Security Awareness Blog

Awareness and Education Changing Behavior - HAI Anyone?

One of the best examples of awareness and education changing behaviors may not be found in our community (security) but in healthcare. As I posted yesterday, we have few examples of security awareness changing behaviors because, to be honest, so few organizations have tried (most security awareness programs focus on compliance). Healthcare is different. For years the healthcare community has been fighting HAI (Hospital Acquired Infections): patients becoming infected during their hospital stay, often because doctors or nurses did not follow certain procedures. Over the years the healthcare community has addressed this by changing behaviors through education and awareness. Johns Hopkins has developed an entire framework (called CUSP) that hospitals use to change behaviors and address issues such as HAI, and they are starting to see significant results. For example, the 2010 Tennessee Center for Patient Safety Annual Report documents how the state-wide awareness program saved over 30 lives, 6,2000 patient days and $12.3 million in healthcare costs. Johns Hopkins was able to reduce ICU infections by 90% over an 18-month period. To see just how effective awareness programs can be, perhaps we should be looking at our partners in healthcare.



Posted October 11, 2011 at 5:01 PM

Derek Tonkin

Sounds interesting, so what would this look like? I'm about to begin full deployment of Securing the Human next week. How would it be different if it was more like the HAI initiatives?

Posted October 11, 2011 at 7:23 PM


Derek, the big advantage the medical community has is metrics. They have been actively attempting to change behaviors longer than the security community and have the metrics to demonstrate it. The fundamental concepts are the same; the problem is that most security awareness programs in the past have focused only on compliance. Our goal at STH is to go beyond compliance and also change behaviors. That is why we are also working towards organizations measuring impact, such as with phishing assessments [1] and awareness surveys [2].

Posted October 11, 2011 at 8:12 PM


I hope this isn't too redundant to my comment yesterday, but I think the analogy to the medical field misses some key differences and is not at all applicable.
- Patient care is the primary mission in the healthcare world. Reducing infections contributes directly and obviously to accomplishing the primary mission.
- Secondary infections are relatively simple to detect and have a measurable and highly visible impact on patient health.
- Hand hygiene is one simple step that medical professionals can become proficient at easily, have numerous opportunities to practice each day, and one where non-compliance is easy to observe.
For most of us, information security is not seen as directly supporting the primary mission, which may be manufacturing, sales, etc. Security failures are difficult to detect, the sources are hard to identify and the impacts are not nearly as measurable. We ask our users to understand complex topics and to adopt practices that are not simple and which they do not have the occasion to practice regularly. If you want to see how well that works, go try to set the clock on your proverbial VCR: you do this so infrequently that you are not and never will be proficient. Or listen to the pleasure someone takes when they successfully transfer a call or set up a conference on modern office phones. Moderately complex tasks that are not repeated regularly are not adopted.
Finally, there is the selfish motivation and externalities. For a doctor, an infected patient means a lot more work _for_that_doctor_. There is then motivation to avoid that work. A security exposure doesn't generally make more work for the person who has caused it (it is a classic externality), but avoiding security exposures causes at least the perception of more difficult tasks. So compliance is not as naturally incented.
All that said, consider that people have been trying to get medical professionals to wash their hands more for 150 years, so maybe there _are_ some similarities!

Posted October 11, 2011 at 9:41 PM


For many of the awareness programs of the past I would agree that they quickly alienate people: they are boring, complex and focus on the good of the organization. However, nowadays cyber touches everyone, from online shopping and banking to instant messaging and social networking. One of the most effective ways I've learned to engage people is not to position an awareness program as being for the benefit of the organization, but for the benefit of individuals. Look at the topics most awareness programs teach; over 70% apply to people's personal lives as well. By focusing on the personal gain I find you get a tremendous response. One of the greatest metrics of success I find is when people start asking if their families and friends can take the awareness training too. As such, in some ways I would say we have an advantage over the healthcare field, not a disadvantage.

Posted October 12, 2011 at 6:20 PM


Some of the problems DS highlights make sense, but I think these disappear if you broaden the analogy. Most behavior change work takes place in the public health arena, e.g. family planning, HIV prevention, smoking cessation, nutrition, etc. In many of these arenas getting people to change their behaviors is difficult, and much work has been done over decades to figure out what works and what doesn't. So public health research is a good field to turn to in order to better understand what it takes to change behavior. There are theories and models developed by public health practitioners that could readily be adapted to develop and test approaches aimed at changing behaviors that impact information security.
See for example Karen Glanz's "Health Behavior and Health Education: Theory, Research, and Practice". This is the classic text on health behavior change. The models are general enough that they could be used and adapted to think creatively about approaches to behavior change in other domains.

Posted October 16, 2011 at 8:08 PM

Russell Eubanks

Very interesting and thought provoking research. As a former long-term employee of BlueCross BlueShield of Tennessee, seeing these very familiar names brings back good memories. Keep up the great work!

Posted October 17, 2011 at 1:12 PM


Russell, since you are a former healthcare worker in Tennessee, we would love to hear any other stories or experiences you may be able to share about the awareness and education program. As I mentioned before, I feel that one of the biggest advantages healthcare has is that their metrics are more mature than security's when measuring the impact of culture.