The Role of Psychological Safety in Republic

What is psychological safety?

Psychological safety refers to the perception held by members of a group, that individuals within that group can express their honest thoughts, ideas, and concerns without fear of negative consequences, such as ridicule, reprisal, or ostracism. Perceptions of psychological safety can be fragile and must be continually fostered and carefully protected.  

Psychological safety is directly informed by: 

  • The representation of social constructs and models. This refers to both the overt and discreet ways in which social behaviours are positioned. For example, if something is represented in the group as scary, confusing, burdensome, or inaccessible (particularly amongst key influencers such as leadership, experts, or other social nodes), then there is unlikely to be a basis for psychologically safe decision-making.
  • The state of the social fabric as represented by the collective adherence to a psychological contract, wherein observed and personally experienced breaches reinforce that those around them cannot be trusted. 


In social conditions that prioritise psychological safety, individuals feel more comfortable taking interpersonal risks, sharing diverse perspectives, and contributing openly to discussions. 

What is the psychological contract?

The psychological contract refers to the unwritten expectations, beliefs, and perceptions that individuals hold regarding the reciprocal obligations between themselves and a power group they are involved with, such as an employer. In many cases it operates in parallel to written contracts and legal obligations but refers specifically to the phenomenon that operates at the socio-behavioural level. Thus, whilst this includes many fundamental social rules, ranging from the expectation to be protected from physical harm and undue psychological distress to general politeness, civility, and inclusivity, it also includes expectations attached to overt contractual obligations such as the expectation of timely pay, the sanctity of leave, and respect for work/life balance.

Where the terms of this unwritten contract are breached, psychological safety sharply declines and negative sentiment increases. This results in:

  • Deviant behaviours. Staff may intentionally ignore or break rules, usually on what they interpret as a justifiable basis. For example, if staff are given an overly complex process for a task with limited time or resources, and without a reasonable, rational, and internalised justification, this represents a psychological contract breach in the form of undue and avoidable psychological stress. In this case the staff member may vocally express discontent (thus influencing those around them) and may choose to ignore all steps of the process, taking an economised best-guess approach or applying workarounds to achieve the objective. In terms of security, this could expose significant vulnerabilities.
  • Avoidant behaviours. A psychological contract breach almost always precipitates a negative impact on psychological safety. Thus, staff may take steps to avoid the perceived cause of the breach in future. With regards to security, this stands to have a significant impact as staff may defer or abdicate key responsibilities. This can occur at the conceptual layer too, in which the individual attributes the experienced harm resulting from a breach to a much broader category rather than just the direct cause of the harm. For example, a driver who is unfairly awarded a parking fine may establish an enduring perception that they are uncomfortable parking in cities, and as a result may do all they can to avoid being placed in an analogous position even if the city, the car, the parking environment, and operator all differ from the original event. Moreover, this event could contribute to a general distaste for driving in built-up areas lest they find themselves in a position which calls them to park. Even if this has no objective correlation to the breach itself, it still could be part of the associated subjective experience for the individual. The breach has resulted in a general avoidance of a much wider set of behaviours than the original event had observable influence over.  


Finally, it is essential to note that the interwoven nature of psychological safety and the state of the psychological contract is compounded by social influence. It is well known that a single member of staff who has experienced a psychological contract breach can have wide-reaching influence on other members of staff. Those who are exposed second-hand now have a prototype of how their own breaches might occur, which in itself can result in second-order deviance and avoidance. It is worth noting, however, that this is typically less extreme than for those who are directly involved.

Why is this relevant in cybersecurity?

Cybersecurity has historically been presented to staff as a set of rules to abide by. Failure to comply results in staff being conceptualised as ‘offenders’. It also establishes a mindset amongst those who are responsible for security outcomes that the only way to achieve socio-behavioural security is to attempt to keep their staff under control, often leading to coercion and punishment-based controls. In many cases staff experience these controls and admonishments as unfair. Therefore, while each instance appears to security professionals as an effective step towards enhanced security, it represents a small breach of the psychological contract from the perspective of staff, often worsening psychological safety and resulting in deviant behaviours and avoidance.

The most significant version of this is observable within phishing tests, wherein staff are deceptively exposed to an inert malicious email. Staff are expected to identify the deception and report it in accordance with organisational policies. This has become the prevailing method for determining staff cyber-security efficacy, normally underpinned by statistics which cite that phishing remains the most common method employed by genuine malicious actors. Those staff who report the phish are understood to have complied with the standard and achieved the minimum expected behaviour, whereas those who fail to report, or those who fall victim to the deception, have failed and are often exposed to some form of remedial training as a result. When understood through the lens of psychological response, it is self-evident that such a process falls clearly within the scope of a psychological contract breach. Deception without a consent framework is exceedingly likely to be interpreted as such. Therefore, whilst staff may appear to comply with organisational phishing tests, the psychological outcomes can be frustration towards the activity itself, including vocal dissent; deviant behaviour such as conscious link-clicking to adversely impact statistics; or a deliberately liberal approach to labelling emails as suspicious. Worse, it can breed avoidance of security practices at the conceptual level. Symptomatically, staff may report that “security is not their job”, or that they “aren’t good with technology”. They may delay or fail to complete annual security training. These, and other indicators, can be subtle cues of general avoidance. Simply put, someone who psychologically avoids security is more likely to make mistakes and thus more likely to expose themselves and their employer to security vulnerabilities.

A significant body of research across numerous contexts strongly supports the case that degradation in psychological safety, whether through psychological contract breach or deformed and unhelpful social constructs, significantly reduces the likelihood that staff will communicate concerns. In the context of security, this means that staff are unlikely to report incidents. Given that each person has the potential to identify anomalous system behaviour, strange phone calls, or even unusual connections through social media, accessing this level of situational awareness could be the biggest tactical advantage when responding to threats. It therefore stands to reason that increasing propensity to report should be one of the most important objectives of cyber-security behavioural change, and that doing so without paying close attention to psychological safety is unlikely to attain optimal results.  

The collective impact of both psychological safety and the psychological contract cannot be overstated. Those who fail to effectively account for even minor breaches and losses of trust can find a rapidly growing number of people who avoid security tasks, act in ways that seem contrary to security outcomes, and demonstrate lost trust through fewer and fewer reports. However, the social impact is relevant in both directions. Those organisations that champion psychological safety and take steps to effectively operate with attention to the psychological contract find that they will initially develop a small number of staff who role-model ideal security behaviours. These individuals have a profound influence on those around them and through this mechanism, it is possible to sow the seeds of an autonomous security culture.  

Given the potential for harm if left uncontrolled, and the potential benefits for enhanced security if mobilised, Recyber has made these themes foundational in the creation of not only the Republic technology, but also of all of the Recyber service offerings.

Ethics and Republic

Alongside the methodological and technical controls built into the Republic platform, which have been meticulously designed to safeguard the psychological contract and foster a sense of psychological safety, we also interpret ourselves as a provider of psychologically orientated services rather than as an educator or corporate services offering. As a result, we take every step possible to align with the code of ethics defined by the British Psychological Society. This means that we opt to treat the people who use our technology with the same ethical underpinnings as a provider of therapeutic services.

  • Respect. We place the privacy and confidentiality of our users at the forefront of our responsibility. Whilst there are use cases for sharing the performance data of individual users, our position is that it is far more vital to protect those who use our service. Our focus is on helping people be as secure as possible, not identifying so-called ‘weak links’. Beyond this we consider our impact on individuals, the potential to wield unethical influence, and issues of consent and self-determination. This theme is best summed up by our general approach which starts from a place of empathy for the end-user and motivates what steps we can take to support the likelihood of them making a secure decision. 


  • Competence. The Recyber behavioural science team is a group of diversely skilled and experienced behavioural scientists. They are lecturers, thought leaders, and researchers in their own right. To maintain professional competence, the behavioural science team continually undertake individual and collective research projects, present at national and international industry and academic conferences, and seek to publish in peer-reviewed journals, all to ensure our expertise is not just current today, but continues to be so as we develop.


  • Responsibility. We hold ourselves to impeccably high standards of professional conduct and establish corporate and technical controls that keep us focused on delivering an unparalleled service. These include:
    • Our refusal to share individual user data in order to uphold the respect of our users. 
    • Our in-house ethical review process for the commission of new research, services, and platform features.  
    • Our separation of ideation, critical review, and approval processes when conducting research and methodology development.  
    • Our commitment to the open publication of our research for the betterment of the field of cyber-behavioural development.  


  • Integrity. We strive to build honesty, openness, and candour into our approach, both with customers and their userbase. Under no circumstances will we deviate from these core principles and are always content to explain their rationale to anyone who contests them.  


Aside from the moral obligation to our service users, this approach helps to ensure an effective trust relationship which makes the terms of the psychological contract held between us and our users as transparent as possible. This in turn feeds into the individual psychological safety of our users, and thus helps encourage secure decision-making.