Many security awareness programs fall short because they take a cookie cutter approach and do not consider the complexities of how individuals are motivated to take action. There is an abundance of insight and best practices that can be leveraged from other disciplines to help security practitioners achieve measurable behavior change.
On Wednesday, February 26, 2020, Daniel Eliot, Director of Education & Strategic Initiatives, National Cyber Security Alliance (NCSA) will sit down with leading experts—Lisa Plaggemier, MediaPRO; Masha Sedova, Elevate Security and Perry Carpenter, KnowBe4—who have a wealth of experience designing effective security awareness programs that integrate successful approaches from the fields of behavioral science, advertising and data.
Here is a sneak peek into the broader conversation on “Improving Security Awareness with Psychology, Advertising and Analytics” that will take place at the RSA Conference:
Q: Employees have a lot of competing priorities. What is one insight from the fields of communications and marketing that security awareness practitioners can leverage to cut through all the noise and actually get people’s attention?
A: (Lisa Plaggemier, Chief Strategy Officer, MediaPRO)
I have two pieces of advice that can help you when your awareness program isn’t engaging people.
First, marketers start with understanding their audience through market research and creating something called marketing personas. I think we in security can benefit from adding this research step. We see our goals—protecting the organization, reducing phishing clicks, reducing malware infections, reducing DLP alerts like sending SPI unencrypted, whatever the behavior is—but do we really understand the person, or the “persona”, whose behavior we’re trying to influence? Is there a business goal he or she has to achieve every day that is their guiding motivation that leads them to an insecure behavior, like a client requesting a report containing SPI over email and that’s generating the DLP alert? You won’t know these things unless you talk to people and understand why they’re clicking, what motivates them, how they think. Do your research first, then you will be able to use or create awareness materials that engage because you understand your audience.
Second, I’ll offer one of my all-time favorite quotes. The advertising genius David Ogilvy (1911-1999) said, “When you have written your headline, you have spent eighty cents out of your dollar,” meaning, if you don’t get people’s attention, they won’t see the rest of your message. Eight out of 10 people don’t read past the headline, or the email subject line. Just two stay and read the rest! But “the rest” is where we tend to invest all our efforts, for instance, in writing an article for a company newsletter. If the title of the article or the subject line of the email doesn’t give people a reason to linger a little longer and read our message, our message never gets through. We never get a chance to deliver our well-crafted article because we lost people at the headline. Be concise and use clever headlines that hook people and inspire them to keep reading.
Q: What is one thing security teams can do to motivate and influence employees to actually change their behavior?
A: (Masha Sedova, Co-Founder, Elevate Security)
Start by saying, “Great job, you’re awesome!” I don’t spend a lot of time talking about how we more effectively punish our employees because honestly, we do a great job of that in security and we’ve been doing it for decades. Security teams need to develop the muscle for positive reinforcement and move away from fear. What studies have found is that shame and fear motivate up to a certain point at which point they become overwhelming and demotivating. When something is too big and too scary, it doesn’t actually lead to more action, it leads to numbness and inaction.
Dr. Gottman, a researcher out of Harvard University, studied marriages to try and map couples who had the highest likelihood of staying together versus those that don’t. Gottman studied 700 couples initially and with a 90% probability, he was able to figure out which couple was going to still be married in the next five years; the couples who had five positive interactions to every one negative interaction were the ones who had the greatest chance of staying together. The Harvard Business Review did a similar type of analysis on high and low performing teams and they found that the ratio stayed the same.
You can take those ratios and apply them to the relationship of security teams to your employees and understand that for every one time that you criticize them for policies or missed patches or annual security training conduct, there needs to be five times where you say thank you so much for following all of these complex rules and rituals that we formalized. One way to do this is through our digital environment. We help our customers send regular emails to their employees that validate and reinforce positive behaviors, give them badges for good work, use positive, uplifting language, and are designed to positively influence. It seems like a small thing, but it makes a big difference for motivating employees to change their behavior.
Q: What is one question security practitioners should begin asking themselves when designing a new cybersecurity awareness program or re-evaluating their existing one?
A: (Perry Carpenter, Chief Evangelist and Strategy Officer, KnowBe4)
There is one question that should be asked over and over again during the process of designing (or redesigning) your program, and that question is, “Are the expectations that I have for my people consistent and compatible with basic human nature?” My philosophy for security awareness boils down to three realities:
- Just because I’m aware doesn’t mean that I care.
- If we try to work against human nature, we will fail.
- What our employees do is way more important than what they know.
So, with every aspect of a program, I want to bring the reality of human nature front and center. That means being brutal in setting expectations about what is achievable with any given element of an awareness program.
Thinking through this lens leads security awareness leaders to be more deliberate and ask new questions related to how (and why) they deploy traditional information-based elements of an awareness program. And thinking through this lens will often lead awareness leaders to shift their strategy and find more innovative ways to intentionally shape the behaviors they are targeting. It also tends to have the effect of encouraging program managers to measure effectiveness by tracking behavioral, attitudinal, and cultural indicators rather than more traditional metrics.
NCSA will be exploring this topic in depth at the RSA Conference. Mark your calendars for Wednesday, February 26, 8:00 AM – 8:50 AM (PST), Moscone South.