Cyber security training – most IT security people would say that’s the answer to solving the insider threat problem.
But is it? Giving people information is certainly part of the solution, but on its own training rarely changes behaviour.
Peer pressure does.
And that is why socialising safe cyber behaviour is an essential strategy if you want to improve cyber security.
What does socialising cyber safety mean?
Socialising safe cyber behaviour involves changing an organisation’s culture so that unsafe cyber behaviour becomes as socially unacceptable as bullying and sexual harassment. It uses peer pressure or “social influence” to steer people into an acceptable way of behaving.
One of the reasons that peer pressure works is that most people like being in groups. Being in a group is safer than being isolated and, because humans evolved in a very dangerous world full of nasty predators (including other humans), we are hard-wired to want this.
If we want to belong to a particular group it helps a lot to behave like the other people in the group – wearing the same types of clothing, supporting the same football team, looking, sounding, thinking and behaving like them.
In other words, people in a group often think in similar ways. Promote the right way of thinking and you can use people's need to belong to a group to enhance cyber security and encourage cyber safe behaviour.
Following the herd
The most powerful way of doing this is to make safe behaviour seem to be what everyone else does – the "social norm". There is a lot of evidence that telling people about social norms changes their behaviour.
A good example of a company that successfully used social norms to change people's behaviour is Opower, a US company that works with energy utilities. Opower wanted to drive energy use down. It tried several messages to do this, such as:
- You can save $54 this month
- You can save the planet
- You can be a good citizen
None of these were particularly successful. So they tried a fourth message along the lines of:
- Your neighbours are doing better than you
The results were amazing: more than 75% of the people who found this out started to save energy. In the same way, a message along the lines of "83% of your colleagues never click on links in emails from unknown sources" is likely to influence people. Two caveats: the figure has to be real (take it from something you can measure, such as the results of a phishing simulation, not a guess), and the norm you publicise must be the safe behaviour. Telling people that "40% of staff clicked the link" tells the other 60% that clicking is normal, which is the opposite of what you want.
Making safe behaviour “visible” is another effective technique. People have a tendency to follow other people, as we have seen. So if one person is seen as behaving in a particular way, then others are likely to follow.
You are in the canteen when the person behind you at the counter sees what you have on your tray and says "That looks nice. I'll have one of those." Why do they do it? It might be because they didn't notice it before. But it is just as likely to be because they want to make a good impression on you by imitating you.
You will see this with body language too. When you are sitting opposite someone try changing your posture: cross your legs, fold your arms, rub your chin. The chances are the person opposite will “mirror” at least some of your changes in posture.
The same applies to cyber security. If one person acts in a particular way, then people near them may well imitate them. For instance, if you can get someone to say out loud that they always use a long, unique password to log on, or to say "No way I'd log on to our corporate network using Costalotta's free wi-fi", then others may well follow their lead.
People follow authority figures. So you want your leaders to act in a cyber safe manner.
There are different sorts of leaders in any group. I’d always suggest that you try to get your organisation’s formal leaders to act in a visibly cyber safe way (or at least avoid obviously unsafe behaviour).
But the CEO might not have much credibility when it comes to technology. One of the new interns may be far more credible, and influential. Or perhaps there are some popular social leaders in your organisation: these too will have lots of leadership power. Empowering your leaders to act as cyber safety role models will pay dividends.
Incentivising the group
Using group rewards that disappear if anyone steps out of line is an interesting idea. With this technique there is a reward when everyone behaves well, but the whole group loses it if even one person behaves badly. And as most people dislike being unpopular, they do their utmost to ensure that others don't lose out because of them.
Creative agency 23Red used this technique to get people to complete their time sheets.
Of course this technique only works if everyone belongs to the same social group. If there is a clique of people, perhaps in sales, who don’t interact much with the rest of the organisation, then they may well not feel obliged to behave well for the sake of their colleagues.
Naming and shaming
This is a little controversial, although I have seen it used successfully as a way of keeping the size of email directories down. With this technique bad behaviour is reported publicly – the digital equivalent of being put in the stocks. People may not throw cabbages at you, but it is still embarrassing to be called out in front of your peers for antisocial behaviour. Use it sparingly and only for clear-cut, low-stakes habits: if people fear being shamed, they will stop telling you when they have clicked on something they shouldn't have, and a phishing click you never hear about is far more dangerous than one that is reported within the hour.
Starting small
It may be practical to start the socialising process off using one or more small groups rather than trying to influence the whole of an organisation. Socialising behaviour in a small group has obvious limitations, but get some people to engage with cyber safety and their behaviour will soon be copied by others.
Cyber security expert Richard Knowlton suggested to me that telling stories in groups is a great way of generating understanding and acceptance of the threats that cyber brings. “My email was hacked…”, “I definitely got a phishing message on LinkedIn the other day…”, “One of my friends was emailed a fraudulent invoice the other day…” Share stories and you bring the problem to life and make it seem relevant for the people in your group.
You can even think about generating solutions as a group. Thinking tends to converge when people are in small groups, especially when they are faced with a hard problem. If you set your group a cyber threat problem they will probably come up with a common view of how to solve it.
Of course you want that view to be effective and practical, so you may want one or two “stooges” in your group who have been briefed about good solutions and who can lead the conversation in the right direction. But once you have arrived at the solution, the whole group are likely to agree with it as they have been involved in uncovering it.
Rewarding good behaviour
Providing public rewards and status can also generate social pressure. If people who have behaved safely – perhaps challenging a stranger who isn’t wearing a visitor’s badge, or politely suggesting to their boss that they shouldn’t use the business centre’s PC to log into the office network – are rewarded, and if the rewards are made public, that will encourage others.
Sales teams often work this way, with the most successful salesperson being publicly rewarded and applauded by their (no doubt slightly envious) peers. The key to this is to make the reward public: "Cyber Safe Employee of the Month" notices, mugs and mouse mats, special privileges such as being allowed to go home early…
All in all…
Socialising cyber safe behaviour is a very powerful tool. It isn't the only tool you can use, of course, and it's not a magic wand. You will still need the right technical controls and the right processes in place as well. But used with imagination it can make a big difference to your cyber security, as well as helping more general team bonding.
Keep cyber safe!