(5 min read)
Habits are the brain's way of automating repeated behaviours to save mental energy.
The process of habit formation is a complex interplay between cues, behaviours and rewards, forming a loop that, over time, becomes automatic.
So, how do habits work, and why does this matter for our approach to cyber security?
A cue or prompt or trigger tells the brain to go into automatic mode. This cue could be a specific location, time of day, emotional state, other people, or an immediately preceding action. It signals the brain to initiate a behaviour that has, through repetition, been associated with that cue. For example, when the phone rings, you pick it up. Or, in cyber security terms, when you see a link in an email, you click on it.
Following the cue is the routine, which can be physical, mental, or emotional. This routine is what we think of as the ‘habit’, although it is actually just behaviour. Whether it’s going for a run at 6 a.m. or reaching for a snack when stressed, the routine is the action you take to respond to the cue.
The third component is the reward, which helps the brain determine if this particular loop is worth remembering for the future. Over time, if the behaviour consistently delivers a reward that is satisfying, the brain starts to associate the cue with the anticipation of the reward. This anticipation can become a craving, which is a powerful motivator for the routine behaviour. Clicking on a link in an email brings the potential of a reward – satisfying your curiosity, for example or finding an answer to a question. It’s exactly this behaviour that ‘clickbait’ social media posts are exploiting – and criminals do it too.
What’s the science behind habits?
Neuroscientific research shows that the basal ganglia, a deep brain structure responsible for motor control and procedural learning, plays a key role in habit formation. While the basal ganglia is involved in the development of habits, the prefrontal cortex, associated with decision-making and self-control, is more active when a behaviour is new.
Initially, new behaviours activate the neural system known as the associative loop, involving several parts of the brain, part of the basal ganglia, mid brain, pre-frontal cortex, which are to do with self-control planning and abstract thought.
As a behaviour is repeated, the activity begins to shift from the prefrontal cortex to the basal ganglia, and to the sensory motor loop (which uses a different part of the basal ganglia, the sensory motor cortices and the mid brain). This means that your actions have actually rewired your brain and your behaviour has transitioned from a conscious action to an automated one – so you don’t need to check what you’re doing, like which computer key to hit, or how to boil the kettle.
You then have a habit loop consisting of the cue, a routine, and a reward, as we talked about at the beginning of this article.
The value of reinforcement
Another factor in habit formation is reinforcement. Positive reinforcement, like the pleasure from a runner's high or the satisfaction of a clean living space after tidying up, strengthens the behaviour, making it more likely to occur in response to the cue. Negative reinforcement, which involves the removal of an unpleasant stimulus, like the relief from anxiety when checking a mobile phone, also strengthens the habit loop.
Habits can form without being intentionally developed. For instance, if someone eats a biscuit every day during their afternoon break because it is available and provides a temporary distraction from work, they may develop a habit around this routine without planning to do so. The repeated action in response to a consistent cue and followed by a reward, intentional or not, is the essence of how a habit is formed.
This reinforcement value is one of the reasons our cybersecurity training is designed the way it is – to constantly check that learners are creating the habits that help to protect themselves and their organisations.
How does stress affect our habits?
Stress has an impact on our cognitive ability. As Wendy Wood points out, stress shifts the balance of habit and conscious thought, which means that habits stay alive even as our cognitive abilities falter. Stress, distraction, mental tiredness, or lack of ability derails the conscious mind. Even slight levels of stress will release adrenalin and cortisol, both needed for our fight or flight response. But they degrade our executive function, and so we fall back to habit and the need to remove the stress.
Why does this matter to cyber security?
It’s human nature to develop habits. Exploiting this is why phishing emails continue to be successful. They play on our inclination to click links or open documents, and they are designed to cause a level of stress, or threat. In this situation, we’ll focus on the ‘stressor’, which hampers our ability to think clearly. This also happens in cases of ‘social engineering’ where a scammer tries to convince people to move money out of their bank account for example.
Step one is to bring this to people’s awareness. But knowing is not doing. Psybersafe is structured to help people break bad habits and develop new ones to take their place. To be that little bit safer. At Psybersafe, our habit-changing online cyber training is based on our expertise in behavioural science. We apply scientific research to create training that helps people think (and do!) differently about the way they approach cyber security, and this in turn makes organisations safer and attacks less likely to succeed.
Will this help your organisation? Of course it will. Contact us today to find out more and get a demo.
 Professor Wendy Wood’s book is worth reading: WOOD, W. (2021) Good habits, bad habits: The science of making positive changes that stick. S.l.: MACMILLAN.
Sign up to get our monthly newsletter, packed with hints and tips on how to stay cyber safe.
Mark Brown is a behavioural science expert with significant experience in inspiring organisational and culture change that lasts. If you’d like to chat about using Psybersafe in your business to help to stay cyber secure, contact Mark today.