Why it’s a waste of time trying to change people’s behaviour – TEISS®: Cracking Cyber Security
8 August 2018
Changing user behaviour often requires you to understand how users internalize certain behaviours in the first place. It’s more effective to modify and evolve users’ habits rather than forcing users to abandon a lifetime of unconscious actions.
Picture this: you’re headed to the office and there’s a colleague just ahead of you as you approach the front door to the lobby. As you pull out your security key to “badge in,” your colleague cheerfully holds the door open, smiles politely, and gestures for you to proceed … skipping the mandatory authentication step. How should you react?
- Graciously accept the offered open door and go about your day
- Admonish your colleague for their polite offer
Realistically, you can make a compelling argument for both answers. I argue that the right answer is neither of them … and both at the same time. The problem in this scenario is that the wrong response can damage employee morale without triggering any corresponding positive change in security compliance. If you accept the offered door, you’re tacitly approving the control violation. If you admonish a well-meaning colleague, you’re spurning his or her kindness and insulting their sense of duty.
Holding doors open for others is a common courtesy. Many children are taught from a very early age that it’s both polite and proper to open doors for their elders, for people carrying burdens, or for people using crutches, walkers, or wheelchairs. Some cultures also expect men to hold doors open for women regardless of context. People frame the act in many different ways, ranging from cultural norms to the kind person helping everyone because courtesy itself is an investment in social harmony.
People are more likely to voluntarily follow security rules when they feel invested in the safety of their co-workers.
The motivation isn’t as much the issue as the way the behaviour was taught: many people had parents, older siblings, and other authority figures train them from a very young and impressionable age via constant instruction and reinforcement. Instructions such as “Hold the door open for the lady, John” train children how to recognize their social duties, what the local rules of engagement are, and what to expect in terms of censure if they fail to meet expectations. This is inculcated behaviour: training by doing. It creates a lasting imperative in the minds of young people who usually keep complying with the social duty well into adulthood out of habit.
Then as adults, we receive a security key from our workplaces, and admonish our colleagues to act entirely against their lifelong standards of conduct. “Everyone has to badge in at every access point!” is one of the most common security controls enforced in a modern workplace. At the same time, it’s one of the most frequently violated rules. Not because of malice or incompetence, but because of people’s instinctive sense of courtesy.
We don’t want to turn our colleagues into rude people. That’s not only counterproductive, it’s insulting. We need to train people to follow required security protocols. So, how do we overcome a lifetime of unconscious behaviour without inflicting unwelcome damage? I argue that we have to reframe the expectation.
Organizations usually have rock-solid reasons for insisting on individual authentication when entering (or when transiting) secure work areas. Unauthorized people should not be allowed to access these areas – this includes former employees. Often, logs of user movement help to establish patterns of travel and timing for behaviour monitoring “big data” solutions that help spot when a spoofed or compromised account is being used to gain unauthorized access to a facility. These defensive controls only work when every user faithfully follows the “individual badging” protocol.
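To show why the logs only pay off when everyone badges individually, here is an added example (not from the article or TEISS) that runs two simple checks over constructed badge events: a badge at an inner door with no preceding badge at its outer door (someone was let through the outer door), and two doors passed by the same badge faster than the assumed walking time (a possible cloned or shared badge). The door topology, the 4-hour visit window and the 10-second walking time are assumptions for the example.

```python
from collections import defaultdict

# Assumed door topology: each inner door has one outer "parent" door that
# must be badged first during the same visit.
DOOR_PARENT = {"lobby": None, "lab": "lobby", "server-room": "lab"}
VISIT_WINDOW_SECONDS = 4 * 3600   # assumed: an outer badge "expires" after 4 h
MIN_WALK_SECONDS = 10             # assumed: fastest plausible walk between doors

# Constructed sample log: (timestamp_seconds, badge_id, door)
SAMPLE_EVENTS = [
    (0, "alice", "lobby"),
    (60, "alice", "lab"),        # normal: lobby, then lab a minute later
    (65, "bob", "lab"),          # bob never badged the lobby: held door
    (0, "dave", "lobby"),
    (20000, "dave", "lab"),      # dave's lobby badge is older than the window
    (120, "carol", "lobby"),
    (122, "carol", "lab"),       # lobby to lab in 2 s: implausible walk
]

def find_anomalies(events):
    """Return (kind, badge, door, ts) for events that violate the assumed rules.

    kind is "no_outer_badge" when the parent door was not badged within the
    visit window (the classic tailgating signature), or "implausible_speed"
    when the parent door was badged too recently to have been walked from.
    """
    last_seen = defaultdict(dict)   # badge -> {door: last timestamp}
    findings = []
    for ts, badge, door in sorted(events):
        parent = DOOR_PARENT[door]
        if parent is not None:
            prior = last_seen[badge].get(parent)
            if prior is None or ts - prior > VISIT_WINDOW_SECONDS:
                findings.append(("no_outer_badge", badge, door, ts))
            elif ts - prior < MIN_WALK_SECONDS:
                findings.append(("implausible_speed", badge, door, ts))
        last_seen[badge][door] = ts
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_EVENTS):
        print(finding)
```

Note that bob is only visible here because he badged at the inner door; had a colleague held that one open too, the log would contain no trace of him at all, which is exactly the gap the article describes.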
Security professionals often have a blind spot when it comes to security measures. We understand the larger picture so we’re less likely to mind paying the “tax” in time or effort required to make a control work properly. We often forget that others may see our control measures as burdensome interruptions that serve no practical purpose.
At the same time, people are naturally disinclined to reliably follow such rules – not because they’re bad people, but because they strongly want to be perceived as good by their peers and by strangers. People want to be seen as polite and helpful. That’s why the first person to reach a door opens it and holds the door open for others. “Badging in” is often perceived as just a subordinate function of the “open the door” protocol, not an important function in and of itself.
This is why successful behaviour change efforts have to take into account people’s cultural conditioning. When we teach new users our expectations for secure conduct, we should avoid asking people to act against their fundamental nature. Instead, we need to convince them to reconsider common actions so that they will understand the desired security control actions and incorporate them into their automatic response.
Given the individual badging requirement, the admonishment “Everyone must badge in individually” goes against most people’s cultural conditioning. Therefore, reframing the requirement as “The first person to the door is responsible for ensuring that everyone behind him/her badges in successfully” yields more consistent compliance. You’re allowing the lead person in a group to do what comes naturally, while adding an additional pro-security step. People are more likely to add a step to an existing standard procedure than they are to change a deeply-ingrained behaviour.
Expand this concept to other security controls that rely on user action and see how well it works for you. I believe that you’ll discover a happier, more cooperative user community when you work within their existing habits rather than trying to change them.