“If you don’t like what people are saying, change the conversation.” -Don Draper, Mad Men

When it comes to embedding good security practices into the everyday workings of your employees, it’s not what you say, but how you say it.

However, many security awareness campaigns fail to have a real impact on employees’ security behavior. Why?

For one simple reason: because knowing is not the same as caring.

Let’s look at this idea a bit more closely.

Most awareness campaigns assume that if employees are told all the risks, stats, and policies explaining why they need to behave securely, then they’ll surely be highly motivated to do the right things, such as spot that phishing email, report the dodgy SMS, and hang up on callers who say they’re from a previously unheard-of IT provider.

Employees remain your greatest security vulnerability

In practice, of course, it rarely works this way. Indeed, many employees at sophisticated organizations will already know the importance of complex passwords, the need to lock workstations, and the fact that opening links in emails is not always very wise. And yet, employees remain an organization’s greatest vulnerability when it comes to security. Threat actors are clever, and are constantly coming up with new ways to catch employees off guard.

To empower your employees to be your first line of defense against the threat landscape, and to encourage good security behavior beyond attempting to scare them with statistics, you need to actually get your employees to care about security, and get them to want to change their behavior. 

The solution? Message modification mixed with good old-fashioned peer pressure.

The power of positive social norms

Message modification is one of the most widely researched applications of theory at the behavioral scientist’s disposal. Subtle changes to messages and to their mode of delivery can have a surprisingly large effect on their effectiveness, working at a subliminal level to produce changes in social and cognitive processes.

Let’s look at this example from “Influencing behaviour: The mindspace way”:[1]

‘In recycling, when a hotel room contained a sign that asked people to recycle their towels to save the environment, 35% did so. When the sign used social norms and said that most guests at the hotel recycled their towels at least once during their stay, 44% complied. And when the sign said that most previous occupants of the room had reused towels at some point during their stay, 49% of guests also recycled.’

Social norms, and the processes that govern how these are understood, are arguably the most impactful of those things that govern how likely behavior is to change. But how can we apply this to security?

[Figure: Chart 7, “Keep account safe” social-prompt example]

A recent study found that the use of social prompts significantly improved the extent to which 50,000 participants chose to address their social media account security settings. Note how in the above example the ‘norm’ is merely implied: just because 108 of your friends performed an action doesn’t necessarily mean the action is ‘normal’ in the strictest sense. Nevertheless, the social proof was enough to make a difference, and the sole expenditure for this ‘gain’ was the effort of typing a few additional words.

Accentuate the positive

While our emphasis is on the positive, it is also imperative to avoid reinforcing negative social norms. For example, we’ve lost count of the number of times we’ve seen those seeking to change password behaviors start by hammering home how unusual it is for people to set adequate passwords. This almost certainly has a counterproductive effect on the chances that an individual will change their password behavior: at a basic level he or she will feel that it is normal to ignore this advice, and therefore justified in continuing to do so.

Changing the security behavior of your employees is both art and science. To find out more about how we apply message modification and social norms to our tailored security behavior programs, get in touch or read our whitepaper Hacking the Mind: A Psychological Approach to the Human Aspects of Information Security.
[1] Dolan, P., Hallsworth, M., Halpern, D., King, D., Metcalfe, R., & Vlaev, I. (2012). Influencing behaviour: The mindspace way. Journal of Economic Psychology, 33(1), 264–277. https://doi.org/10.1016/j.joep.2011.10.009