UPDATE: I gave a talk on this at BSidesDC and Delaware 2017. Here are my slides for that talk.
I've wanted to cover efficacy for a while. When talking with people at conferences like BSides, it kept popping to mind as a solution to some of the problems I kept hearing about. The many conversations about "soft skills" also brought it to mind. The skills mentioned in these conversations (like empathy, professional writing and public speaking, and working with other departments) are fundamental but communication, as a soft skill, can do a lot more.
Efficacy is the ability to achieve a desired effect and is apparently a common term used to discuss medical and scientific procedures. It's probably used in other technical pursuits as well, but here I'm talking about the risk communication use of the term. In risk communication, the desired effect is the reduction of risks. Efficacy is broken down into several components in scholarship. I'll be focusing on two here: self-efficacy and response efficacy.
Self-efficacy refers to the audience's belief (perception) that they are capable of performing the recommended protective action. Another aspect of this that comes into play for infosec risks is the perception that the actions are necessary. This isn't directly from any scholarly work I've read on efficacy, but I think it's particularly important to infosec. There's a lack of motivation for addressing infosec risks coming from procrastination, decision paralysis, a lack of urgency, or any host of reasons. Therefore, increasing self-efficacy in these cases may also require persuading the audience that the risks are their responsibility, in addition to persuading them that they have the ability to address them. The last post examined this issue in terms of risk perception and discussed how to make people accept that they are at risk (problem recognition). Efficacy takes us beyond that and gives guidance for getting them to act once they've accepted that they are at risk (constraint recognition). Here's how I see the process from risk perception to problem recognition and constraint recognition:
You are at risk -> Yes, your circus. Yes, your monkeys -> Here's what you do -> You got this
How do you increase self-efficacy?
Perceptions of self-efficacy are linked to the resources necessary to complete a given action. These resources could be finances, time, personal qualities, or anything else that could be perceived as necessary for action. Research into self-efficacy highlights the importance of "information and preparation to drive implementation" of protective action (Casey, Timmermann, Allen, Krahn, & Turkiewicz, 2009, p. 60). The scholarship uses the term "training" to describe how this information and preparation is transferred to the audience, but that term is a little too specific for my taste. It implies a structure and focus that would leave out a lot of effective risk communication.
Perceptions of self-efficacy can be increased by 1) just telling people that they can do it, 2) linking the protective action to things that they've already done, and 3) showing them clearly how to do the protective action (Bandura, 1977; Rimal, 2000). Modelling the behavior (demonstrating the protective action) can be very important when it's an ongoing behavior that the person has to do themselves. If it's a one-time action that requires the audience's permission, support, or funding, modelling isn't as important as empowering them to make the decision or set things in motion by stressing their responsibility for the risk and linking it to something else they've already done. Liken a data breach response plan to the plans they have in the case of a fire, link regular security audits to quarterly performance reviews, etc. Lessen the uncertainty of information security issues by focusing on similarities to more familiar actions and situations.
Also consider the resources your audience has, particularly those they have in abundance, and how those resources can be used to balance any limitations they might have or perceive they have. If your audience is lacking in money, do they have other resources that can supplement it? It's about empowering your audience to take the protective action despite the constraints (whether real or perceived).
Sidebar: What is protective action?
I've used the term "protective action" a lot in the past two posts, so I should at least acknowledge the term. Protective action can be a lot of things but is the catch-all term for the actions or behaviors recommended by risk communication. Protective action can include having an emergency kit in your car, getting annual flu shots, or patching and updating systems properly.
Response efficacy is the belief or perception that the proposed action will actually reduce the risk or mitigate damage. If you don't think that the recommended action is going to actually protect you from harm, why do it? Think about PSAs using statistics to convince you that wearing a seatbelt or quitting smoking will reduce your risk of injury or health problems; those are trying to influence perceptions of response efficacy. Trust is a major factor: trust in the organization or individual advocating the action, trust in the system underlying or supporting the action, etc. Someone who doesn't get a flu shot every year because they say it doesn't actually protect you from the current strain has low response efficacy.
This is a bit of a problem for infosec. A key to effective risk communication is that the recommended actions need to be clear. When you've successfully made the audience accept that they're at risk, their next question will be "What do I do?" If you can't clearly answer that question, the audience may lose trust and feel more fear and uncertainty. This fear and uncertainty may lead to action paralysis. Unfortunately, infosec isn't a place for simple solutions. People are not as familiar with the protective actions for infosec risks, and there are a lot of mixed messages out there.
When the correct protective action is unclear, it increases that uncertainty and makes behavior change even less likely. This uncertainty also hurts trust in all recommendations about the risk. Think about password strength. There are so many rules and recommendations on how to make a strong password. As I write this, my friend was required to include two numbers in a password because reasons. Not only is this lack of clarity a problem because it leads to bad passwords and confusion, but it also means that people are less likely to trust any recommendations for passwords. Do I avoid real words? Should I have "special characters"? How long is long enough?
To increase response efficacy, try to break the behavior down into simpler, manageable bits and focus more on what makes the recommended behavior effective. Why is this the best action for the given situation? Put it in terms that resonate with the audience. What is their biggest concern, and how does the protective action address that concern?
Efficacy in crisis
Efficacy has also been applied in crisis communication, and research has found that both self-efficacy and response efficacy play an important role in whether people take recommended actions during a full-blown crisis such as a weather emergency or public health threat (Avery & Park, 2016). The main difference between efficacy for risk and for crisis is that in risk it's about avoiding threats altogether, and in crisis it's more about mitigating damage.
That's your primer on efficacy, a very useful concept for information security that can elevate soft skills to another level. Efficacy can be applied in a variety of situations with a variety of audiences. I plan to cover some of these audiences and situations in future posts.
Avery, E., & Park, S. (2016). Effects of crisis efficacy on intentions to follow directives during crisis. Journal of Public Relations Research, 28(2), 72-86.
Bandura, A. (1977). Social learning theory. Englewood Cliffs, NJ: Prentice Hall.
Casey, M. K., Timmermann, L., Allen, M., Krahn, S., & Turkiewicz, K. L. (2009). Response and self-efficacy of condom use: a meta-analysis of this important element of AIDS education and prevention. Southern Communication Journal, 74(1), 57-78.
Rimal, R. N. (2000). Closing the knowledge-behavior gap in health promotion: the mediating role of self-efficacy. Health Communication, 12(3), 219-237.