How to succeed with security behavior change
To stay safe online, people need to care more about the security decisions they face every day. But unless the gains obviously exceed the required effort, change is often avoided. Luckily, behavior change in general has been the subject of a lot of research, and here are some takeaways for information security professionals.
Change can be painful to all of us, in all areas of life. This is only human, as we frequently tend to choose the path of least resistance. The reason for eventually making a change is that, overall, we believe the change will make our lives better.
People will however respond and adapt to change with less pain, if:
- the change itself is considered small, and requires little effort;
- the change makes sense, and obviously makes life better.
Switching TV channels (or streams) is easy because it takes a single press of a button. But still, we only do it if we believe in the opportunity for a better show than we are currently watching.
Changing your physical workout habits, however, is often a lot more difficult, even if you know it improves your health and well-being. Turning off the TV in favour of exercise is no longer just a minor change.
So maybe you read this now and spontaneously decide to get your heart pumping for a few minutes. Would this little reminder have helped you form a new and permanent behavior anyway?
Probably not. Even if you already know it would give you a longer and happier life!
So how can we, as security professionals, expect people to just take our advice and actually change their information security behavior?
Motivations for change
It is evident that change does not simply follow from knowledge of a better way.
For example, some people do not immediately see the point of locking their digital device whenever leaving it unattended, despite their employer's information security policy saying that it should be done. Always.
Behavior change is however easier if you are highly motivated to change.
If your physician told you that without a lifestyle change you would have a heart attack within the next six months, exercise would become a matter of life and death. This would probably motivate most people a lot!
On the other hand, people are usually not able to intuitively connect the dots between leaving their device unlocked and the potential consequences of somebody abusing their digital identity.
It is difficult to see how an unlocked device can lead to real impact in the physical world, with severe consequences for themselves, customers, colleagues or companies, if it happens just once, at the wrong place and at the wrong time.
Knowledge can nevertheless increase people's risk understanding, so that they are better able to discover the importance of a specific behavior.
With high motivation also comes the ability to perform more difficult tasks.
Behavior change is also more easily attainable if the change is small and simple.
In addition, the desired change needs to be actionable, something concrete. Not just "exercise more" or "stay safe online", but rather "lock your PC when you leave it".
Unfortunately, some people still believe they need to navigate through three clicks on the screen, via the Start menu, to lock their device. Their workload increases even further if they are not allowed to use biometrics like fingerprint or iris scan to unlock either. Maybe they are also required to change passwords at regular intervals, so they cannot learn to type it fast before having to re-learn a new one.
Locking your device once is one thing, but when doing ten or twenty repetitions each day, taking on a new habit here could indeed require some motivation.
However, if people learned about the keyboard shortcuts for locking the computer (Windows key + L, or Ctrl + Cmd + Q on Mac), at least this part becomes much easier to accomplish.
If we also were able to remove some obstacles to logging back in, the entire routine would require even less motivation to perform again and again.
Triggers for a new habit
Falling back to old routines can still happen to the best of us. Just as with exercise, turning a few repetitions into a lifetime habit is a greater challenge than keeping it up for a week or a month.
Behavior psychology can, however, teach us something about forming persistent habits too, especially once the motivation-versus-difficulty challenge has already been solved.
Say you have figured out that doing 10 push-ups every day would be a goal within reach. How would you ensure that this little physical exercise takes place every day for the rest of your life?
The trick here is to connect your new habit with an existing habit you have.
For instance, consider the fact that you are brushing your teeth every day. This is also likely to take place more than once every day, but the mornings can be stressful enough already. So let's avoid the mornings, and consider making a focussed commitment as follows:
"Every time after I have brushed my teeth in the evening, I will do 10 push-ups."
And there you have it, a realistic goal (replace 10 with whichever number suits your motivation), and a clear trigger, free of obstacles, which can easily be remembered.
Apply the same idea to locking your computer when you leave it, and we could end up with something like this:
"Every time I lift my butt from my chair, I press Win + L on the keyboard."
Voila! Learning new habits this way will quickly turn them into second nature. In fact, the habit becomes so embedded in your behavior that you even do it at home, all alone, when reaching for a glass of water.
With the obstacles to logging back in removed, and an understanding of the risk you avoid by never having to worry about forgetting to lock your device, this routine will not feel like work anymore.
New habits for security professionals
A little twist to summarize this article is to state the obvious fact that IT and security professionals are human, just like anyone else.
And just like any of our colleagues, we tend to have our own little habits, both in terms of daily routines, and also in how we think about the bigger picture.
Consider how your organization has approached security awareness lately.
Although the threat landscape is changing, has your team considered any change to how you manage human risk in your organization?
Maybe the formula so far has involved some e-learning content on information security, doing some phishing simulations, and creating a little bit of attention during the national security awareness month in October every year.
Your key performance indicators for human cyber risk are mainly the percentage of employees completing the e-learning, and the percentage of people who clicked the phishing simulation link. Sound familiar?
Maybe you are doing this because this is what we have always done, and what "everyone else" is doing, so why change a "winning team", right?
Yes, change can indeed be difficult for security professionals as well. And yes, trying something new may feel like a bigger risk than sticking with the status quo.
But does that mean we do not need change to keep our organizations secure? Are you considering the alternative risk of not finding a better way, when better ways exist?
This is precisely why Secure Practice was founded five years ago: to find a better way to achieve persistent security behavior change, and to build it with measurable outcomes beyond whatever else is found in the market today.
Therefore, we are happy to launch our very special campaign offer, "Security awareness month – every month", which allows organizations of all kinds to measure and manage human cyber risk over time.
Hopefully we have motivated you to move beyond the status quo; we have also tried to remove all obstacles for you, so the only thing remaining is the trigger question:
Are you ready to make the change?
2 July 2022