it’s simplifying rules, repeating key information, or offering training, every step contributes to a safer (digital) environment.

Want to know more about unconscious incompetence and how to address it in your organization? Contact Sjoerd van Veldhuizen: sjoerd.van.veldhuizen@awareways.com.