
So you’re an IT geek and you’ve just been put in charge of your organisation’s security awareness? If only there were a manual or a white paper on how to program those tricky humans to be more reliable. Unfortunately, there’s no such batch job as fix_humans. The next best thing is to build your understanding of workplace psychology and behavioural influence.
Managing human behaviour in the workplace can be challenging, but for those interested in a structured approach to influencing user risk taking there are frameworks that can help. Behavioural frameworks allow us to understand behavioural problems in a formal, repeatable manner. Previously, we’ve covered Operant Conditioning, which rests on the premise that behaviour is a function of its consequences. This simply predicts that behaviour which is rewarded is likely to grow and continue. Conversely, behaviour which is punished is likely to reduce or be extinguished. This kind of behavioural engineering happens all the time in the workplace when we give bonuses for reaching sales targets or issue warnings for misconduct.
Antecedent, Behaviour and Consequences (the ABCs) is a central tenet of Applied Behaviour Analysis and builds on our understanding of the way reward and punishment work. Operant Conditioning focuses on the Behaviour and Consequences components. Adding the Antecedent component helps us understand the environment in which the behaviour took place and the stimuli that triggered it. Basically, it introduces a further dimension to the relationship between behaviour and consequences: the Consequences (C) shape the relationship between the Behaviour (B) and the environment, or Antecedent (A), in which it occurs.
From a systems design and process point of view, the introduction of environmental considerations is vital since it allows us to understand that it’s not always the behaviour that needs to change through the application of incentives. Sometimes, it’s the environment that needs to change. As we move beyond our stereotypes of idiotic users we start to understand that not all security violations are created equal. For example, they can be deliberate or accidental, and you can’t manage behavioural risk effectively without being clear on the difference between the two. There’s no point punishing someone for an accidental violation: you’re more likely to create anger, mistrust and a culture of non-reporting than to create positive behaviours. Non-intentional security violations come in many forms. There are ‘Slips’, which are actions deliberately carried out but performed wrongly. For example, attempting to encrypt a file but applying only trivial encryption: the person concerned thinks they have carried out the task successfully, but in fact the task has effectively failed. ‘Lapses’ are actions not carried out at all because of distraction or a lack of prompting to start the task. For example, forgetting to install anti-virus. ‘Mistakes’ are when the wrong action is carried out by someone who thought it was the correct course of action at the time. Mistakes usually occur at the planning stage, Lapses prior to the implementation stage and Slips at the task execution stage.
If security software is difficult to use then the result will be an increase in usability task failures (Slips). If people forget to carry out an action because they are busy or distracted then the result will be missed tasks (Lapses). Misunderstanding the nature of the problem or the effectiveness of the response options can lead to the wrong task being performed (Mistakes).
Training is primarily useful for reducing Slips. It can also help with Mistakes, but it is unlikely to reduce Lapses, which are more a consequence of the environment and the tools being used. For example, if an administrator forgets to run an important security backup, then before assigning them to extra awareness sessions on the importance of backups, consider their environment and the triggers that may or may not exist for their tasks. Are they in an open-plan office with a lot of noise? Are they next to a busy corridor and subject to frequent interruptions? Do they have other important tasks competing for their time and attention?
While it’s tempting to think that more training is a panacea for all behavioural problems, this isn’t always the case. It is vitally important to understand why a behaviour is occurring before trying to incentivise it or train the individuals concerned. Tax collectors aren’t normally known for cutting-edge ideas, but when UK HM Revenue and Customs starts investing in Antecedent, Behaviour and Consequences thinking to help get people to pay their taxes on time, we should be asking what we might learn from them about our own compliance issues.