When it comes to cybersecurity, our minds usually jump to complicated technical protections that only your IT department understands. And while these safeguards are certainly important, the truth is hackers are increasingly focusing on social engineering attacks to get into our networks. In fact, phishing attacks are now the number one cause of successful data breaches. Employees are therefore often the first line of defense against cyber attacks. That’s why more and more cybersecurity experts are emphasizing the importance of security training for employees. Business owners need to feel confident that their employees are developing online behaviors that keep the organization secure. The problem, however, is that traditional training programs aren’t always successful in achieving these behavior changes. This is, in part, because training programs too often use “gotcha!” methods when employees make a mistake, which only discourages employees instead of motivating them. Organizations should therefore focus on programs that use positive reinforcement in security training.
One popular form of cybersecurity training is phish simulation programs, where employees are spent emails designed to look like popular phishing scams. The problem, however, is that these programs always always rely on the gotcha method. When an employee clicks on a link in a fake phishing email, typically they will see a screen telling them they got caught and are then instructed to watch an informative video. The problem is that this approach causes the employee to associate negative emotions with the training and therefore reduces the likelihood of sustained behavior change. Simply put, this type of training creates a punitive environment that discourages the individual but doesn’t create meaningful change.
Instead, one study has shown that using positive reinforcement in security training actually produces safer, longer lasting online habits. Instead of punishing bad behavior, it’s actually more effective to focus on rewarding behavior you want to see, such as reporting phish: “By focusing on helping people feel successful, the campaign produced a positive result: a 30% reduction in overall phish susceptibility, and for individuals who had already been identified as habitual “phish clickers”, a reduction from 35% susceptivity to 0%.”
The key is the associate positive behaviors with positive feelings. It’s a small thing, but the impact could help businesses save a lot of time and money down the road.
Given that phishing attacks are now the #1 cause of successful data breaches, it’s no surprise that many individuals and organizations are looking for tools to help them get better at spotting phish. The problem, however, is that most of the available education tools reply on “passive” training material: infographics, videos, and sample phish. While this educational tools might teach you a few facts and figures, they don’t always lead to a long term change in how users respond to phish. Instead, educators should be looking for new tools and methods that change the very way we look at our emails. You know the phrase “Give someone a fish, feed him for a day. Teach someone to fish, feed him for a lifetime”? Well, the same is true for phish too.
The idea is simple: Instead of just looking at examples of phish, by engaging in the process of creating a phish you will internalize the tactics and tricks scammers in real life and will be better able to spot them.
There is actually a method that has been proven to work in similar settings, such as recognizing propaganda and misinformation. It’s called inoculation theory. The idea is similar to how vaccines work: by exposing people to small doses of something more dangerous, and by actively engaging them in the process, they can better defend themselves against the real thing in the future. Cambridge University used this theory to create an online game that asks users to create their own fake news.
In a similar way, teaching someone how to make phish creates an engaging way for users to understand how actual phishers think and what tactics they use to trick people. We believe this form of training has the potential to be far more successful in help users create long lasting change and help them stay safer online.
When you want to form a new habit or learn something new, you may think the best way to start is to dedicate as much time and energy as you can to it. If you want a learn new language, for example, you may think that spending a couple of hours every day doing vocab drills will help you learn faster. Well, according to behavioral scientist BJ Fogg, you might be taking the wrong approach. Instead, it’s better to focus on what Fogg calls tiny habits: small, easy to accomplish actions that keep you engaged without overwhelming you.
Sure, if you study Spanish for three hours a day you may learn at a fast rate. The problem, however, is that too often we try to do too much too soon. By setting unrealistic goals or expecting too much from ourselves, new habits can be hard to maintain. Instead, if you only spend five minutes a day, chances are you will be able to sustain and grow the habit over a longer period of time and have a better chance of retaining what you’ve learned.
The Keys To Success
According to Fogg, in order to create lasting behavior change, three elements come together at the same moment need to come together:
- Motivation: You have to want to make a change.
- Ability: The new habit has to be achievable.
- Prompt: There needs to be some notification or reminder that tells you its time to do the behavior.
Creating and sustaining new habits requires all three of these elements to be successful — with any element missing, your new behavior won’t occur. For example, if you want go for a 5 mile run, you’re going to need a lot of motivation to do it. But if you set smaller, easy to achieve goals — like running for 5 minutes — you only need a little motivation to do the new behavior.
The other key factor is to help yourself feel successful. Spending 2 minutes reviewing Spanish tenses may not feel like a big accomplishment, but by celebrating every little win you will reinforce your motivation to continue.
The Future of Cyber Awareness
Tiny habits can not only help people learn a new language or start flossing, it can also play an important role in forming safer, more conscious online practices. Our cyber awareness training program, The PhishMarket™, is designed with these exact principles in mind. The program combines two elements, both based on Fogg’s model:
Phish Simulations: Using phish simulations help expose people to different forms of phish attacks, and motivates them to be more alert when looking at their inbox. While most programs scold or punish users who fall for a phish, The PhishMarket™ instead uses positive reinforcement to encourage users to keep going.
Micro-Lessons: Unlike most training programs that just send you informative videos and infographics, The PhishMarket™ exclusively uses short, interactive lessons that engage users and encourage them to participate and discuss what they’ve learned. By keeping the lessons short, users only need to dedicate a few minutes a day and aren’t inundated with a barrage of information all at once.
Creating smart and safe online habits is vital to our world today. But traditional training techniques are too often boring, inconsistent, and end up feeling like a chore. Instead, we believe the best way to help people make meaningful changes in their online behavior is to focus on the small things. By leveraging Fogg’s tiny habits model, The PhishMarket™ has successfully helped users feel more confident in their ability to spot phish and disinformation.
The current crisis has forced all of us to make changes that we otherwise wouldn’t have made. The upside, however, is that some of these changes may end up benefiting us well beyond the pandemic. One area that desperately needs this change is our view of cyber awareness — whether in remote environments or at the office. One report found that 91% of IT leaders simply trusted their employees to maintain safe security practices while working at home. This trust, it turns out, is misplaced, with 48% of employees saying that they are less likely to follow security practices at home. The bottom line is, if organizations want their employees to take cyber awareness in remote environments more seriously, they need to find a new way to help their employees create lasting behavior change.
Working from home creates unique challenges for their employees. They’re distracted, they’re doing their work on their personal devices, and they don’t have co-workers and managers there to motivate them. To build better cyber awareness while working from home, organizations should therefore focus on creating “micro-moments.” These micro-moments are small opportunities that contain four key elements:
- Frequent and consistent
- Involve positive reinforcement
By combing these elements, micro-moments sensitize employees to thinking about cyber awareness in their daily work, motivate them to continue learning, and keep them from thinking about cyber awareness as a burden or something that takes away their ability to get work done.
We know this works because it is the very foundation of Designed Privacy’s cyber awareness program, The PhishMarket™. The program combines phish simulations, daily micro-lessons, and detailed reporting to create behavior change that employee want to maintain. A study of The PhishMarket™ conducted by Stanford’s Peace Innovation Lab found that our program resulted in a 30% reduction in overall phish susceptibility in just four weeks, and 70% of participants said they would do the program again.
By incorporating a new a new type of cyber awareness training that focuses on creating micro-moments, organizations can help their employees create lasting behavior change, and the trust IT leaders have in their employees won’t be as misplaced as before.
With phishing campaigns now the #1 cause of successful breaches, it’s no wonder more and more businesses are investing in phish simulations and cybersecurity awareness programs. These programs are designed to strengthen the biggest vulnerability every business has and that can’t be fixed through technological means: the human factor. One common misconception that may employers have, however, is that these programs should result in a systematic reduction of phish clicks over time. After all, what is the point of investing in phish simulations if your employees aren’t clicking on less phish? Well, a recent report from The National Institute of Standards and Technology actually makes the opposite argument. Phish come in all shapes and sizes; some are easy to catch while others are far more cunning. So, if your awareness program only focuses on phish that are easy to spot or are contextually irrelevant to the business, then a low phish click rate could lead to a false sense of of security, leaving employee’s unprepared for more crafty phishing campaigns. It’s therefore important that phish simulations present a range of difficulty, and that’s where the phish scale come in.
Weighing Your Phish
If phish simulations vary the difficulty of their phish, then employers should expect their phish click rates to vary as well. The problem is that this makes it hard to measure the effectiveness of the training. NIST therefore introduced the phish scale as a way to rate the difficulty of any given phish and weigh that difficulty when reporting the results of phish simulations. The scale focuses on two main factors:
The first factor included in the phish scale is the number of “cues” contained in a phish. A cue is anything within the email that one can look for to determine if it is real of not. Cues include anything from technical indicators, such as suspicious attachments or an email address that is different from the sender display name, to the type of content the email uses, such as an overly urgent tone or spelling and grammar mistakes. The idea is that the less cues a phish contains, the more difficult it will be to spot.
#2 Premise Alignment
The second factor in the phish scale is also the one that has a stronger influence on the difficulty of a phish. Essentially, premise alignment has to do with how accurately the content of the email aligns with what an employee expects or is used to seeing in their inbox. If a phish containing a fake unpaid invoice is sent to an employee who does data entry, for example, that employee is more likely to spot it than someone in accounting. Alternatively, a phish targeting the education sector is not going to be very successful if it is sent to a marketing firm. In general, the more a phish fits the context of a business and the employee’s role, the harder it will be to detect.
Managing Risk and Preparing for the Future
The importance of the phish scale is more than just helping businesses understand why phish click rates will vary. Instead, understanding how the difficulty of a phish effects factors such as response times and report rates will deepen the reporting of phish simulations, and ultimately give organizations a more accurate view of their phish risk. In turn, this will also influence an organization’s broader security risk profile and strengthen their ability to respond to those risks.
The phish scale can also play an important role in the evolving landscape of social engineering attacks. As email filtering systems become more advanced, phishing attacks may lessen over time. But that will only lead to new forms of social engineering across different platforms. NIST therefore hopes that the work done with the phish scale can also help manage responses to these threats as they emerge.
Remember the sales contest from the movie, Glengarry Glen Ross?
“First prize is a Cadillac Eldorado….Third prize is you’re fired.”
We seem to think that, in order to motivate people, we need both a carrot and stick. Reward or punishment. And yet, if we want people to change behaviors on a sustained basis, there’s only one method that works: the carrot.
One core concept I learned while applying behavior-design practices to cyber security awareness programming was that, if you want sustained behavior change (such as reducing phish susceptibility), you need to design behaviors that make people feel positive about themselves.
The importance of positive reinforcement is one of the main components of the model developed by BJ Fogg, the founder and director of Stanford’s Behavior Design Lab. Fogg discovered that behavior happens when three elements – motivation, ability, and a prompt – come together at the same moment. If any element is missing, behavior won’t occur.
I worked in collaboration with one of Fogg’s behavior-design consulting groups to bring these principles to cyber security awareness. We found that, in order to change digital behaviors and enhance a healthy cyber security posture, you need to help people feel successful. And you need the behavior to be easy to do, because you cannot assume the employee’s motivation is high.
Our program is therefore based on positive reinforcement when a user correctly reports a phish and is combined with daily exposure to cyber security awareness concepts through interactive lessons that only take 4 minutes a day.
To learn more about our work, you can read Stanford’s Peace Innovation Lab article about the project.
The upshot is behavior-design concepts like these will not only help drive change for better cyber security awareness; they can drive change for all of your other risk management programs too.
There are many facets to the behavior design process, but if you focus on these two things (BJ Fogg’s Maxims) your risk management program stands to be in a better position to drive the type of change you’re looking for:
1) help people feel good about themselves and their work
2) promote behaviors that they’ll actually want to do
After all, I want you to feel successful, too.