In their book, “Switch: How to Change Things When Change is Hard” authors Chip and Dan Heath examine how influencing humans to change requires appealing to two parts of the brain: the rational and the emotional. Since the emotional part of our brain often gets frustrated when asked to make huge changes, Chip and Dan recommend that we “shrink the change” to change behavior in the face of resistance.
The Heaths cite financial guru Dave Ramsey’s “Debt Snowball” strategy as an effective example of shrinking the change. For people mired in a mountain of debt, this strategy advocates paying off their smallest debts first – regardless of interest rates. Although this flies in the face of conventional financial wisdom, it is a lot easier for people to remain focused by paying off a $200 debt than it is to pay off $200 of a $20k debt. It’s easier for our brains to process manageable changes, and when we feel like change is manageable, we’re more likely to implement it.
How can we apply this concept to security awareness? The debt snowball example doesn’t apply perfectly, but luckily our challenge is easier. In security, rather than ask people to focus on the small changes first, we can simply focus on the essential changes while eliminating many of the changes we are asking them to make. Security awareness programs often attempt to throw the kitchen sink at employees by providing training on a variety of security topics ranging from password complexity to USB policies to physical security. It’s no wonder recipients feel overwhelmed. If we can shrink the change we’re asking our users to make, security awareness will be significantly more effective.
Do we really need to train our users on all of these topics? In the case of password complexity, this is something we can effectively defend through technical controls, as any mature application can set rules to enforce strong passwords. Having secure passwords is a vital element of security, but teaching your employees why complex passwords are important is both unnecessary and a waste of time. This kind of training risks overloading recipients, since even the most effective password training won’t be better than a technical control.
“Teaching your employees why complex passwords are important is both unnecessary and a waste of time.”
The same is true of physical risks such as USB drives. Yes, malicious software on a USB drive can compromise your network, but this isn’t a tactic we are observing from the latest threats. Carrying out social engineering attacks is easier and more cost-effective, with a higher probability of success and equal amount of damage. Furthermore, a simple registry key setting can disable USB drives. If using a USB drive is unavoidable for an employee’s job function, then deliver the appropriate training. Unless it’s essential, why distract employees with it?
This logic applies to physical security as well. Don’t get me wrong, for some organizations physical security is crucial. If your most valuable assets can only be compromised by an adversary gaining physical access to your facility, then of course training employees to be cognizant of physical security is a big concern. However, the vast majority of sensitive information and intellectual property can be accessed by adversaries over the Internet, and the easiest way for them to break into your network is through email.
Training focused on specific topics enables a streamlined approach to security awareness. Just as the debt snowball encourages people to pay off debts by focusing on smaller, manageable payments, recipients will absorb and retain more of the training material when presented in bite-sized chunks. Delivering relevant training in 60-90 second training modules periodically over the course of a year will be more engaging and memorable than hour long training once a year.
Asking users to participate in security is asking them to make a change in their routine. By focusing security awareness on only the most relevant concepts, you can shrink the change without sacrificing the utility of your program.