Surfing the Motivation Wave to Create Security Behavior Change - USENIX

Transcription

Surfing the motivation wave to create security behavior change
Masha Sedova
Masha@ElevateSecurity.com
Elevate Security

About Me
Computer security meets behavioral science
Co-Founder of security behavior change company
Built and ran Salesforce trust engagement team
Passionate about transforming security behaviors from “have to” to “want to”

“I want my employees to be better at security”
This presentation will explore:
Myths about influencing security habits
The behavioral elements of human beings that can get us to security behavior change
Focus on motivation as a key element

Myth #1
Training will change behavior

Training Doesn’t Work
Historically, the industry solution has been to insist on terrible “check the box” trainings as an employee’s only defense.
95% of breaches are caused by human factors.
15% Retention

Rethinking Communications
The problem must be in the method of delivering this information - right?!
We’ve been creative about ways to get information in front of people:
5 million adults in the United States currently smoke cigarettes

Knowing Isn’t Enough

Behavior Change Components
Motivation
Ability
Triggers

Behavior Change Model
By Dr. Bj Fogg

Myth #2
People have to care about security, all the time

Unrealistic Expectations

Behavior Change Model
By Dr. Bj Fogg

Security Action Can Be Simplified

Having secure passwords for all sites
HARD: Remember 20 unique characters across 40 sites
EASY: Install a password manager

Reporting suspicious activity
HARD: Look up correct email, reporting guidelines & send
EASY: Install a “Report” button

Stop tailgating
HARD: Social Accountability
EASY: Install a man-trap or in/out badging

What about things that are hard to do?
By Dr. Bj Fogg

When Does Motivation Occur?
Hard things require high motivation.

Naturally Occurring Motivation
Predictable Events: Audits, Red Team exercises
Unpredictable Events: Breaches, Incidents, News events
[Charts: motivation over time, around an event]

Good leaders seize crises to remake organizational habits.
Charles Duhigg, The Power Of Habit

Myth #3
Money is a good motivator

Market Norms: Assigning a monetary value to an exchange
Social Norms: The actions among friends that are not based on money.
Dan Ariely, PhD, Predictably Irrational

“Generating” Motivation
Connect security to the things people already care about.
People are motivated by: Hope/Fear, Social, Money, Pride, Interest, Achievement, Curiosity, Praise, Punishment
People will do something because they matter, they are interesting, part of something more important.
Daniel Pink, Drive

Myth #4
Shame/blame for bad behaviors is a good tactic

Positive vs Negative Motivation
5:1 Positive to Negative exchanges
20% of security teams have positive recognition programs

How to Create Positive rds
Capture the Flag
Feedback on their impact
Awarded points
Recognition emails
Top performer award
Bug Bounties
Champion Programs
Access to exclusive swag
Company-wide shoutouts
Achievement

Takeaways
Motivation is required when something is hard to do.
First - make it easy. Second - rely on motivation.
Leverage naturally occurring events for motivation.
Connect intrinsic motivations to security motivation.
Negative feedback should be balanced with positive motivation.

Comments? Questions?
Let’s stay in
