Perry Carpenter is lead evangelist for KnowBe4 Inc., supplier of the popular Security Awareness Training & Simulated Phishing platform.
IT and cybersecurity teams often spend a lot of energy providing the right controls and user training in an effort to defend against network threats. The belief is that if we give people, in this case employees, the right information, they will make the right decisions.
Unfortunately, humans are not rational beings. Influencing their behavior is much more complex than just making policy and providing annual training.
Traditional security awareness training programs have fallen prey to this erroneous assumption: they assume that if employees simply know what to do, they will do the right thing. Unfortunately, in most situations, they won’t.
Why? Because humans are not simple calculators.
Laziness leads to automatic, often wrong decisions
People can be lazy. We all have a finite amount of mental energy at our disposal to get through the day – at work and at home. When confronted with decisions we have to make, we tend to take the easy road, which is to resort to reflexive, automatic behaviors.
Daniel Kahneman, behavioral economist and Nobel laureate, calls this ‘System 1 thinking’ in his book Thinking, Fast and Slow: thinking that relies on previously learned shortcuts and leads to automatic decisions. Unfortunately, those automatic decisions may not be the right ones. And in certain situations, such as when you are faced with a potential phishing attack, this can lead to potential (or real) risk.
We are on autopilot about 95% of the time. When it comes to preparing employees to be on the front lines defending against cybersecurity threats, being on autopilot is not a good thing. We need to move them along the path to what Kahneman calls System 2 thinking.
Encouraging Employees to System 2 Thinking
System 2, or slow thinking, leads to better reasoned and more accurate decisions. However, we do not get there on our own. Our minds tend to stay in System 1 mode. We must consciously move to System 2 thinking and consciously encourage our employees to do the same.
That calls for taking human nature into account when writing policies, designing processes, or sourcing and deploying technology. It is important to look for opportunities in process and technology-based controls that provide just-in-time learning opportunities, create learning moments, or introduce pattern breaks to capture employees’ attention and move them to System 2 thinking and more conscious decision-making.
For example, colorful banners can tell users that an email is potentially dangerous. These prompts in the moment can help interrupt System 1’s automatic response and lead to more thoughtful, accurate, and appropriate System 2 responses.
Of course, over time, even these cues are ignored. They become part of the general ‘background noise’ that our minds learn to filter out. So we need to constantly find new ways to grab employees’ attention to help them avoid automatic responses that can lead to organizational risks.
The power of social pressure
Another factor that influences employee decisions is social pressure. We tend to mirror the behavior of the people around us. Sometimes we even do that automatically. So, for example, from a security standpoint, if the people around us don’t log out of their computers when they leave their work area, we will probably do the same. If we see our supervisors and managers sharing passwords, why wouldn’t we think we can do the same?
Humans are multifaceted creatures that are constantly influenced by the world around them. They are constantly picking up sensory cues from multiple sources — cues they may not be aware of.
Implementing behavioral controls that lead employees to do the right thing at the right time is a great goal, but getting there takes a multifaceted approach. That requires:
• Understanding employees’ knowledge of their cybersecurity role, identifying any gaps, and filling those gaps with information over time. This can be a combination of just-in-time learning opportunities, learning moments, or pattern breaks that grab users’ attention.
• Harnessing the power of colleagues to support, coach, and model the behaviors needed to protect business systems and data. Proactively recognize and acknowledge those employees whose efforts are aligned with your cybersecurity culture.
• Protecting data through technology. Firewalls and other technology solutions will always be an important part of data protection and system security. The point, however, is that they are not the only option.
Keep in mind that these efforts have to happen over time – it’s a process, not an event. Knowledge, social pressure and the right technologies all play a role. You can even use System 1 to your advantage if you design for it and help your employees build safe habits. A solid understanding of social science and how it influences behavior can help businesses build and support a security infrastructure that minimizes risk.