Influence is one of those things that some people have mastered. In the business world, influence can be used as an advantage to achieve a desired outcome.
Many people in security get locked into the technical realm, which is only natural. But what about learning something new that has to do with people, in order to strengthen the security program?
Not too long ago I stumbled upon the book Influencer: The Science of Leading Change. Influencer is useful in so many ways…could it be useful for security, too? After reading it, it became evident that the book does tie into security, and in particular into security awareness and obtaining behavioral change.
Security awareness is oftentimes focused on the outcome, which is more about statistics (how many people took the CBT and what their scores were). A program focused on behavioral change, by contrast, can strive for the impact it actually seeks (contacting the helpdesk instead of clicking on a phishing link).
I found some key excerpts from the book and wanted to share each one and illustrate how it relates to security awareness.
The keys to influence are:
- Focus on a small number of vital behaviors
  - It’s common to want to try to cover everything with security awareness. However, it makes more sense to step back, look at the top 3 areas of greatest risk, and get those covered. It may be passwords, phishing, and portable media. Whatever the areas are, it’s about identifying the vital behaviors you’re striving for and executing on them. In this case it may be: “contact the helpdesk when a phishing email arrives,” or “don’t use the same password across all sites.”
- Help them love what they hate
  - This is a really good one, because talking to people about passwords is sure to bring out emotion. “I have 75 sites to remember a password for, and they all have different requirements.” This is where security can step in and show employees how they can create unique passwords and remember them, or at least use a password manager.
- Help them do what they can’t
  - Many people are not technical, and when they are shown how to do something technical, they feel empowered. With security awareness, if they can’t decipher phishing emails, it’s time to sit down with them and help them learn how to identify the more obvious ones.
- Provide encouragement
  - Oftentimes this is the little wins. It doesn’t have to be anything big, just something to keep them going. So, when an employee does a good security deed, promote that positive and encourage more of the same.
- Provide assistance
  - Encouragement tends to work well to keep morale up, but assistance is the help they actually need. Generally, people will do the right thing if they know what the right thing is. However, they need help getting there, and that is the assistance aspect of changing behavior.
- Change their economy
  - Influencer recommends modestly and intelligently rewarding early success and using caution with “punishment.” Punishment in security is such a gray area. If you are going to punish the call center employee for clicking on the link, will the CFO also be punished when s/he does the same?
A lot of these tips are common sense. The key is to read the book and find ways to match it up with how you promote security within your company, and with how influence toward behavioral change can be achieved.