Enhancing cybersecurity is a challenge for organizations of all sizes. Even companies with robust security programs fall victim to attacks that rely on phishing, weak passwords or SQL injection. Your team may lack the skills or education to avoid these pitfalls, but the underlying issue can often be traced back to motivation.
This is where security awareness programs and influence techniques come into play.
Security awareness programs differ from standard security training courses. Training delivers a fixed body of knowledge and tests learners for short-term comprehension; a security awareness program is intended to motivate people and change their behavior over the long term.
So, what are these “influence techniques” and how can you use them to instill a culture of security awareness at your organization? Let’s explore.
The primary purpose of cybersecurity awareness is to change your teams' behavior. Training and education give people the information they need to work safely; getting them to actually act differently is a separate skill.
A study by the SANS Institute set out to identify which tactics successfully drive people to change their behavior. It found that when a program engages the personal, social and environmental sources of motivation, employees can be challenged to improve the effectiveness of their security practices through personal engagement.
In other words, you can't change someone's behavior with lectures alone. Education is often a powerful technique, but if it isn't driving change or improving security awareness at your organization, it may be time to add influence techniques to your teaching toolkit.
To instill a security mindset in your team, you need to influence both their conscious and unconscious decision-making.
People consciously weigh whether they are able to do what is required and whether the effort will be worth it. Those conscious judgments are in turn shaped by unconscious influences.
Unconscious choices act as a kind of shorthand for decision-making. To really change how another person decides, you first need to identify their sources of influence, which can be personal, social or environmental:
- Personal motivations involve feelings associated with the action, whether this be pride in a job well done, anger at being forced to do something or satisfaction at accomplishing a difficult task.
- Social motivations come from peer pressure and interactions with others in a group, whether believing in the wisdom of the crowd or following an established leader.
- Environmental motivations can be harder to pin down; they come either from the physical environment or from the way an organization's culture rewards and punishes particular behavior.
Because these unconscious influences shape behavior, you need a variety of tactics, not a single one, to instill stronger security habits in your team.
Teaching New Skills Effectively
What looks like a lack of motivation is often really a lack of ability. Spotting a phishing email, choosing a strong password or, for developers, preventing SQL injection by using parameterized queries are all simple things to do once someone has learned the proper technique.
As a teacher or influencer, break complex goals down into short, clear and achievable steps for your team. A basketball coach doesn't tell the players to "score more points"; they remind the team of fundamentals like keeping their elbows in on jump shots.
Likewise, if you want to reduce malware infections at your organization, pick one specific, teachable behavior, for example reporting an unexpected attachment to the helpdesk instead of opening it, and enable your team to apply it throughout their work.
Educators who have the most success teaching new skills alternate between teaching and testing the new knowledge, then reward any sign of improvement with positive feedback. Positive reinforcement not only helps learners remember the information, it motivates them to put it into practice.
What you're trying to create is a state of ongoing challenge that pushes learners to achieve more while constantly validating their success. Achievable goals and positive feedback for accomplishments create a positive learning environment and make the experience more like a game. Once a learner completes a learning path, you have tangible evidence of progress toward the security goals you set.
Where individual progress can't be quantified, measure the effect of the organization's behavioral changes on key security metrics, such as the number of malware infections, phishing-simulation click and report rates, or reported security incidents. Interpret these carefully: a rise in reported incidents can mean people are reporting more, not that attacks have increased. Sharing these metrics with employees across the organization gives your team something to aim for and adds social influence into the mix.
The most fundamental reason security awareness programs fail is a lack of understanding of what security awareness really is: there is a major difference between a security awareness program and security training.
Merely providing information in a training course doesn't change behavior. The ongoing support and validation of an awareness program give employees the tools to change and put them in control of their own improvement.
The goal of your security awareness program is to deliver information in a variety of formats over time in order to effect change. Few organizations understand and run these sorts of awareness campaigns, but they're fundamental to driving change.
To develop your security awareness program, start by reviewing the 4 questions every CEO should ask about cybersecurity and consider which high-level goals your team can practice at an individual level.
Author: Rick Phipps, Vice President of Operations