Security Awareness For Dummies. Ira Winkler

Читать онлайн книгу.

Security Awareness For Dummies - Ira  Winkler


Скачать книгу
3-2.)

      FIGURE 3-2: The ABCs of behavioral science.

      Here’s how to break down the ABCs of behavioral science:

       A stands for antecedents. In the context of this book, an antecedent is something that intends to influence a behavior. Antecedents in the security field are usually security awareness efforts. For example, users might see posters reminding them to wear their security access badges.

       B stands for behavior. The B is the desired behavior that you’re trying to create. For example, users may be expected to wear their badges at all times while in the building.

       C stands for consequences. Consequences are the responses to the behaviors. Users may experience a range of consequences for their behaviors:Negative consequences: The user experiences embarrassment, inconvenience, or correction. For example, a security guard might stop someone who has forgotten their badge, or the person may be unable to enter an area that’s protected by a badge reader.Positive consequences: The user is rewarded for the behavior.Neutral consequences: The behavior happens, and the user experiences no obvious consequence.

      To apply this concept using clean desks as an example, consider how you tell people to keep a clean desk and lock computers and hard copy materials when unattended. You provide awareness to tell them what to do and what is expected. Combined with the awareness you provide, they also see what their coworkers are doing. They then either follow your guidance or not. They might partially follow your guidance as well, such as shutting down their computers but not securing hard copy materials.

      

Both antecedents and consequences influence behaviors; however, they don’t influence behaviors equally. Antecedents have at best a 20 percent effect on changing behavior. Consequences have an impact of 80 percent or more.

      In the ideal world, you can provide positive consequences for improved behaviors. However, providing negative consequences should not be out of the question, especially if the insecure behavior costs the organization money or other resources.

      Consequences should be consistent across the entire organization. Some individuals may rebel against or ignore certain consequences, but your goal is to move the organization as a whole. This doesn’t require everyone to adhere to follow your guidance — just most people.

      

Culture, from the ABCs of awareness, can serve as a form of consequences. Culture provides peer pressure. Peer pressure is one of the most effective forms of consequences and drivers for change. If you can improve the security culture, the culture provides all the consequences you need.

      The Fogg Behavior Model

      Dr. BJ Fogg is the Stanford University researcher and widely noted behavioral expert who created the Fogg Behavior Model. In the most general of terms, he studied what caused humans to exhibit various behaviors at different times. Although his model is based on the psychology of individuals, it explains many user actions. If you understand the model, you can design consequences that can impact the entire organization.

      

To read more about the Fogg Behavior Model, see Dr. BJ Fogg’s website (https://behaviormodel.org). You can find his book, Tiny Habits: The Small Changes That Change Everything (Harvest, 2021) and other resources on his website, as well.

      Conversely, if motivation is low but the task is simple, you’re generally inclined to do it. An example is putting a dish in a dishwasher.

      In the case of saving the child and putting the dish in the dishwasher, you have prompts, or indicators that an action needs to be taken. The prompt for the mother taking heroic actions is the child in danger. The prompt for putting a dish in a dishwasher is the plate being in the proximity of the dishwasher. The action line represents the theoretical point where the combination of the motivation, action, and prompt is likely to have an individual take a desired action.

      Though the intent of the model is clearly based on individual motivation, you can consider this mapping at a group level to determine the abilities you need to create within the overall organization. Abilities are the skills your awareness program needs to create or encourage so that the users have the requisite knowledge to complete the desired behavior. Likewise, you can create consequences to create perceived motivations across the entire organization. Awareness can also make people aware of the prompts to better trigger the desired behaviors.

      For example, food service workers are mandated to wash their hands after using the restroom. This task requires minimal ability, so all that’s required is the appropriate prompt, or nudge (discussed in Chapter 7). The prompt is frequently a sign in the restroom stating that employees are required by law to wash their hands before returning to work. The prompt is simple, and sinks are immediately available. The motivation is a reminder that the workers can be punished for not washing their hands.

      

Prompts (or nudges) should be placed as close as possible to the spot where a behavior should be exhibited. For example, if you want people to lock their desks or computer monitors when their desks are unattended, put a reminder on their computers or desks — or at the exit to the office/cubicle area.

      Relating B:MAP to the ABCs of awareness and behavior

      Culture and consequences also have an impact on motivation and prompts. Peer pressure can be quite a strong motivator. The desire to avoid disappointing peers is a critical motivator, and if peers create a negative consequence for an individual not performing an action, it again incentivizes the action.

      At the same time, your awareness program should provide information and other resources to increase the ability of the individuals to perform the actions. This might be, for example, better instruction on how to detect and report phishing messages.

      

As an awareness professional, your job is technically to create awareness of the desired behaviors. You should also look
Скачать книгу