The NCSC recently set a “better engagement” challenge. Their view was that traditional security awareness wasn’t working to drive the secure behaviours it should. Here we explore why that is, digging into what psychology and learning science have to say, and what we could do to improve the situation.
To do this, let’s start with a typical knowledge worker; we will call her Kate. Like all of us, she works hard in her office, meeting deadlines and achieving her objectives. She’s going through a busy period of work just before a well-deserved holiday.
Here she is, finally getting around to doing her security awareness eLearning.
You can tell this by the look on her face, the fact that she’s clicking next, next, next… and probably yawning!
After around 45 minutes, she’s done and can return to her work.
To understand what happens next, we can turn to Ebbinghaus' Forgetting Curve. This suggests that within about 5 to 7 days Kate is only going to remember about 20% of what she was taught.
And that’s a problem! Because we need Kate to act securely to protect herself and the business.
Back to the story… Kate is busy for the next few days getting work finished because she is off on holiday. She’s clearly not thinking about security awareness when she’s there!
When she gets back, work has built up and deadlines loom. Like the rest of us, she has endless online meetings and the odd distraction from social media…
Then, perhaps, on one particular day, she’s feeling a bit jaded, she’s been out late the night before, she’s drinking quite a lot of coffee and those distractions are looming large… so many cute kittens…
Then, she gets an email from a client:
“I urgently need you to upload that report to this filesharing site. Can you do it now please?”
It’s been a really long time since Kate did her security awareness training. Do we really expect her to remember what to do?
We can explore what might influence how Kate reacts to this situation through the lens of behavioural science and psychology. This is clearly not an exhaustive list, but rather an example of factors that might impact her decision-making.
Kahneman and Tversky’s work suggests a model of fast and slow thinking. Whilst we might like to think all our decisions are deliberate and well thought through, it’s likely that only about 5% of the decisions we make every day are like this (system 2).
Most decisions, around 95%, are made on semi-autopilot (system 1). That's where heuristics and cognitive biases come into play to help us make decisions.
One of these heuristics is availability. We rely on things that come more readily to mind. It’s the reason that once you start considering buying a type of car, you suddenly see that car everywhere.
So, is there anything that has made security front of mind? Perhaps if Kate had read about a recent breach in the news, the topic of security might be more "available".
Present bias is another influencing factor. We are really driven by rewards that come to us in the short term. Here there is a reward, the satisfaction of helping the client. Kate is more likely to be driven by that than by the longer-term reward of acting securely.
Our brain tends to look for some sort of anchor to make any decision or to act. Fascinating research found that people reading words associated with old age subsequently walked more slowly out of the lab! Is there anything that has primed Kate to be thinking about security?
The context we are working in is a huge driver of our behaviour. If Kate was in the office, the trappings of the context (lanyard/pass, walking through reception, colleagues working at desks, even a security poster on the wall) would influence her behaviour.
Affect and emotion can also drive behaviour, and here Kate will likely be influenced by a desire to keep a client happy or, indeed, by her mood.
Spacing is more of a learning science concept, but it is relevant here. Many of us cram the night before when we are trying to learn something, but this is proven to be less effective than spacing our learning out: a little bit today and a little bit the next day. That is what builds on the foundations and embeds the learning.
These are just a few factors that might influence Kate’s behaviour, or any of ours, as we go about our day-to-day work. And they point to “opportune moments” at which we might have been able to support Kate and help make sure she made the most secure decision.
In our next article, we will explore the concept of an “opportune moment”, touching on some “less than opportune” moments and our Goldilocks theory: “too soon”, “too late”, and “just right”! Can you bear to wait? 😊