Center for Cybersecurity & Data Intelligence

Part 3: Comm Prof on Cybersecurity Training

By James Robinson, Ph.D., Professor, Dept. of Communication

Read part one of this series here and part two of this series here.

The final part of this series, which has explored communication's role in IT practices, will examine psychological reactance. Psychologist Jack Brehm coined the term “psychological reactance” to describe the impact of restricting an individual’s freedom of choice.

Commonly Cited Reactance Example

When children are told that they can play with any toy in the room except the red ball, it seems that interest in the red ball dramatically increases. Children often will play with the red ball and report that the red ball is their favorite – even though they have been forbidden to play with the ball. If the researcher takes the red ball with them as they leave the room, children will restore their freedom by increasing the value and desirability of that red ball as a toy. And when asked, they will report that their favorite toy is the one that they were not allowed to play with.

Brehm suggested that restricting choices produces feelings of discomfort within the individual and motivates them to restore their freedom. Sometimes individuals can restore their freedom directly (by playing with the toy), and other times they can restore their freedom symbolically (by liking the toy more).

Psychological Reactance and Cybersecurity Policies

Cybersecurity training offers us an interesting opportunity to study human behavior because IT policies and procedures often restrict freedom of choice. For example, an IT department can decide that people are required to employ two-factor authentication (2FA) to gain access to the network. Everyone must comply with this rule, or they can’t access the network. Rather than persuading people to voluntarily adopt the new computer security behavior (2FA), the department simply requires it.

When I ask IT friends who work in the private sector how they get people to use strong passwords or avoid phishing scams, they love to say, “We tell the new employees that if they get hacked, we will fire them.” The underlying belief is that nobody will click on a link in an email message if they believe the consequences are severe enough.

Those same IT professionals usually frown when I ask how they encourage their employees to be part of the security process. This question is often confusing because they seldom think of end users as being part of the solution. In their minds, end users are generally the problem, whereas technical hardware is the solution.

Jack Brehm shows us that forcing end users to follow policies and procedures may work, but it will also produce some unintended consequences. These consequences might include:

  • Employees hating the security policies
  • Employees trying to “work around” the policies
  • Employees holding negative feelings toward the organization's IT people
  • Employees assuming that computer security is the problem of IT professionals

Instead of forcing compliance, IT professionals should convince end users that computer security is something that everyone contributes to and something that benefits everyone within the organization. Employees are more likely to support security policies when they feel like they’re engaging in them to benefit themselves and others.

Voluntary adoption, personal involvement, and internalization of IT values can result in employees who are on the front lines of cybersecurity rather than the weakest links.

So what did this series (hopefully) teach us? A Cyber-Mindful™ organization is achieved through thoughtful communication strategies - not just strict IT policies.
