Applying Behavioural Systems Mapping to enhance cybersecurity and resilience

Ensuring Australians are safe, and that resources are sustainable and productive into the future, requires strengthening resilience to cyber and information security threats. To achieve this, BehaviourWorks Australia was engaged to facilitate strategic coordination and governance amongst managers and employees.

The aim was to promote the adoption of behaviours that enhance cybersecurity, by implementing proactive and widespread improvements.

Poor or outdated cyber and information security is a complex problem with many contributing factors. Complex problems are best addressed by taking into account the system in which the problem operates. The interconnected factors and stakeholders involved are key considerations in developing effective and sustainable solutions.

Thus, we employed Behavioural Systems Mapping - a tool that combines Systems Thinking and Behavioural Science to help analyse a complex system through the lens of human behaviour.

The challenge:
Using Behavioural Systems Mapping to find leverage points to inform behaviour change interventions to enhance cyber capability
Partners:
A network of Australian organisations
When:
2024

What did we do?

First, we conducted an initial document review of existing policies and frameworks. The review focused on identifying:

  1. Cyber and information security risks, including threat, probability, and consequence
  2. Governance actors and processes
  3. Interventions or support to comply with obligations
  4. Behaviours addressed by interventions
  5. Drivers and barriers of each behaviour

Second, we completed the Behavioural Systems Mapping, which involved 3 workshops, and sought to:

  1. Create a map that identifies, defines, and determines relationships between key elements
  2. Interpret the maps to identify opportunities for behaviour change interventions
  3. Brainstorm possible behaviour change interventions to facilitate adaptive change in the system

What did we find?

In our initial document review, we found:

  • Unclear and inconsistent terminology
  • Incomplete information about specific processes
  • Lack of clarity in accountability and undefined responsibilities

In the 3 workshops, participants’ opinions and experiences were collected. We found:

  • Factors such as motivation and capability constraints limited individual staff protective behaviours
  • Organisational cybersecurity behaviours (i.e. that enable individual protective behaviours) face similar challenges, with added constraints from limited resources and guidance
  • Workload issues and lack of resources contributed to a lack of collaboration behaviours
  • Organisational leadership was faced with issues such as insufficient funding and a complex cybersecurity environment

What’s next

By exploring the ‘line of sight’ between individual staff, organisational, and network-wide actions, several potential opportunities emerged as methods of proactively improving cybersecurity. Notably, participants saw solutions as sitting primarily at the organisational and network-wide level, not with individual staff.

Opportunities identified include:

  1. Pre-establishing procedures and templates to guide incident response and management
  2. Establishing protocols to guide communication during incidents 
  3. Increasing cyber capability
  4. Educating boards on cyber support resourcing, roles and protocols

Read the summary report.
