Anyone who has run security awareness programs for a while knows that changing human behaviour is not an easy task. And that sometimes the problem with awareness is that "awareness" alone does not automatically result in secure behavior.
Let’s look at the challenge of building a security culture through the lens of behaviour design. BJ Fogg’s much-quoted behavior design model neatly outlines that behavior happens when three things come together at the same time:
Motivation, Ability, and a Prompt which could be a reminder or a nudge to do the behaviour.
Fogg’s Behaviour Model highlights three core motivators: Sensation, Anticipation, and Belonging. Each of these has two sides: pleasure/pain, hope/fear, acceptance/rejection. These core motivators apply to everyone; they are central to the human experience.
Let's try apply these to cybersecurity:
- Tapping into people’s emotions by using visually appealing content, engaging with humour and story-based techniques, and activating positive sensations.
- Fear can be a powerful motivator too. Show what could happen when. But too much of it can result in apathy and needs to be underpinned with the notion that it is simple to defend.
- Using the power of leadership or celebrity to tell stories and invoke a sense of belonging.
- Making it personally relevant by providing information on how to protect kids or family members
Caveats: Humour is a great technique to grab people’s attention, evoke positive emotions and help with memory retention. However it has to be applied carefully and with a sensitivity to the audience's cultures, else it can backfire. Also, it shouldn’t be used too much, as it could result in the audience not taking the core message seriously enough.
BJ Fogg says that training people is hard work, and most people resist learning new things. That’s just how we are as humans: lazy. Give someone a tool or a resource that makes the behaviour easier to do. A great example is a password manager. This is a tool that takes care of desired behaviour and simplifies the complexity of having to remember multiple different passwords.
The concept of prompt has different names: cue, trigger, nudge, call to action, request, and so on and they all have the purpose to remind and tell people to "do it now". A good example are the password strengths meters reminding people to come up with better passwords as and when they create them.
When designing an awareness campaign, it’s important to consider where prompts may be used. For example, in the moment nudges, such as when users look at emails while on the go or when they are about to send a large file to someone externally.
When it is possible to combine the three elements of motivation, ability and prompts, changing behaviour is a much more likely outcome than just spreading awareness content and hoping for a result.
Stay up to date on the rest of this evangelist series to help keep you and your users safe during Cybersecurity Awareness Month and beyond!