I talk frequently about the critical difference between ‘awareness’ and ‘behavior.’ This is important because, as a security professional, I actually care more about what people do than what they know. People know lots of things that they don’t care about. What really matters is how they behave.
This naturally raises the question: “How can we influence security-related behaviors?” When it comes to influencing security behavior, it helps to look first at effective marketing strategies. The field of marketing has been working for a very long time at influencing behavior, and we can learn a lot by studying marketing principles and practices.
For instance, a product’s marketing strategy may contain several distinct events, but it would not succeed if there were only one event per year. That’s why advertisers hit us again and again with messages, images and stories about their product and how it fits into our lives. In the end, marketing is about affecting hearts, minds and attitudes with the goal of influencing behavior, and it works.
For this post, let’s focus on one specific marketing strategy that can (and should) be applied to your security awareness program: the concept of “drip marketing.” Have a look at how this concept is presented to marketers; I’m sure you’ll find it compelling and relevant in the context of security awareness.
A drip marketing campaign consists of providing a prospect with a first set of information, then providing additional information depending on how they behaved while in possession of that first set (did they read it, did they perform an action after digesting it, etc.).
Raising a user’s security awareness works in a similar way. If you provide users with meaningful, engaging security content on a frequent basis, you help them retain the information while improving the security posture of the organization.
Typically, security awareness training is merely a compliance exercise done once a year, in ways that feel irrelevant to employees. We inundate them with information with minimal context, relevance, empathy or engagement. This approach gives people no meaningful way to digest and retain information, and it does nothing to enhance the security posture of the organization.
Dr. BJ Fogg (founder of the Behavior Design Lab at Stanford University) created the Fogg Behavior Model, which holds that three elements must converge at the same moment for a behavior to occur: motivation, ability and a trigger (called a prompt in later versions of the model).
When a behavior does not occur, at least one of those three elements is missing. The model considers whether a task is easy or hard to do and whether it takes much or little motivation.
The model looks at how to increase motivation or make the task easier to do, and it drives home the point of putting a message out at the right time (a trigger), such as placing a sign about secure shredding near a printer: the sign sits next to the machine that prints potentially sensitive information that may later need shredding.
An additional step, such as adding a picture of peers disposing of paper the right way (to create social pressure) or a picture of a baby (to raise motivation by prompting thoughts of the future), can increase motivation further.
There are both overt and subtle ways to influence behavior. Some of the more overt ways include simulated phishing exercises, automated blocking of inappropriate behavior and redirection to related training, visible surveillance cameras, login banners letting people know that they are being monitored, etc. When people know they’re being tested and evaluated based on their behavior, they tend to pay more attention.
Content dripping (where you start someone off with a bit of information, then continue sending them similar information depending on what they choose to engage with) can serve as a more subtle, contextual and relational way to influence thought and behavior over time. Just like drip marketing, frequent touch points are the way to go when it comes to security awareness training.
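To make the content-dripping idea concrete, here is an added example of the decision logic such a program could use (this is illustrative code written for this post, not code from the original article or any awareness product). The module names, the time windows, the event kinds and the idea of branching a user who clicked a simulated phish into a remediation module are all assumptions chosen for illustration; the point is that each user's next touch point is selected from what they actually did with the last one, rather than from a fixed annual calendar.

```python
"""Hypothetical content-drip scheduler for a security awareness program.

Added example, not from the original post. Track names, windows and event
kinds are assumed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Ordered drip track: short modules delivered as frequent touch points.
TRACK = ["phish-basics", "phish-reporting", "password-managers", "secure-shredding"]
REMEDIATION = "phish-remediation"   # branch for anyone who clicked a simulated phish
NUDGE_AFTER = timedelta(days=3)     # re-prompt content that sits unopened/unfinished
ADVANCE_AFTER = timedelta(days=7)   # minimum spacing before the next new module

EPOCH = datetime(2024, 1, 1)        # constructed reference time for the sample data


def at(days: int, hours: int = 0) -> datetime:
    """Helper for building constructed timestamps relative to EPOCH."""
    return EPOCH + timedelta(days=days, hours=hours)


@dataclass
class Event:
    when: datetime
    kind: str      # "sent", "prompted", "opened", "completed", "clicked_sim_phish"
    content: str   # module id (or simulated-phish id for click events)


def _track_position(history: list[Event]) -> int:
    """Index in TRACK of the most recently sent track module, or -1 if none."""
    pos = -1
    for e in history:
        if e.kind == "sent" and e.content in TRACK:
            pos = TRACK.index(e.content)
    return pos


def next_action(history: list[Event], now: datetime) -> Optional[tuple[str, str]]:
    """Pick the next drip action for one user from their engagement history.

    Returns (action, content) where action is "send", "remind" or "nudge",
    or None when nothing is due yet (or the track is finished).
    """
    if not history:
        return ("send", TRACK[0])
    history = sorted(history, key=lambda e: e.when)

    # Behaviour-driven branch: a click on a simulated phish overrides the track.
    if history[-1].kind == "clicked_sim_phish":
        return ("send", REMEDIATION)

    sent = [e for e in history if e.kind == "sent"]
    if not sent:
        return ("send", TRACK[0])
    current, sent_at = sent[-1].content, sent[-1].when
    later = [e for e in history if e.when > sent_at and e.content == current]
    opened = any(e.kind in ("opened", "completed") for e in later)
    completed = any(e.kind == "completed" for e in later)

    if not completed:
        # Unopened or unfinished content: re-prompt, but only after a quiet period
        # measured from the last time we prompted (or from the original send).
        prompts = [e for e in later if e.kind == "prompted"]
        reference = prompts[-1].when if prompts else sent_at
        if now - reference < NUDGE_AFTER:
            return None
        return ("nudge", current) if opened else ("remind", current)

    # Completed: advance along the track once the spacing window has elapsed.
    if now - sent_at < ADVANCE_AFTER:
        return None
    pos = _track_position(history)          # remediation does not count as progress
    if pos + 1 >= len(TRACK):
        return None                          # track finished
    return ("send", TRACK[pos + 1])


if __name__ == "__main__":
    # Constructed sample history for one user: completed the first module,
    # then clicked a simulated phish and was routed into remediation.
    sample = [
        Event(at(0), "sent", "phish-basics"),
        Event(at(1), "opened", "phish-basics"),
        Event(at(2), "completed", "phish-basics"),
        Event(at(8), "sent", "phish-reporting"),
        Event(at(9), "completed", "phish-reporting"),
        Event(at(10), "clicked_sim_phish", "sim-phish-01"),
    ]
    print(next_action(sample, at(10, 1)))    # remediation branch
```

The calendar here is driven entirely by engagement events: an unopened module earns a reminder, an opened but unfinished one a nudge, a completed one the next module after a spacing window, and a simulated-phish click a detour into remediation before the track resumes. In a real program those events would come from the learning platform and the phishing simulator; the thresholds are tuning knobs, not recommendations.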
Influencing behavior isn’t easy, but security professionals who think like marketers will be more successful in their security awareness training efforts.