In the last blog, I wrote about my experience attending Re-Thinking the Human Factor security awareness workshop and talked about the basics of information security and the importance of education and awareness.
This blog looks at the human element; what it means to be human, and awareness and behaviour around info security.
The SABC™ approach is ground-breaking and I can see why.
Here we were at the security awareness workshop, learning about information security and Bruce started explaining how our brains work. By then I understood the importance of educating and training a workforce around security. And it makes sense that for it to be as effective as possible, it helps to understand how our brains work and use that knowledge in the design of security awareness programmes.
What it means to be human
I’m interested in behavioural economics and psychology, so I’d learnt that we have two different cognitive systems before. What I didn’t know is the differences in their energy consumption and how to make sure you get your audience to use the right one so that they actually learn.
Aeons ago, humans didn’t have too much to worry about. Our basic needs were the same as they are now, food, water, shelter and a mate, but we also had to be ready to spot the threat and react to it quickly. That threat’s largely disappeared from our everyday lives (thankfully), but we still use the same method for assessing risk and taking prompt action today.
That’s all well and good when it comes to significant of bodily harm but a primal reaction’s not going to help your employees learn about security risks at work on a wet Tuesday afternoon. An understanding of our brains and our thinking systems will do, however.
What even is ‘awareness’?
I don’t know about you, but I’ve never given ‘awareness’ much thought, I’ve always assumed I know what it is. But, like so many things, when you start to really look at them, there’s so much more to them.
On the security awareness workshop, we considered what awareness means to us – the attendees, the organisations we work for, and what it might mean to people with different skills and functions from our own.
You need to go to the workshop to find out about this, but it won’t ruin it if I say that some of the examples were fascinating. And Bruce has a very engaging way of sharing them. For example, we’ve all heard that positive feedback is good, and we think we know how to use it, but I had no idea how effective it really is.
We also looked at different learning methods and how well they work, the relevance of the learning environment and how all of this can be used to inform your approach and be applied to your organisation. Which led on very nicely to the next section of the day: behaviour.
Using what we’d covered previously, we looked at the issue of behaviour in reference to cybersecurity.
- How can you encourage people to make certain choices?
- What is ‘behaviour’?
- How do you drive it?
- How does understanding the brain help with understanding how people select which behaviour to exhibit?
- Do we behave logically and rationally?
Well, that depends!
When I went on the security awareness workshop I had no idea it would be (a) this fascinating, or (b) this much about psychology.
The day takes you beyond the useful ‘do this, do that’ advice you see more often.
This workshop isn’t concerned with ticking boxes, it’s about understanding how to reach people, and getting them to understand and do what it is you need them to do – bearing in mind our failings as human beings with brains that have evolved to do all sorts of crazy things and are still scanning the horizon for the next threatening mammoth.
An introduction to heuristics & cognitive biases
Bruce took us through a number of heuristics and cognitive biases (anyone who says, ‘trust your instincts’ only knows part of the story!), the interplay of values and emotions, the role of rewards – and that one isn’t what you think it will be.
I was the only non-information security professional there so my starting point may have been different but my aims for attending were the same as everyone else’s on the workshop: to gain a better understanding of security awareness, behaviour and culture.
What I won’t do, unlike the others, is take back my knowledge and apply it in the same way. I’ll continue learning and writing about it and sharing it, but the others will devise and action strategies, plans and procedures.
The workshop is designed to be applied to real situations and gets attendees to think about the organisations they work for and asks them all sorts of questions to facilitate discussion.
The application of nudge theory
I’ve come across Nudge Theory in my work life and we looked at its relevance for information risk and security management. Nudge, if you haven’t come across it, is the idea that small tweaks in the way that a decision is presented to you can produce big changes in behaviour.
It’s been used to change behaviour in retirement planning, pension contributions, income tax payment, use of male urinals (yes, honestly) and shopping. It can be used anywhere that people make decisions, including behaviour and decisions around information security (and copywriting).
I had so many ‘aha’ moments throughout the day and it began to seem obvious.
Why would you design your security strategy without working out how to make it effective or without taking the time to understand how your audience will receive it, remember it and use that knowledge as and when they need to, whether that’s in day-to-day online activity or to avoid a serious threat?
The workshop is the culmination of several years’ work. Bruce has been in security for over 20 years and spent more than 6 of those researching the human factor and its influence on developing security cultures in organisations and SABC™ is a framework to deliver that change based on his findings.
If you’d like to know more and guarantee your seat at the next Re-Thinking the Human Factor workshop on November 9th in Amsterdam, please pop over here.