3 keys to designing secure cyber behavior

Increased awareness of security problems doesn’t always translate to more secure behavior.


Cybersecurity is a complex skill to master. This is not because there is a dearth of tools or technology (a common misconception), but because the human element is the most common root cause of successful cyber-attacks.

Organizations can spend all the money they want on technology, but if a crafty attacker picks up the phone, sends a phishing email or manipulates people into performing an action, those controls are bypassed and the attacker gets what they came for. It’s like building a security fence around the house and locking all the windows, then opening the front door to the attacker. Security leaders increasingly recognize this problem, which is why security awareness is a top security priority. Yet awareness doesn’t always translate into secure behavior, and shaping that behavior is no easy feat.

Security behavior, behavioral science & human nature

According to Dr. BJ Fogg, chief scientist at the Stanford Behavior Design Lab, human beings are inherently lazy and creatures of habit. In a security context, that means our subconscious mind relies on mental shortcuts (heuristics) and is subject to biases when making security-related decisions.

For example, if an email appears to be from someone we know or trust, we are more likely to click an embedded URL without verifying that the sender’s domain or email address is genuine. Socially, we are easily influenced by others, and the cultural norms around us shape our default behavior. So if leadership teams are not taking security seriously, chances are we won’t either.

As creatures of habit, we like to do things the way we have done them before, and breaking habits is difficult. Studies show that a small percentage of users repeatedly fall victim to phishing attacks and are responsible for a large share of security failures.

In addition, there is a major gap between knowledge, intent and behavior. Just because I’m aware of something doesn’t mean that I care; just because I care doesn’t mean I will act on it. I may have competing priorities and pre-established habits, and we can always do that new thing tomorrow. As parents, we may have told our children several times to clean their rooms; they’re aware, but they just don’t care or have other priorities. Similarly, employees might have the knowledge, but without some form of motivation they won’t prioritize security or exhibit secure behavior.

3 key elements that help design secure behavior

According to the Fogg Behavior Model, three things must happen simultaneously for a behavior to occur: ability, motivation and a prompt. Let’s break these down from a security perspective.

1) Ability: This is probably the most fundamental of the three. For a person to exhibit secure behavior, they need the right amount of security knowledge, and the secure action itself must be easy enough to perform. If one is asked to lift 500 pounds without training, they probably can’t. But if one trains extensively, they might be able to, and there may even be a point where it doesn’t feel nearly as hard as one thought it would be. Employees in an organization have different levels of security maturity, so security teams must design for that range. They may also need to provide tools that help people remember what to do or that make the secure process easier.

2) Motivation: Motivation is a key component of how people function. Employees may have adequate security knowledge but lack the motivation to report suspicious activity. It’s like having the ability to follow the speed limit or to throw recyclables in the right bin, but not caring enough to do it. Ideally, security teams build a behavioral system for motivation by approaching it from a reward or challenge perspective.

Phishing challenges and related simulation exercises can make training more engaging and measure performance at the same time. Employees who exhibit good behavior, such as reporting a simulated phish, can be recognized or rewarded, which helps build excitement, motivation and purpose. Employees who repeatedly exhibit the wrong behavior can be given more personalized education along with access to tools and processes that move them in the right direction.

3) Prompt: There are many behaviors we are capable of and sufficiently motivated to perform every day. Yet in the absence of a reminder, a prompt or a nudge, we generally don’t perform them.

Social media platforms do this all the time. They prompt us with “hey, John Doe just commented on your thread.” They open a curiosity gap in our minds by telling us that a comment exists without showing it to us, then entice us over to the platform to scratch the mental itch by providing a super-convenient, easy-to-click link.

Organizations can design similar prompts that nudge users toward better security hygiene. For example, the password change portal could show a short video on how to create and remember a good password, and then give immediate feedback on whether the chosen password is strong, and if not, why.
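The immediate-feedback prompt described above, as an added example that is not part of the original article or any vendor’s product: a small feedback function of the kind a password change portal could run on each keystroke. The deny-list, the minimum length and the checks (common-password variants, user-specific terms, keyboard sequences, repeated characters) are constructed for illustration; a real portal would check against a far larger list of breached and commonly used passwords.

```javascript
// Added example (not from the original article): immediate, specific password
// feedback of the kind a password change portal could show as a prompt.
// COMMON_PASSWORDS is a constructed sample; a real deployment would check
// against a much larger list of breached and commonly used passwords.

const COMMON_PASSWORDS = new Set([
  "password", "password1", "123456", "qwerty", "letmein",
  "welcome1", "summer2024", "iloveyou",
]);

const MIN_LENGTH = 12; // assumed policy value for this example

// Undo common "leet" substitutions so P@ssw0rd is still recognised as password.
function normalise(pw) {
  return pw.toLowerCase()
    .replace(/@|4/g, "a").replace(/\$|5/g, "s").replace(/0/g, "o")
    .replace(/1|!/g, "i").replace(/3/g, "e");
}

// Does the candidate contain a known common password (raw or de-leeted)?
function matchesCommon(pw) {
  const raw = pw.toLowerCase();
  const norm = normalise(pw);
  for (const common of COMMON_PASSWORDS) {
    if (raw.includes(common) || norm.includes(common)) return true;
  }
  return false;
}

// Detect runs of four or more characters taken straight from the alphabet,
// the digit row or a keyboard row, in either direction (abcd, 4321, qwer).
function hasSequence(pw, runLength = 4) {
  const rows = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
                "qwertyuiop", "asdfghjkl", "zxcvbnm"];
  const s = pw.toLowerCase();
  for (let i = 0; i + runLength <= s.length; i++) {
    const chunk = s.slice(i, i + runLength);
    const reversed = chunk.split("").reverse().join("");
    if (rows.some(row => row.includes(chunk) || row.includes(reversed))) return true;
  }
  return false;
}

// Detect the same character repeated four or more times in a row (aaaa, 1111).
function hasRepeats(pw, runLength = 4) {
  return new RegExp(`(.)\\1{${runLength - 1},}`).test(pw);
}

// Returns { strong, feedback }. Every message says what to change, because a
// bare "weak" verdict is not a prompt the user can act on.
// userContext holds terms the user should not reuse (name, username, employer).
function passwordFeedback(pw, userContext = []) {
  const feedback = [];
  const raw = pw.toLowerCase();
  const norm = normalise(pw);
  if (pw.length < MIN_LENGTH) {
    feedback.push(`Use at least ${MIN_LENGTH} characters; a passphrase of several unrelated words is easiest to remember.`);
  }
  if (matchesCommon(pw)) {
    feedback.push("This is a commonly used password or a close variation of one; attackers try these first.");
  }
  for (const term of userContext) {
    const t = term.toLowerCase();
    if (t.length >= 3 && (raw.includes(t) || norm.includes(t))) {
      feedback.push(`Leave out "${term}"; names, usernames and employers are easy to guess.`);
    }
  }
  if (hasSequence(pw)) {
    feedback.push("Avoid keyboard walks and sequences such as qwer or 1234.");
  }
  if (hasRepeats(pw)) {
    feedback.push("Avoid repeating the same character several times in a row.");
  }
  return { strong: feedback.length === 0, feedback };
}

// Usage: the portal calls this on every keystroke and renders the messages.
for (const candidate of ["P@ssw0rd1", "correct horse battery staple"]) {
  const result = passwordFeedback(candidate, ["jdoe"]);
  console.log(candidate, "->", result.strong ? "strong" : result.feedback);
}
```

The point of the design is that the feedback is specific: “P@ssw0rd1” is rejected as a variation of a common password and as too short, while a long passphrase of unrelated words passes, so the prompt teaches the behavior the video just described rather than merely scoring the attempt.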

Plan like a marketer, test like an attacker

Security teams can start thinking in terms of marketing and product design: understanding what motivates employees, crafting messages that cut through the noise, capturing attention at the right time, connecting with people on a human level, embedding the message, and ultimately getting them to follow through. The more security folks learn about human nature, the better they will be at designing security programs that work with the realities of human nature rather than against it.

Perry Carpenter is the author of “Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors” and the host of the 8th Layer Insights podcast on The CyberWire network. He is chief evangelist and security officer for KnowBe4 [NASDAQ: KNBE], the world’s largest security awareness training and simulated phishing platform.
