Why we like to lie to ourselves.

People like to fool themselves. They know it’s dangerous to use the same password for multiple accounts. But they do it anyway. The unpleasant feeling that results is called cognitive dissonance. Security-conscious thinking is often not reflected in action, which also increases the risk of cyberattacks. In this article, learn how cognitive dissonance occurs and how you can still encourage employees to adopt secure password behaviors.

It’s 2021, and user password behavior remains poor. A study conducted* in March shows that the majority of people do not observe the most important password rules: 60% of Internet users use the same password combinations for several or all accounts. Compared to the previous year, this figure has actually increased by one percent. What’s also on the rise is the number of accounts: 41% of respondents have more than 15 password-protected accounts, which is probably also related to the Corona pandemic. In 2020, many companies had to allow their employees to work from home, which also accelerated the digitization of the professional field.

More apps = fewer passwords?

More accounts, of course, mean more login combinations to learn. But it's obvious that Internet users can't and won't remember 15 different email/password combinations. For them, it's much easier to come up with a standard password for all applications. Studies show that as many as 76% of employees use the same password for different applications. But that multiplies the security risk. If an attacker obtains the password for one application, they have direct access to all other accounts. They hold the master key to a skyscraper, so to speak, which opens not only the front door but also every apartment door.

Cognitive dissonance: humans are incomprehensible beings

Don’t users know how insecure their passwords are? According to the association sicher im Netz, most users know how dangerous it is to use the same password for multiple accounts, but they do it anyway. When action and knowledge are in harmony, people feel good. Cognitive dissonance occurs when cognitions contradict each other and cause feelings of tension. An example of this is smoking: “I smoke” vs. “Smoking is unhealthy.” When people smoke repeatedly, even though they know how unhealthy it is, they experience negative feelings of tension. To avoid experiencing them, they simply repress or ignore negative aspects such as health consequences.

Cognitive dissonance in password behavior

Password behavior also shows a tendency toward cognitive dissonance, an imbalance between knowledge and action. Internet users know how dangerous it is to use the same password with different applications, but they do it anyway. They neutralize the negative feelings by deliberately suppressing information. For example, they believe they are invulnerable to cyberattacks. This contrasts sharply with the fact that 40% of Germans have already been the victim of a cyberattack. In the corporate context, an even higher figure is startling: 96% of all German companies have already suffered a business-damaging cyberattack.

Long-term alleviation of cognitive dissonance: behavioral change!

To overcome cognitive dissonance in the long term, there is only one effective remedy: behavioral change, both in the private and in the professional context. And for this, a clear objective is needed. In the company, strategically oriented communication can trigger behavioral change. It is very important that this communication takes place at eye level between employees and the IT department. Authoritarian behavior from IT, such as pressure and orders, often brings about only short-term changes among employees, who then fall back into their dangerous password behavior. Long-term behavioral change also requires the insight that one's own actions contain weaknesses. In fact, lasting behavioral change can only be achieved if the desire for change arises from within the employees themselves. Employees need to understand the impact of reusing passwords and realize that their password behavior poses a high risk to the company. Regular security awareness training makes it clear to employees how important complex passwords are.

Taking pleasure in secure passwords

Another important step on the path to lasting behavioral change is to link the new behavior with positive feelings. Employees should take pleasure in their new password behavior. This can be achieved by introducing password management software that generates passwords independently and stores them securely. Complex passwords are automatically generated and stored without stress or effort, so employees only need to remember one master password. What's more, logging in takes seconds, making their work much more efficient. Thanks to the user-friendly interface and ease of use, employees quickly learn that using secure and distinct passwords with password management software can be simple, efficient and stress-relieving.
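To make concrete what such software does for the employee, here is a small Python password-manager core written as an added example for this article (it is not the code of any product the article may have in mind). It shows the three pieces the paragraph above relies on: per-account passwords drawn from the operating system's cryptographic random source, a single master password that is verified with a slow, memory-hard hash (scrypt, with parameters chosen here as an assumption), and an audit that finds accounts sharing the same password. The account names and the reused password `Summer2021!` are constructed sample data. Encryption of the stored entries at rest is deliberately left out so the example runs with the standard library alone; a real manager would additionally encrypt the vault with an authenticated cipher under a separately derived key.

```python
"""Minimal password-manager core (added example, standard library only):
per-account random passwords, master-password check with scrypt, reuse audit."""
import hmac
import secrets
import string
from hashlib import scrypt
from typing import Dict, List, Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generate_password(length: int = 20) -> str:
    """Draw a password from the OS CSPRNG (secrets, never random()) and
    resample until every character class is present."""
    if length < 12:
        raise ValueError("manager-generated passwords should be long")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def master_verifier(master_password: str, salt: bytes) -> bytes:
    """Memory-hard hash of the master password. The scrypt cost parameters
    (n=2**14, r=8, p=1, about 16 MiB) are an assumption for this example."""
    return scrypt(master_password.encode("utf-8"), salt=salt,
                  n=2 ** 14, r=8, p=1, dklen=32)


class Vault:
    """Holds account passwords in memory while unlocked.

    Assumption: a production manager would also encrypt the entries at rest
    with an AEAD under a second, separately derived key; that is omitted here.
    """

    def __init__(self, master_password: str) -> None:
        self.salt = secrets.token_bytes(16)          # per-vault random salt
        self.verifier = master_verifier(master_password, self.salt)
        self._entries: Dict[str, str] = {}

    def unlock(self, master_password: str) -> bool:
        """Check the master password in constant time against the verifier."""
        candidate = master_verifier(master_password, self.salt)
        return hmac.compare_digest(candidate, self.verifier)

    def add(self, account: str, password: Optional[str] = None) -> str:
        """Store a password for an account; generate a fresh one if none given."""
        if password is None:
            password = generate_password()
        self._entries[account] = password
        return password

    def get(self, account: str) -> str:
        return self._entries[account]

    def reused(self) -> Dict[str, List[str]]:
        """Map every password shared by more than one account to those accounts."""
        by_password: Dict[str, List[str]] = {}
        for account, pw in self._entries.items():
            by_password.setdefault(pw, []).append(account)
        return {pw: sorted(accs) for pw, accs in by_password.items()
                if len(accs) > 1}


if __name__ == "__main__":
    # Constructed sample data: two accounts share a typical reused password.
    vault = Vault("correct horse battery staple")
    vault.add("mail", "Summer2021!")
    vault.add("bank", "Summer2021!")
    vault.add("shop")                   # manager generates this one
    print("unlock ok:", vault.unlock("correct horse battery staple"))
    print("reused passwords:", vault.reused())
    print("generated for shop:", vault.get("shop"))
```

The reuse audit is the defender-side counterpart of the "master key to a skyscraper" problem: once the vault holds the passwords, identical entries across accounts are trivial to spot and replace with generated ones, and the employee only ever types the master password.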

66 days of patience

Behavior change doesn’t happen overnight. According to one study, it takes an average of 66 days before a new behavior becomes automatic. Employees should not be overwhelmed during this transition period, and all levels of the organization should show understanding and offer support while it lasts. A little trick from psychology can provide additional support during this time: rewards. Once employees have learned better password behavior after an average of two to three months, which should also carry over into their personal lives, a reward can symbolize appreciation for their efforts. The reward does not have to be financial; it can also be a fruit basket for the office or a cold drink after work. The only important thing is to praise employees for what they have achieved.

Positive error culture in companies

Just as fundamental as proper communication is a positive error culture in companies. Anyone who has ever gone on a diet or quit smoking knows how quickly people fall back into old and harmful behaviors. That’s why IT should never threaten penalties if employees still choose insecure passwords. On the contrary, to give employees a point of contact for their questions and concerns, the CISO and IT should be approachable at all times and actively encourage employees to reach out to them.

With patience, proper communication and the introduction of password management software, employees can be persuaded to adopt better password behavior – even those with particularly high levels of cognitive dissonance.

To learn even more about password policies, download our free whitepaper.

* Bilendi, the market research company, surveyed 1050 German Internet users in February 2020.