One of the primary goals of most security awareness programs is to change human behavior. By changing peoples' behaviors we can reduce risk both to themselves and their organization. As we have documented in the Security Awareness Planning Kit, to change human behavior we need to answer three key questions, WHOSE behavior do we want to change, WHAT behaviors do we want to change and HOW. Within the security community we are pretty good at the first two parts. Where we are weakest is HOW to change those behaviors. Wouldn't it be great if there was a Ph.D somewhere who had been studying Human Behavior Design for the past twenty years and created a simple model on how to do just that? Lucky for us, there is.
BJ Fogg is a Ph.D professor at Stanford who teaches Behavior Design. What makes his research so valuable to our community is he has developed a very simple yet effective model on changing human behavior which we can apply to awareness programs. You can learn more about him and his model at his Behavior Model website. In addition he teaches a two day camp on his behavior model and how to effectively change human behavior, which I recently attended. Bj and his camp really opened my mind to a lot of new ideas. In general, what we as a community have been doing to date is correct, but by applying the concepts of behavior design we have the potential to be much more effective.
I'm still digesting and processing what I learned, but over the coming weeks/months I'll be posting lots of new ideas and thoughts on how we can apply the concepts of behavior design to our field. Meanwhile, if you have a moment be sure to check out his behavior model. Its incredibly simple and if nothing else his work can get you thinking about awareness from a different perspective.