Security Awareness For Dummies. Ira Winkler

Security Awareness For Dummies, by Ira Winkler, page 18

In other words, if you're already fit, you can simply continue doing what you're doing to stay fit. Otherwise, you have to change and improve something in order to become fit. It's the same for a security culture: if the culture is already strong, maintaining it is easier than strengthening a weak one. Merely making people aware of what they should do won't change their behavior, because the surrounding culture keeps reinforcing the weak behaviors. You need to consider how to change the culture itself, and that takes more effort than simply telling people what to do.

      Psychology that focuses on the individual is useful for relating to people in one-on-one settings and for establishing general principles, but if you're trying to change behaviors consistently across a large organization, the study of the individual has limited value. You need to influence the organization as a whole or, more specifically, its security culture.

      Clearly, to influence the culture, you have to influence the individuals within the organization. However, when you’re trying to influence a culture, you’re not trying to influence everyone — rather, you’re influencing as many people as possible. For example, in the cybersecurity field, everyone ideally has strong and unique passwords. However, as I discuss later in this chapter, perfect security will never exist — only risk reduction.

      In many ways, this may sound like an attempt to create a one-size-fits-all strategy. In reality, you're creating a one-size-fits-most strategy. Ideally, you would meet with every individual, help them understand the desired behaviors, and persuade them to adopt those behaviors through communications suited to their particular learning styles. That strategy isn't practical, so you have to look for ways to influence groups of people regardless of individual learning styles. Admittedly, you will never reach everyone, but your goal is optimized risk reduction.

      The ABCs of behavioral science

      FIGURE 3-2: The ABCs of behavioral science.

      Here’s how to break down the ABCs of behavioral science:

       A stands for antecedents. In the context of this book, an antecedent is something intended to influence a behavior. Antecedents in the security field are usually security awareness efforts. For example, users might see posters reminding them to wear their security access badges.

       B stands for behavior. The B is the desired behavior that you’re trying to create. For example, users may be expected to wear their badges at all times while in the building.

       C stands for consequences. Consequences are the responses to the behaviors. Users may experience a range of consequences for their behaviors:
         Negative consequences: The user experiences embarrassment, inconvenience, or correction. For example, a security guard might stop someone who has forgotten their badge, or the person may be unable to enter an area that's protected by a badge reader.
         Positive consequences: The user is rewarded for the behavior.
         Neutral consequences: The behavior happens, and the user experiences no obvious consequence.

      To apply this concept using clean desks as an example, consider how you tell people to keep a clean desk and to lock up computers and hard-copy materials when unattended. You provide awareness to tell them what to do and what is expected of them (the antecedent). Alongside the awareness you provide, they also see what their coworkers are doing. They then either follow your guidance or not (the behavior). They might also follow it only partially, such as shutting down their computers but not securing hard-copy materials.

      

Both antecedents and consequences influence behaviors; however, they don’t influence behaviors equally. Antecedents have at best a 20 percent effect on changing behavior. Consequences have an impact of 80 percent or more.

      In the ideal world, you can provide positive consequences for improved behaviors. However, providing negative consequences should not be out of the question, especially if the insecure behavior costs the organization money or other resources.

      Consequences should be consistent across the entire organization. Some individuals may rebel against or ignore certain consequences, but your goal is to move the organization as a whole. This doesn't require everyone to follow your guidance — just most people.

      

In the ABC model, culture itself can serve as a form of consequence. Culture provides peer pressure, and peer pressure is one of the most effective consequences and drivers of change. If you can improve the security culture, the culture provides all the consequences you need.

      The Fogg Behavior Model

      Dr. BJ Fogg is the Stanford University researcher and widely noted behavioral expert who created the Fogg Behavior Model. In the most general terms, he studied what causes humans to exhibit various behaviors at different times. Although his model is based on the psychology of individuals, it explains many user actions. If you understand the model, you can design consequences that affect the entire organization.

      

To read more about the Fogg Behavior Model, see Dr. BJ Fogg’s website (https://behaviormodel.org). You can find his book, Tiny Habits: The Small Changes That Change Everything (Harvest, 2021) and other resources on his website, as well.

      Conversely, if motivation is low but the task is simple, you’re generally inclined to do it. An example is putting a dish in a dishwasher.

      In the case of saving the child and putting the dish in the dishwasher, you have prompts, or indicators that an action needs to be taken. The prompt for the mother taking heroic actions is the child in danger. The prompt for putting a dish