Ira Winkler - Security Awareness For Dummies

Security Awareness For Dummies: summary, description and annotation

Make security a priority on your team

Every organization needs a strong security program. One recent study estimated that a hacker attack occurs somewhere every 
Since security programs are only as effective as a team’s willingness to follow their rules and protocols, it’s increasingly necessary to have not just a widely accessible gold standard of security, but also a practical plan for rolling it out and getting others on board with following it. 
Security Awareness For Dummies gives you the blueprint for implementing this sort of holistic and hyper-secure program in your organization.
Written by one of the world’s most influential security professionals—and an Information Systems Security Association Hall of Famer—this pragmatic and easy-to-follow book provides a framework for creating new and highly effective awareness programs from scratch, as well as steps to take to improve on existing ones. It also covers how to measure and evaluate the success of your program and highlight its value to management. 
- Customize and create your own program
- Make employees aware of the importance of security
- Develop metrics for success
- Follow industry-specific sample programs

Cyberattacks aren’t going away anytime soon: get this smart, friendly guide on how to get a workgroup on board with their role in security and save your organization big money in the long run.

Security Awareness For Dummies: read the preview excerpt online

C stands for consequences. Consequences are the responses to the behaviors. Users may experience a range of consequences for their behaviors:

- Negative consequences: The user experiences embarrassment, inconvenience, or correction. For example, a security guard might stop someone who has forgotten their badge, or the person may be unable to enter an area that’s protected by a badge reader.
- Positive consequences: The user is rewarded for the behavior.
- Neutral consequences: The behavior happens, and the user experiences no obvious consequence.

To apply this concept using clean desks as an example, consider how you tell people to keep a clean desk and lock computers and hard copy materials when unattended. You provide awareness to tell them what to do and what is expected. Combined with the awareness you provide, they also see what their coworkers are doing. They then either follow your guidance or not. They might partially follow your guidance as well, such as shutting down their computers but not securing hard copy materials.

If the employee fails to follow the guidance and you do nothing, that is a neutral consequence — and their behavior is likely to continue. If, however, a coworker or a supervisor speaks to the employee the next day regarding their failure to follow the clean desk policy, they will likely improve their behaviors the next day. If someone from the security department calls the person in and threatens disciplinary actions, they are most likely to improve their behaviors in the future. Though I don’t advocate threats on the first occasion, any negative consequence is likely to improve behavior in this example. Again, the peer pressure of seeing how coworkers behave is likely to strongly influence the behavior as well.

Both antecedents and consequences influence behaviors; however, they don’t influence behaviors equally. Antecedents have at best a 20 percent effect on changing behavior. Consequences have an impact of 80 percent or more.

In the ideal world, you can provide positive consequences for improved behaviors. However, providing negative consequences should not be out of the question, especially if the insecure behavior costs the organization money or other resources.

Consequences should be consistent across the entire organization. Some individuals may rebel against or ignore certain consequences, but your goal is to move the organization as a whole. This doesn’t require everyone to follow your guidance — just most people.

Culture, from the ABCs of awareness, can serve as a form of consequences. Culture provides peer pressure. Peer pressure is one of the most effective forms of consequences and drivers for change. If you can improve the security culture, the culture provides all the consequences you need.

The Fogg Behavior Model

Dr. BJ Fogg is the Stanford University researcher and widely noted behavioral expert who created the Fogg Behavior Model. In the most general of terms, he studied what caused humans to exhibit various behaviors at different times. Although his model is based on the psychology of individuals, it explains many user actions. If you understand the model, you can design consequences that can impact the entire organization.

To read more about the Fogg Behavior Model, see Dr. BJ Fogg’s website (https://behaviormodel.org). You can find his book, Tiny Habits: The Small Changes That Change Everything (Harvest, 2021) and other resources on his website, as well.

Fogg broke down the expectation of a desired behavior. The components of a probability of a behavior are motivation, ability, and prompts — or B:MAP, the acronym Fogg created. A relationship exists between ability and motivation. If motivation is high, a person will be more inclined to exhibit a behavior, even if the behavior is difficult. The example typically used to illustrate this idea is that of a mother taking heroic actions to save her child.

Conversely, if motivation is low but the task is simple, you’re generally inclined to do it. An example is putting a dish in a dishwasher.

In the case of saving the child and putting the dish in the dishwasher, you have prompts, or indicators that an action needs to be taken. The prompt for the mother taking heroic actions is the child in danger. The prompt for putting a dish in a dishwasher is the plate being in the proximity of the dishwasher. The action line represents the theoretical point where the combination of the motivation, action, and prompt is likely to have an individual take a desired action.

Though the intent of the model is clearly based on individual motivation, you can consider this mapping at a group level to determine the abilities you need to create within the overall organization. Abilities are the skills your awareness program needs to create or encourage so that the users have the requisite knowledge to complete the desired behavior. Likewise, you can create consequences to create perceived motivations across the entire organization. Awareness can also make people aware of the prompts to better trigger the desired behaviors.

For example, food service workers are mandated to wash their hands after using the restroom. This task requires minimal ability, so all that’s required is the appropriate prompt, or nudge (discussed in Chapter 7). The prompt is frequently a sign in the restroom stating that employees are required by law to wash their hands before returning to work. The prompt is simple, and sinks are immediately available. The motivation is a reminder that the workers can be punished for not washing their hands.

Prompts (or nudges) should be placed as close as possible to the spot where a behavior should be exhibited. For example, if you want people to lock their desks or computer monitors when their desks are unattended, put a reminder on their computers or desks — or at the exit to the office/cubicle area.

Relating B:MAP to the ABCs of awareness and behavior

Culture and consequences also have an impact on motivation and prompts. Peer pressure can be quite a strong motivator. The desire to avoid disappointing peers is a critical motivator, and if peers create a negative consequence for an individual not performing an action, it again incentivizes the action.

Also, if the culture regularly prompts the action, you will find the action much more likely to occur. This may include employees policing each other about sensitive subjects to avoid outside of the workplace.

At the same time, your awareness program should provide information and other resources to increase the ability of the individuals to perform the actions. This might be, for example, better instruction on how to detect and report phishing messages.

As an awareness professional, your job is technically to create awareness of the desired behaviors. You should also look for opportunities, however, to suggest technical tools that can be added to increase abilities and prompts. You will likely have to work with other teams to accomplish this task, but it’s worth the effort. For example, adding a button labeled Report Phishing Message to an email client can increase the ability to report a potential danger — while also providing a constant prompt. This would likely involve working with the endpoint support team.
