“When making a decision, it would be nice to think that people consider all the available information in order to guide their thinking. But the reality is very often different. In the increasingly overloaded lives, we lead, more than ever, we need shortcuts or rules of thumb to guide our decision-making.”
Dr Robert Cialdini
Wouldn't it be great if you could significantly enhance the impact of your security awareness messaging with just a few tweaks to the wording? Well you can...
Dr Robert Cialdini spent his career researching what drives people to say “yes” to requests. The result of his research offers seven principles of persuasion.
Whilst his principles have mostly been adapted to internet marketing, as we have seen before, marketing and security awareness have much in common, and that’s true for these principles too. Just as we want to 'convert to a sale' in marketing, we want to change behaviour when delivering security awareness.
Let’s explore how you can apply these principles to increase the effectiveness of your awareness and behaviour change efforts!
1. Liking
The first principle has much in common with “Attractive” in the EAST nudge framework.
We are more likely to do something for someone we like, and this applies to things we like too.
So, make your awareness look good!
- Build an attractive and recognisable brand.
- Try and make the security team likeable too!
- Be seen as there to help and support.
- Build the sense you are working together toward a common goal.
- Make content personally relevant and relatable.
Offering compliments, feedback and praise also play towards 'Liking', so tell people when they are doing the right thing from a security perspective.
A thank you for reporting a suspicious email goes a long way!
2. Commitment and consistency
Generally, we like to remain consistent with our previous commitments and with our image of ourselves.
Researchers found that people who had previously agreed to put a small postcard advert in their windows were subsequently far more likely to agree to an ugly sign with the same ad - they felt obliged to remain consistent with their earlier behaviour.
So - get your people to actively sign up for small security steps - reporting phishing, for instance, or sign up to be Champions.
You might tell people they are helpful or good at behaving securely in your messaging, and people will try hard to live up to / be consistent with that view of themselves.
Start with small, easy commitments and then build up over time.
3. Social Proof
Forward-looking organisations realise the power of social proof to drive secure behaviours.
We like to do things that others are doing; we follow the crowd and social norms. If everyone else is doing it, then people tend to go along with that.
Famously Cialdini encouraged people to reuse their towels in a hotel; when he told people that most of their fellow guests were already reusing their towels, reuse increased by 26%!
The more specific this proof, the better. When he referred to people in ‘that room’, he saw a 33% increase.
When it comes to awareness, share information like:
- "here’s a phishing email reported by a colleague in your department"
- "75% of your colleagues reported phishing"
- "80% of your colleagues engaged with the latest Redflags® Security Awareness story delivered directly to their desktop"
[And did you notice the use of social proof/unity in the first paragraph of this section, wouldn't you want to be grouped with forward looking organisations?]
4. Scarcity
“Last chance this week to read about a Cialdini influence technique applied to security awareness! 👇Hurry up. Link Below👇”
Don’t worry! It’s not a real time-limit; it’s simply Scarcity at work! A familiar sight all across internet shopping sites and sofa showrooms. “Everything must go!” or “Only two left in stock”.
The good news is you can apply this to awareness!
Perhaps create some small groups to take place in more high-profile or exciting security activities: games, escape rooms, competitions, product trials, focus or champions groups.
Offer rewards for some activities, but limited numbers / for a limited time to encourage involvement.
The aim is to build a sense that people would be missing out if they didn’t get involved.
5. Authority
Essentially, we follow people who know what they are doing.
We see this in use in phishing and social engineering attacks with criminals keen to imitate senior staff and executives.
In awareness, we can highlight/reference expert sources by Name-dropping professors, scientists or leading organisations like the NCSC that back up what we are saying.
We can get senior executives involved - done well, we can get the double whammy of social proof - even the CEO follows these rules.
Even the way you name your security champions could help - Apple call their support staff Apple Geniuses, playing to this technique.
6. Reciprocity
It's what we tell our children that Christmas is NOT meant to be about - giving to receive. But when it comes to persuasion and influence, reciprocity is a useful tool.
The next of Cialdini's principles suggests that we are wired to pay back debts, favours, and gifts, treating others how we have been treated.
In an experiment, a waiter leaving an extra mint "just for this table" with the bill saw 23% higher tips - as with social proof, the more personal the reciprocity, the more powerful. Make it unexpected, and it’ll be even more effective.
In the Security Awareness context, one organisation offered "life hacks" - useful work, home, and IT tips alongside security awareness content.
We can also highlight what the IT and Security teams are doing in our messaging: "We've blocked thousands of phishing emails", for example. Then, ask your people to do their bit to help.
7. Unity
We are more easily influenced by someone with whom we experience a feeling of shared identity. Family ties are the strongest, but any 'tribe' or identity can be effective.
Applied to security awareness, to engage and drive secure behaviours, we can - offer rewards or even guidance that people can share with their family and friends.
If your company has a strong brand and strong values associated with it, then align awareness and positive, secure behaviours with that brand.
Involve people so they feel part of the 'movement'. Ask for feedback and input on what you are developing to gain buy-in.
Create Security Champions groups to create a movement of people more involved in supporting the security team.
Find the things that you share with your people. Emphasise these factors in your communications to draw on a persuasive feeling of shared identity.
Conclusion
So there you have them! Cialdini’s 7 principles of influence and persuasion.
Applying some of these small, practical and often cost free tips to your comms can lead to big behaviour change!
More about Cialdini’s work here: Dr Robert Cialdini | Speaker, Author, Influencer (influenceatwork.com)
If you’d like to know more about how Redflags® addresses these challenges, visit thinkcyber.co.uk or get in touch.