
This website was created by the OECD Observatory of Public Sector Innovation (OPSI), part of the OECD Public Governance Directorate (GOV).

Reporting fake emails: How do you promote cyber-safe behaviour amongst SME employees?

General Information

Project description

The Ministry of Justice and Security developed a behavioural intervention aimed at inspiring individuals to adopt safe cyber practices: 'Valse email? Meld het via de meldknop' (Fake email? Report it using the report button). Thanks to this behavioural intervention, employees are ten times more likely to report suspicious emails internally. Moreover, click rates on links in suspicious emails have significantly decreased.

Why this experiment was conducted: One in five SMEs have been victims of cybercrime
One of the biggest cybersecurity vulnerabilities in SMEs is employee behaviour: all it takes is one mistaken click of a mouse for the company to fall victim to a cyber attack. The pilot study conducted by the Ministry of Justice and Security was aimed at reducing the risk of falling victim. The study focused on employees of SME metal firms. The intended behaviour was that employees should report suspicious emails to an internal reporting centre and should not click on any links in those emails.

Type of intervention: 'Valse email? Meld het via de meldknop'
The 'Valse email? Meld het via de meldknop' intervention was developed, based on behavioural insights:
• Companies set up an internal cyber reporting centre and installed a report button in their email software. This allowed employees to forward any suspicious email to the reporting centre easily and securely.
• In the interest of visibility, posters were put up throughout the companies (see image 31) and all employees received a digital flyer incorporating various behavioural techniques, such as promoting knowledge and awareness, inducing anticipated regret, providing an action framework, communicating a social norm, creating urgency and altercasting, a technique that assigns roles to individuals in order to influence their behaviour.
• 3D stickers were placed on monitors to remind employees of the desired behaviour at the right time.
• All managers received a guide including tips on how to stimulate discussion about cybersecurity in their team, to create a positive social norm.

Method used: baseline and impact measurements
A field trial was conducted to test how frequently employees internally report suspicious emails and how often they click suspicious links. For this purpose, three fake emails were sent to all employees of the SME metal firms taking part in the study: one prior to the behavioural intervention and two following the behavioural intervention. Data from four companies with a total of 160 employees were analysed. A perception survey was also conducted amongst employees.

Result obtained: more than tenfold increase in internal reports of suspicious emails
Roughly one to two weeks after the behavioural intervention was applied, a more than tenfold increase in internal reports of the fake email was recorded compared to the period prior to the intervention: from almost 3% to nearly 30% of employees. Approximately six to seven weeks after the intervention was applied, this figure was 18%. Clicks on links in the fake emails also fell noticeably after the intervention: nearly one in five recipients had clicked prior to the intervention, compared with 2.5-3% afterwards (18% before vs. 2.5-3% after). See figure 37. In the perception survey, almost 80% of respondents said that the behavioural intervention had made them more aware of fake emails. Respondents also reported finding it easier to report suspicious emails internally using the report button. 60% of employees who internally reported a fake email did so using the report button, making the report button the predominant method for reporting fake emails.

Impact: lower risk of falling victim to cybercrime
The pilot study showed that smart application of behavioural insights helps to raise alertness, awareness and cyber-safe behaviour amongst SME employees. Internal reporting of suspicious emails reduces the risk of falling victim to cybercrime, since it allows suspicious emails to be investigated, action to be taken and, where necessary, other employees to be alerted. This works preventively, but also remedially: the company can take action if someone accidentally clicked a link anyway. The behavioural intervention was tested in SME metal firms, but could also be applied more widely amongst SMEs in other sectors.

Source: https://www.binnl.nl/home+-+en/knowledge/publications/bin+nl+publications/HandlerDownloadFiles.ashx?idnv=2719979

Detailed information

Who is behind the project?

Institution: Netherlands Ministry of Justice and Security
Team:

Project status:

Methods

Methodology: Field Experiment
Could you self-grade the strength of the evidence generated by this study?: 8

What is the project about?

Policy area(s): Cybersecurity
Topic(s): Compliance

Date published:

4 October 2024