In other words, if you’re already fit, you can just continue to do what you’re doing to stay fit. Otherwise, you have to change and improve something in order to become fit. It’s the same for a security culture: If it’s strong, it’s easier to maintain a strong security culture than to strengthen a weak security culture. Just making people aware of what they should do won’t change their behavior, because the culture reinforces the weak behaviors. You need to consider how to change the culture, and that takes more effort than just attempting to tell people what to do.
Benefiting from Group Psychology
Psychology that focuses on individuals is helpful to relate to people in intimate settings and in generalities, but if you’re trying to change behaviors consistently across a large organization, the study of the individual has limited value. You need to influence an organization as a whole or, more specifically, you need to influence the security culture.
Clearly, to influence the culture, you have to influence the individuals within the organization. However, when you’re trying to influence a culture, you’re not trying to influence everyone — rather, you’re influencing as many people as possible. For example, in the cybersecurity field, everyone ideally has strong and unique passwords. However, as I discuss later in this chapter, perfect security will never exist — only risk reduction.
In many ways, this may sound like an attempt to create a one-size-fits-all strategy. The reality is that you’re creating a one-size-fits-most strategy. Again, ideally, you would be able to meet with all individuals and work with them to have them understand the desired behaviors and convince them to enact the behaviors in a style through communications that are best for their learning styles. Again, that strategy isn’t practical, so you have to look at ways to influence groups of people, regardless of the individual learning styles. Admittedly, you will never get everyone — but, again, your goal is optimized risk reduction.
The ABCs of behavioral science
The ABCs of behavioral science are similar to the ABCs of awareness, but with important differences: The ABCs of awareness lay out a path, and the ABCs of behavioral science define motivation. (See Figure 3-2.)
FIGURE 3-2: The ABCs of behavioral science.
Here’s how to break down the ABCs of behavioral science:
A stands for antecedents. In the context of this book, an antecedent is something that intends to influence a behavior. Antecedents in the security field are usually security awareness efforts. For example, users might see posters reminding them to wear their security access badges.
B stands for behavior. The B is the desired behavior that you’re trying to create. For example, users may be expected to wear their badges at all times while in the building.
C stands for consequences. Consequences are the responses to the behaviors. Users may experience a range of consequences for their behaviors:Negative consequences: The user experiences embarrassment, inconvenience, or correction. For example, a security guard might stop someone who has forgotten their badge, or the person may be unable to enter an area that’s protected by a badge reader.Positive consequences: The user is rewarded for the behavior.Neutral consequences: The behavior happens, and the user experiences no obvious consequence.
To apply this concept using clean desks as an example, consider how you tell people to keep a clean desk and lock computers and hard copy materials when unattended. You provide awareness to tell them what to do and what is expected. Combined with the awareness you provide, they also see what their coworkers are doing. They then either follow your guidance or not. They might partially follow your guidance as well, such as shutting down their computers but not securing hard copy materials.
If the employee fails to follow the guidance and you do nothing, that is a neutral consequence — and their behavior is likely to continue. If, however, a coworker or a supervisor speaks to the employee the next day regarding their failure to follow the clean desk policy, they will likely improve their behaviors the next day. If someone from the security department calls the person in and threatens disciplinary actions, they are most likely to improve their behaviors in the future. Though I don’t advocate threats on the first occasion, any negative consequence is likely to improve behavior in this example. Again, the peer pressure of seeing how coworkers behave is likely to strongly influence the behavior as well.
In the ideal world, you can provide positive consequences for improved behaviors. However, providing negative consequences should not be out of the question, especially if the insecure behavior costs the organization money or other resources.
Consequences should be consistent across the entire organization. Some individuals may rebel against or ignore certain consequences, but your goal is to move the organization as a whole. This doesn’t require everyone to adhere to follow your guidance — just most people.
The Fogg Behavior Model
Dr. BJ Fogg is the Stanford University researcher and widely noted behavioral expert who created the Fogg Behavior Model. In the most general of terms, he studied what caused humans to exhibit various behaviors at different times. Although his model is based on the psychology of individuals, it explains many user actions. If you understand the model, you can design consequences that can impact the entire organization.
https://behaviormodel.org). You can find his book, Tiny Habits: The Small Changes That Change Everything (Harvest, 2021) and other resources on his website, as well.
Fogg broke down the expectation of a desired behavior. The components of a probability of a behavior are motivation, ability, and prompts — or B:MAP, the acronym Fogg created. A relationship exists between ability and motivation. If motivation is high, a person will be more inclined to exhibit a behavior, even if the behavior is difficult. The example typically used to illustrate this idea is that of a mother taking heroic actions to save her child.
Conversely, if motivation is low but the task is simple, you’re generally inclined to do it. An example is putting a dish in a dishwasher.
In the case of saving the child and putting the dish in the dishwasher, you have prompts, or indicators that an action needs to be taken. The prompt for the mother taking heroic actions is the child in danger. The prompt for putting a dish
