Photo Credit: Alan Cleaver via Compfight cc
You want security awareness, then don’t pick up the phone!
CISOs constantly strive to improve security awareness and measure their success by tracking the scores of staff compelled to take a test at the end of their annual e-training module. The problem is that ‘security awareness’ ≠ ‘security behaviour’.
If you want to understand how to influence behaviour then work through this situation…
- Everyone knows that when your phone rings, you are meant to answer it. But in this case, your mobile phone rings and you don’t answer it – think of three reasons why not.
The common answers include – I was in the shower; I was driving; I didn’t reach it in time; it was set to silent so I didn’t hear it; the answer button didn’t work; I pressed hang-up by mistake; I didn’t want to talk to that person; I was in a meeting etc. No matter what reasons you thought of, they can almost certainly be summarised into one of three categories:
- Motivation – you were not motivated to answer the phone, either because of the possible consequences of the call, or the cultural pressure around you.
- Ability – you were unable to answer the phone, perhaps it wasn’t simple enough, or you were unable to reach it in time.
- Trigger – you were unable to recognise the trigger that creates the behaviour, for example by not hearing the ring-tone.
Next time you are planning to build a program to increase security awareness, stop and think; awareness is not behavior, and it’s behavior that is the goal. Work through these three aspects to craft a security program that will interest and engage users, and equip them with all the aspects they need to stay compliant with your policies; don’t just send them away better educated about security.
Oh, and remember – this works in reverse too! If your staff have established bad habits, change one or more of the three aspects to reduce or remove them!
For more information on the telephone thought experiment and the three aspects of behavioral change, check out B J Fogg’s excellent ‘Fogg Behavior Model’ here.