The Explain The Humans series takes a look at common components of psychology and makes sure your security awareness program is aligned with the way real people work, learn and interact. The series will be heavily supported by the expertise of Jenny Radcliffe the ‘People Hacker’ as she guides us through some key areas – including how the boffins are not always correct!
Follow along with the series by checking out this page as we release new topics.
1. Positive Reinforcement
- Reward employees when they do something security focussed.
- Let the reward be seen, build your ethos and make it clear that something is good.
- keep mindful of bad behaviours, ensure there is no confusion why you are rewarding someone.
- Ensure your processes have no hidden shocks like complex forms people have to fill in to report phishing.
- If your security awareness program is a big long lists of ‘do not do this’ you are likely to receive some pushback.
- Could we use this concept to our advantage and pitch cyber security as a way to give people more options, something to enable them.
- Training stating things like ‘Do not click on links’ could trigger reactance – change it up.
- Make sure people understand the “why” behind the instruction so that their reasoning is satisfied and reactance doesn’t make them rebel!
- Create calm and order in your brain! Make sure people sleep, rest and keep healthy.
- Don’t let the cobwebs take over, periodically refresh memories to keep information factually correct and undo some of the errors with our memories.
- Make security concepts easy to process for people. relate new concepts to existing knowledge & memories people have.
- There is no use in someone learning security concepts like spotting a potential phishing email if they aren’t very clear on what to do next, and this shouldn’t be something they have to struggle to remember. Give clear advice frequently and make it very accessible, so that people know where to look for what to do next, rather than decide for themselves.
- Create one central place people in an organisation can turn to for cyber security help.
4. The Cocktail Party Effect
- Make sure your security awareness training is worth tuning in to.
- People are going to use several quality checks to quickly decide if your message benefits them and decide if they are going to listen to you.
- To increase the likelihood of you message being heard amongst the thousands of other business processes – be consistent, be personalised, be frequent.