Hey Users! Why not Just do as You’re Told?

We sent you on a course…

Traditional security awareness courses are generally seen as pretty grim. David Lacey once summed up the average course as not much more than a “broadcast of facts”. Study after study finds the usual evidence of zero planning and appalling delivery, and no effort made to follow up.

It’s that last point that sticks out a bit. There’s no interest in checking on whether or not the training actually worked. Which implies that the cyber team’s objective is met by just running people through the course.

Because…? Well, at the end of a standard security awareness course, attendees will have been fully responsibilised. They will have been told what’s expected of them, and like as not, they will have been required to sign to agree that they’ve been told. That requirement has nothing to do with awareness. It’s about controlling user behaviour through future, threatened sanctions.

Which might explain why the traditional approach is a big fail. There’s a ton of evidence saying that when people perceive security rules as lacking in legitimacy, or when they think that the degree of monitoring of their actions is excessive, then they tend to either get round, or actively break those rules.

Whereas in general, not just in cyber, when people are involved in the creative process, you see a greater level of buy-in. The outcome also tends to be more useable. So might a collaborative approach be more effective?

Sidney Dekker is a well known authority within the safety field. His book “The Safety Anarchist” is a brilliant read. He suggests the idea of ‘freedom in a frame’ – a small number of red lines that should not be crossed, although within that framework, you’re free to work as you please. Agency (the feeling that you can make your own decisions and choose how to work) has been shown to have a positive effect not just on workplace contentment, but also on workplace behaviours. And at the very least, a collaborative approach that gives users the right to make their own decisions would lead to learning through experience, which is surely more effective than learning by rote.

However, this is cyber security. Let’s not get carried away.

Don’t bother me with the details

Instead, it’s becoming more and more difficult these days to avoid the words ‘nudge’ and ‘nudging’ in the field of cyber. Just about everyone claims that their psychology-based approach to user behaviour will improve security. The usual model put forward is the dual-process idea, which says that we have two ways of making a decision: one based on instinct and intuition, the other based on reasoning. By default we use the intuitive approach (because it’s quicker) and we only switch to the rational approach when the intuitive path fails to come up with an answer.


That’s the standard model anyway – intuitive (System 1) vs rational (System 2). Nudging uses System 1 shortcuts to steer decisions in a particular direction. It’s a helpful way to think about it, but as pointed out by a number of people, it’s unlikely to be so straightforward. And if someone tells you that it is, ask them to explain how come System 2 knows when to step in. It’s more likely that those two routes aren’t mutually exclusive options – they’re more like opposite ends of a spectrum, and our behaviour sits somewhere between the two, depending on circumstances, and depending on the way in which the problem has been presented to us. 

There’s also the inconvenient reality that nudging tends to be aimed at a single behaviour, whereas cyber practitioners would rather sell you a generally applicable solution. If you look through the literature on nudging, you’ll come across the tax letter example. Sending out a letter from the tax authority (in the UK, that’s HMRC), implying that most people in that postcode pay their tax on time, increases the proportion of people that pay their tax bill on time, because nobody wants to stand out. The evidence is that the letter did work, and I’m not calling it into doubt. But the cyber equivalent would be to claim that just sending people a letter makes them more honest.

On the other hand, this is cyber, so there’s an inevitable move to ignore inconvenient details. Such as the study by Szaszi et al., which examined a large number of nudging experiments. Their findings showed a tendency towards small sample sizes (smaller samples give less reliable results), and suggested that the number of successful experiments was remarkably high, all things considered. That implies a “file drawer effect”, where experimenters bin those findings that don’t show something novel and therefore newsworthy. That sounds like a detail, but it’s critical. It means that the measured effect sizes in the successful experiments lack any context. When those non-results are added back in, it’s not unusual to find that there’s no effect at all. That doesn’t mean nudging doesn’t work. But it does mean that nudging isn’t guaranteed to work.

The cyber proposal also usually involves a one-off behaviour change course, or the use of a single product, whereas in practice, developing and applying a nudge often requires a process of iterative refinement. That’s a lot of effort, obviously, so the reality of that gets reduced to a convenient pre-packaged solution. There may be other real-world issues if you try to employ iterative refinement in cyber by the way, since the process usually involves two groups, one that has had the nudge, one that hasn’t, and you then compare the results. Best check with Legal before you deliberately withhold security training from a set of employees. Just saying.

Why do companies exist?

All in all, it may be that the application of cyber psychology has been oversold. But there you go. Welcome to cyber. The more worrying aspect has been pointed out by Professor Angela Sasse, in a report for ENISA, the European Union Agency for Cybersecurity. The report examined a number of initiatives in the area, and concluded that there was a strong feeling amongst cyber practitioners that the application of psychology would “fix the stupid user”. That is, it wasn’t being seen as a new approach, just a new tool to achieve the same outcome. In terms of the preceding discussion, that outcome relates to the exercise of control over users.

And that’s the attractiveness of nudging applied to cyber. It offers the promise of control.

If you doubt that, please do look at the proposals for personalised nudging. The idea is that people should go through profiling on entry into the organisation, so that specific security nudges can then be tailored to their personality. Think of it as fixing tags on cattle. One suggestion goes so far as to say that people with high levels of impulsivity (there’s some weak evidence that it’s linked to unwelcome security behaviours) shouldn’t be recruited at all. That ignores the wider evidence of course, that high levels of impulsivity can be associated with high levels of creativity, which perhaps the organisation might welcome. And what do you do with those that can’t or won’t comply? Get rid, obviously, “even if they are your best salespeople”. Hmmm… ditching 20% of your revenue because one person won’t do what the security team tell them to do. Let me think about that. Or is it that the purpose of the company is to support the security team?

There are better approaches, if you’re willing to accept that collaboration might work. Isler et al., for example, found that by openly explaining cognitive biases, providing advice on countering them, and then issuing a call to action, people were more considered in their decision-making. The best thing being that there was nothing hidden. The purpose and the intent were all out in the open. You know, people being honest with each other.

We used these principles to develop an induction course that described two key biases (confirmation bias and optimism bias), and examined their relevance to security decision-making. We then offered a ‘top tip’: if you’re not sure whether or not you should press ‘send’, imagine that you have pressed it, and things have gone a bit awry. How would you explain your choice? If you can come up with a credible explanation, then the chances are it was a reasonable decision. If not, then you might want to look for a second opinion. You can see this technique described in other places as a ‘pre-mortem’. It takes a couple of seconds, and it tends to work. The session was rounded off with a couple of slides noting that the standard security model relies on a very clear split of ownership between security people and users. Under that approach, security people own security, which means that users tend to leave them to it. So you end up with ridiculous levels of technical controls, and no dialogue, whereas in reality it’s a shared problem. The ‘call to action’ was in the form of a statement saying that if security is getting in the way, please don’t work around it. Let us know, and we’ll see if we can find an option that doesn’t get in the way. Engage with us.

Using a different, more collaborative approach, we saw much higher levels of user engagement, and much less reliance on the assumption that ‘security has my back’ – that it will catch all my mistakes. The only warning note I would sound, if you choose to go down the same route, is that refresher sessions are essential. We did that in the form of bite-sized lessons offered online (so that people could do them when it was convenient), with just a hint of gamification to avoid a tick-box approach.

Bottom line

The ‘us and them’ approach isn’t working. It never will work.

At this point I could do the usual plea for common sense, why can’t we all just get along, etc., but that approach has been tried any number of times before, and it’s always come up short. So instead of appealing to the security team, I’m going to try the management team. Book yourself onto the next routine awareness session (i.e. not the shortened management version). If you’d be happy to put a customer through it, and you feel that your attitude to security has been changed, all well and good. I’m genuinely happy for you. But if not, what are you going to do about it?

Selected Sources

  1. Stewart, G. and D. Lacey, Death by a thousand facts: Criticising the technocratic approach to information security awareness. Information Management & Computer Security, 2012. 20(1): p. 29-38.
  2. Thiel, C., et al., Monitoring Employees Makes Them More Likely to Break Rules. Harvard Business Review, 2022. Available from: https://hbr.org/2022/06/monitoring-employees-makes-them-more-likely-to-break-rules.
  3. Dekker, S., The Safety Anarchist: Relying on human expertise and innovation, reducing bureaucracy and compliance. 2017, Routledge.
  4. Szaszi, B., et al., A systematic scoping review of the choice architecture movement: Toward understanding when and why nudges work. Journal of Behavioral Decision Making, 2018. 31(3): p. 355-366.
  5. ENISA, Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity. Available from: https://www.enisa.europa.eu/publications/cybersecurity-culture-guidelines-behavioural-aspects-of-cybersecurity.
  6. Isler, O., O. Yilmaz, and B. Dogruyol, Activating reflective thinking with decision justification and debiasing training. Judgment & Decision Making, 2020. 15(6).

First published 8th April 2024

Updated to selected sources 27th May 2024