As any of us who have lost hundreds of pounds over the years through multiple yo-yo diets will tell you, willpower does not produce lasting change. That’s because willpower requires consistently high motivation over time. Unfortunately, motivation is rarely consistent and certainly not over long periods of time. Willpower is dynamic and episodic. Relying on motivation can perhaps get you started, but it will not keep you on the path.
Security Awareness programs that focus on punitive approaches to digital behaviors, basically stating that “the beatings will continue until the morale improves,” are demonstrating the mirror side of change via motivation, which is intimidation. Like motivation, intimidation is not static, but is dynamic and often yields unintended consequences that damage not only the individual but the enterprise.
Instead, look to increase your ability around the behavior you want to change. Begin by making it easy to do. Help people feel good about themselves when they do it. Build it into their routine.
If you don’t ask for promises, you won’t get pretense. Instead, you will get results.
We’ve talked about the human factors of cybersecurity and the importance of exposing employees to social engineering scams and other attacks that exploit human vulnerabilities. However, when we look at how to improve our organization’s digital practices, we have to do more than train and simulate phish. We have to take a look at what we are asking staff to do and make sure that the cybersecurity behaviors we want them to do are easy, not difficult. Otherwise, those behaviors will become hard to sustain in the long term.
When you’re trying to create new behaviors — for yourself or for your employees — it’s essential to remember that motivation is not a constant. You might be energized and excited to spot phishing emails when you first learn about them, but over time that could fade. You might get stressed about other parts of your job, or you might be distracted by friends and family, and over time your interest in your new habit may start to fade. But that is okay! According to behavior scientist BJ Fogg, instead of trying to keep yourself motivated, focus on creating behaviors that are so easy you can do them without worrying about motivation at all.
So, when it comes to fostering cybersecurity behaviors in your employees, it’s essential to keep things short and easy to do. And the truth is, there are a number of super easy cybersecurity behaviors that will help keep you, your employees, and your businesses from being vulnerable to cyber threats. Here are just a few:
Automated Security Scanning
One example of a simple behavior for your software security is to run applications through an automated security scanning tool. Automation is becoming more and more helpful for taking some of the burden off your IT and security staff. Now, many scanning tools can be set to run automatically, and will highlight potential vulnerabilities in your applications, systems, and even websites. This will leave your security team to evaluate and patch vulnerabilities, instead of wading through your entire system looking for any holes.
Another important and easy cybersecurity tool is single sign-on (SSO). Essentially, SSO allows employees to use one set of credentials to access a variety of separate services and applications. While it may seem safer to have different credentials for every application, single sign-on can actually create stronger authentication processes across the enterprise. As companies began to rely on more and more services, each requiring different credentials, it became hard for employees to keep track of all their login information, leading to worse password hygiene. By combining all credentials into one, it is easier for employees to use smart and secure credentials.
One other easy cybersecurity behavior you can implement is a phish reporting button within your email provider. It’s essential that your IT department is aware of any phishing emails being sent around the office, and in many cases it’s up to the employees to report any phish they receive. While simply forwarding an email to your IT help desk might not seem like a lot, using a simple button to report potential phish is that much easier. Implementing a feature as simple as a report button can increase your reporting and help your IT department keep the network safe.
There are plenty of additional cybersecurity behaviors that you can make easy. All you have to do is first look at what people do, find out what is making the behaviors you want to see difficult to accomplish, then work to make them easier.
This may seem obvious, but when you are trying to develop new habits and behaviors, one of the biggest areas to consider is your ability to actually do that new habit. If it’s too hard, you won’t be able to sustain the new habit unless you are highly motivated to do so (which, as we’ve mentioned, is not the right area to focus on). However, the point isn’t that you’ll never be able to learn new skills. The point is to think about ability differently. Instead of thinking that either you can do something or you can’t, breaking ability down into pieces will help you figure out what makes the new habit difficult to do.
When it comes to developing new behaviors, BJ Fogg breaks ability down into six categories that he called the “ability chain”:
Time: Do I have the time to devote to this?
Money: Can I afford to do this?
Physical Effort: Can I physically do this?
Mental Effort: Do I have the mental energy to do this?
Routine: Does the habit fit into my routine or will it require an adjustment?
Social: Is this behavior consistent with my social environment and values?
Once you’ve broken down ability into small chunks, you can start to figure out what exactly you are struggling with. Fogg says to ask the “Discovery Question”: for each link in the ability chain, ask yourself if that makes the new habit hard to do. Once you identify the ability (or abilities) that make doing this behavior hard, look for ways to make it easier.
Take running as an example. Do you have the time to run a couple times a week? Do you need to buy new shoes or clothes? If so, do you have the money to buy those things? Are you physically able to run? How much mental energy will going for a run take? Does going for a run change your routine too much? Is running consistent with my values? Once you go through the list, you can probably narrow the problem areas down to one or two of the links in the chain and focus on those. So, if my issue is that I can’t physically run for 30 minutes straight, maybe I start by trying to run for 5 minutes straight, then walk for a few minutes, then run for another 5. Then, over time, I’ll build up the strength to run for longer and longer stretches.
At the end of the day, it’s always better to start small in ways that address each link in the ability chain. Then you will be in a better position for sustained change over time.