Like precocious teenagers, some employees don’t want to be told what to do when it comes to cyber security. Too many rules about what they can and cannot do with technology can lead to bad decisions that inadvertently put company data at risk. Instead, a more subtle approach is required to help them make better decisions on their own.
But changing employees’ behavior is no easy task. People have an innate need to socialize and share information, says Alessandro Acquisti, professor of IT and public policy at Carnegie Mellon University, and a member of Carnegie Mellon CyLab.
In studies, self-disclosure was found to trigger neural mechanisms in the brain that are associated with reward, showing that people highly value the ability to share thoughts and feelings with others. In one experiment, subjects were even willing to pass up money for the chance to disclose information about themselves.
“The problem is that modern technology has increased our ability to disclose information to such a degree that we no longer realize how much we’re giving and to how many people,” Acquisti says.
Awareness training for employees does help, according to Aberdeen Group. Changing employee behavior reduces the risk of a security breach by 45% to 70%. What’s more, it can be accomplished with less foot-dragging than security leaders might think – if they pull the right behavioral strings.
Here are five sneaky ways employers and researchers are leveraging positive and equally powerful human behaviors to guide employees toward better security decisions.
1. The Hero
Insurance provider XL Group was looking for a way to grab employees’ attention so that they could pass on valuable security information – not only to protect corporate data, but personal information, as well.
The company wanted everyone to work toward a common goal and appeal to their sense of compassion. So it asked employees to accept a challenge -- watch an educational security video and in turn, for every view of the video, the company would donate a dollar to Doctors Without Borders, an international medical humanitarian organization that provides aid in nearly 70 countries.
The company created seven educational videos around protecting the company, its data, mobile devices and personal data with topics on spear phishing, phone phishing, bot nets and social media threats. The short videos were delivered monthly through emails and blogs.
“The goal was to have the videos watched by XL colleagues 10,000 times, raising $10,000 for Doctors Without Borders,” says Thomas Dunbar, chief information risk officer. The campaign easily exceeded its goal and Dunbar’s team presented a check to the charity in December.
Equally important to the company, the campaign engaged 4,500 XL Group employees worldwide in protecting their corporate and personal information.
Lorrie Cranor, director of the CyLab Usable Privacy and Security Lab
2. The Nudge
You’ve been pinged, you’ve been poked, now prepare to be nudged. Borrowing a page from economics literature, researchers at Carnegie Mellon are experimenting with “soft paternalism.”
“We’re going to let you make the decision, but we’re going to nudge you toward doing what we think is best for you,” says Lorrie Cranor, director of the CyLab Usable Privacy and Security Lab.
For instance, one tool focuses on avoiding regret and helps social media users make better choices about their posts. As users are typing, the tool randomly selects five people from the writer’s list of contacts who are about to see the post, and it shows their profile pictures on the screen. “People you may have forgotten about may pop up, and it makes you rethink what you’re writing,” Cranor says.
3. The Countdown
To get people to stop and think, CMU built another tool that provides a 10 second countdown timer before a post is published. “You can see it, edit it, or cancel it “ in those 10 seconds, Cranor says. “We found that it was actually a pretty effective way to get people to stop and think.”
Both of these tools could be very effective in the workplace, Cranor says. “You could develop a nudging tool that would be on the look out for things against company policy and provide these hints and suggestions - ‘hey, look again at what you’re about to send and see if it crosses the line,’” Cranor says.
4. The Game
Using interactive gaming techniques to educate or motivate users – otherwise known as gamification -- has shifted from customer-focused applications that are led by marketing, to more employee-focused applications led by IT for security awareness.
These interactive software games usually rely on employees’ competitive nature and involve teaching the player a particular security concept and then putting them into scenarios where they can apply the concept. The player competes against the clock and receives points for every correct behavior scored.
“We’re trying to give them that similar experience that they have at work where they’re multitasking and have to make quick decisions,” says Joe Ferrara, president and CEO of security awareness and training company Wombat Technologies in Pittsburgh.
While some employees play to achieve their personal best scores, some companies organize contests around game-based training between individuals or groups and award prizes, says Ferrara.
EMC used an online game and accompanying Elvis-themed “Suspicious Link” video (a parody of his “suspicious minds” song) to make employees worldwide aware of phishing scams and their impact on the company. Employees had to watch the video and then answer all questions correctly to be entered to win an iPad Air. Centers of Excellence around the globe also competed as teams to win an office party.
“We like to run contests because we know users don’t just want to learn,” says Brian Osterman, risk analyst. “We try to gamify it and increase the competition so it’s actually fun.”
5. The Simple ‘Thank You’
At safety science company UL LLC in Northbrook, Ill., there are no cash rewards for security-minded behavior. But when an employee spots a very high-risk phishing scam and are one of the first people to respond, the security team gives them validation by sending them a thank-you note and copying their supervisors, the head of the business unit and occasionally the CEO. “That goes a long way,” says Steve Wenc, senior vice president and chief risk officer.
UL developed a behavior-focused security education program designed to help its nearly 11,000 employees recognize phishing messages and quickly report them to UL's security team. The program has created a crowd-sourced "human firewall." On a daily basis, UL employees are spotting new attacks, reporting them -- often within minutes -- and enabling UL's security team to quickly take steps to block the attacks, alert other users and remediate infections.
Since the project’s inception, incident reports have increased from 10 a month to over 1,000, and UL reports a 19% decrease in virus-related incidents.
“We appreciate what they’re doing,” Wenc says. “When they spot [a scam] that has impact on the company, we tell them, ‘You saved your colleagues and our customers from an attack.’”
This story, "Five sneaky ways companies are changing employees’ security behavior" was originally published by CSO.