Editor's Note: This is a part of a series of blog posts by Sahil Bansal from Genpact on the topic Nudging Towards Security.
Making Security Personal
Traditional Approach of Security Communications - Employees behave in a particular way because something motivates them to do so. Traditionally, the information security teams of organizations have relied on fear as that motivator to drive the right behavior: highlighting the consequences of not following the right process, citing cases where extreme action was taken against employees, and exaggerating situations to scare employees into believing terrible outcomes could occur. Information security has always been about locking things down and scaring the hell out of people. Clearly, it hasn't worked.
Why is it ineffective? Fear tends to be counterproductive. Our minds have the most spectacular ways of dealing with situations. The mind does not like to analyze each situation; it likes to save as much energy as possible and take shortcuts while making decisions wherever it can. That is how it has been hard-wired since ancient times, when sources of energy were limited and hard to find.
The culprit in this case is the 'Boomerang Effect'. As long as we perceive a danger and perceive our ability to manage that danger as high, we will take steps to control the risk. However, if the perceived danger is high and our perceived ability to manage it is low, we are likely to develop 'cognitive dissonance', a state in which two cognitions or thoughts contradict each other. This might include a contradiction between our attitudes and our actual behavior. This is a stressful state.
How do we cope with this situation? We adopt various coping mechanisms to relieve ourselves when under stress. In these cases, surprisingly, instead of taking action to control the risk, we are likely to invent a new opinion to resolve the conflict. For example, the most common rationalization in cases where fear is overused in communications is denial: the "this won't happen to me" mentality. This is why so many people continue to smoke despite all the awareness around it. Other disadvantages of fear are that employees might perceive the information security team as bossy (and hence enemy-like :)), and too much fear sometimes results in users making mistakes. I believe fear should only be used for selective groups or cases.
Make Security Personal - So what should be done to motivate employees? We as information security awareness professionals should explore other motivations that might nudge the employee to make the right choices. The most basic motivator for an employee is self-gain: users are more likely to be interested in your messages if the messages contain something that can help them personally. Our brain is responsible for our own survival only. So it is more likely to be attentive when you talk about its favorite subject, itself. That can be the starting point. An example would be telling employees how they can avoid being scammed on Facebook and WhatsApp. We should tell them how to evaluate an antivirus solution for their home computers. We should tell them what to look for when buying a new IoT device.
How does it help in the long run? From there, communications should move on to goals shared by the employee and the organization, like avoiding phishing scams, securing BYOD devices, etc. As the program matures, employees start to feel connected to the company (and start thinking of the information security team as being there for them, not to scare them), and they become keen to protect the company from security threats. So it is very important to understand what motivates your employees and what turns them off. Once you know that, you know what to communicate. It goes without saying that there has to be some element of curiosity, surprise, humor or shock in the communication, or the users might just ignore it completely. In the next post, we will look at things that can be done to make communications more effective. In case you would like to read the earlier posts, you can find them here:
- External email tagging to avoid phishing scams
- Reducing data leakage incidents due to employee mistakes
- One click report spam for quicker response
Speaker Bio - Sahil leads the security awareness, training and culture change initiatives at Genpact. He holds a B.Tech and an MBA and has taken courses on social psychology, behavioral economics, marketing and branding. At present, he is helping the Genpact information security team look at the problem from a people perspective. He has also worked with other IT giants like Infosys and HCL Technologies in the past.