Maybe the biggest misconception about forming new habits is that the biggest factor for success is the motivation to change. We often imagine that as long as we want to make a change in our lives, we have the power to do it. In fact, motivation is actually the least reliable element making behavior changes. The hard truth is that simply wanting to make a change is far from enough.
The reason? Motivation isn’t a static thing, it comes and goes in waves. It’s therefore tough to keep our motivation high enough to lead to lasting behavior change. Take the response to the COVID-19 pandemic, for example. When it appeared in the U.S, we were highly motivated to socially distance. As time went on, however, more and more people started to take risks and go out more. The reason isn’t because the dangers were any less present, but because our motivation to stay inside started to wane. The point is, if the sole component to any behavior change is motivation, once that motivation starts to diminish, so will the new habit.
Of course, we have to at some level want to make a change, but we also have to realize that it’s simply not enough. Instead, we need to rely more on starting with changes that requires the least amount of motivate necessary for it to occur. This is the idea behind BJ Fogg’s Tiny Habits that we wrote about last week. If you want to start reading more, it might be tempting to try reading a chapter or two every day. But more often than not, you’re not going to be motivated to keep that up for long. Instead, if your goal is just to read one paragraph of a day a couple times a day, you’re far more likely to keep up the new habit. Then, over time, you’ll find you need less motivation to read more and more, until you don’t even think about it any more.
This can be a hard pill to swallow. We like to believe that we can do anything we set our minds to, and it’s a little disheartening to think we don’t have as much control over our motivation as we might prefer. When looked at from a different angle, however, understanding this fact allows us to focus on what we can control: setting achievable goals and rewarding ourselves when we met them. Focusing on that rather than our inability to keep our motivation high will lead to more successful behavior change.
When you want to form a new habit or learn something new, you may think the best way to start is to dedicate as much time and energy as you can to it. If you want a learn new language, for example, you may think that spending a couple of hours every day doing vocab drills will help you learn faster. Well, according to behavioral scientist BJ Fogg, you might be taking the wrong approach. Instead, it’s better to focus on what Fogg calls tiny habits: small, easy to accomplish actions that keep you engaged without overwhelming you.
Sure, if you study Spanish for three hours a day you may learn at a fast rate. The problem, however, is that too often we try to do too much too soon. By setting unrealistic goals or expecting too much from ourselves, new habits can be hard to maintain. Instead, if you only spend five minutes a day, chances are you will be able to sustain and grow the habit over a longer period of time and have a better chance of retaining what you’ve learned.
The Keys To Success
According to Fogg, in order to create lasting behavior change, three elements come together at the same moment need to come together:
Motivation: You have to want to make a change.
Ability: The new habit has to be achievable.
Prompt: There needs to be some notification or reminder that tells you its time to do the behavior.
Creating and sustaining new habits requires all three of these elements to be successful — with any element missing, your new behavior won’t occur. For example, if you want go for a 5 mile run, you’re going to need a lot of motivation to do it. But if you set smaller, easy to achieve goals — like running for 5 minutes — you only need a littlemotivation to do the new behavior.
The other key factor is to help yourself feel successful. Spending 2 minutes reviewing Spanish tenses may not feel like a big accomplishment, but by celebrating every little win you will reinforce your motivation to continue.
The Future of Cyber Awareness
Tiny habits can not only help people learn a new language or start flossing, it can also play an important role in forming safer, more conscious online practices. Our cyber awareness training program, The PhishMarket™, is designed with these exact principles in mind. The program combines two elements, both based on Fogg’s model:
Phish Simulations: Using phish simulations help expose people to different forms of phish attacks, and motivates them to be more alert when looking at their inbox. While most programs scold or punish users who fall for a phish, The PhishMarket™ instead uses positive reinforcement to encourage users to keep going.
Micro-Lessons: Unlike most training programs that just send you informative videos and infographics, The PhishMarket™ exclusively uses short, interactive lessons that engage users and encourage them to participate and discuss what they’ve learned. By keeping the lessons short, users only need to dedicate a few minutes a day and aren’t inundated with a barrage of information all at once.
Creating smart and safe online habits is vital to our world today. But traditional training techniques are too often boring, inconsistent, and end up feeling like a chore. Instead, we believe the best way to help people make meaningful changes in their online behavior is to focus on the small things. By leveraging Fogg’s tiny habits model, The PhishMarket™ has successfully helped users feel more confident in their ability to spot phish and disinformation.
Yes, sometimes it’s better not to be recognized. Especially if it’s in the Verizon 2020 Data Breach Investigations Report which shows new and emerging trends of the cyber threat landscape. Anyone who is anyone in cyber wants to get their hands on it as soon as it’s published (and we are no exception). As has been for many years, one of the key reasons behind data breaches involves what we do (or don’t do). In fact, this year’s report shows that 3 out of the top 5 threat actions that lead to a breach involve human’s either making mistakes or being tricked. Below is a closer look at those 3 threat actions, and the human factors they rely on.
In this year’s report, phishing attacks lead the cyber threat pack for successful breaches. It it also the most common form of social engineering used today, making up 80% of all cases. A phish attacker doesn’t need to rely on a lot of complicated technical know-how to steal information from their victims. Instead, phishing is a cyber threat that relies exclusively on manipulating people’s emotions and critical thinking skills to trick them into believing the email they are looking at is legitimate.
One surprising aspect of the report is the rise of misdelivery as a cause of data breaches. This is a different kind of human factored cyber threat: the pure and simple error. And there is nothing very complicated about it: someone within the organization will accidentally send sensitive documents or emails to the wrong person. While this may seem like a small mistake, the impact can be great, especially for industries handling highly sensitive information, such as healthcare and financial services.
Misconfigurations as a cause of data breaches is also on the rise, up nearly 5% from the previous year. Misconfigurations cover everything security personnel not setting up cloud storage properly, undefined access restrictions, or even something as simple as a disabled firewall. While this form of cyber threat involves technological tools, the issues is first and foremost with the errors made by those within an organization. Simply put, if a device, network, or database is not properly configured, the chances of a data breach sky rocket.
So What’s to Stop Us?
By and large we all understand the dangers cyber threats pose to our organizations, and the amount of tools available to defend against these threats are ever-increasing And yet, while there is now more technology to stop the intruders, at the end of the day it still comes down to the decisions we make and the behaviors we have (and which are often used against us).
We know a few things: compliance “check the box” training doesn’t work (but you knew that already); “gotcha” training once you accidentally click on a simulated phish doesn’t work because punitive reinforcement rarely creates sustained behavior change; the IT department being the only group talking about security doesn’t work because that’s what they always talk about (if not blockchain).
Ugh. So what might work? If you want to have sustained cybersecurity behavior change, three things + one need to occur: 1) you need to be clear regarding the behaviors you want to see; 2) you need to make it easy for people to do; 3) you need people to feel successful doing it. And the “+ one” is that leadership needs to be doing and talking the same thing. In other words, the behaviors need to become part of the organizational culture and value structure.
If we design the behaviors we want and put them into practice, we can stop being number one. At least as far as Verizon is concerned.
“How prone to doubt, how cautious are the wise!”
We’ve written before about how hackers and online scammers rely on human factors just as much as technological factors. They attempt to manipulate our emotions in order to trick us into handing over information or even money. However, the problem of social engineering goes beyond these tactics used by scammers. We’ve all experienced the anxious rush to check our notifications as soon as they come in. But these aren’t just simple habits we’ve developed — our phones, and especially notifications, are literally re-wiring how our brains work and even dulling our critical thinking skills.
Ever heard of Pavlov’s dog? It was an experiment conducted by the physiologist Ivan Pavlov in which he rang a bell when presenting food to a dog. Upon seeing the food, the dog naturally began to salivate. After awhile, however, Pavlov rang the bell without giving the dog any food and found that the dog began to salivate based on the sound of the bell alone, effectively re-wiring how the dog’s brain responds to certain sounds. Well, this type of conditioned response is also exactly what our phone notifications are doing to us. The ping we hear when a text or email pops up on our phone acts as a trigger for our brain to release pleasure-seeking chemicals such as dopamine. According to behavioral psychologist Susan Weinschenk, this sets us on an endless dopamine loop: “Dopamine starts you seeking, then you get rewarded for the seeking, which makes you seek more. It becomes harder and harder to stop looking at email, stop texting, or stop checking your cell phone to see if you have a message or a new text.”
However, the way that notifications re-wire our brains goes beyond the endless search for more and more messages. The pleasure-seeking response that dopamine triggers can actually lower our ability to think critically, making us more susceptible to online scams. According to research conducted by The University of Florida and Google, the cognitive effects notifications have on us can lower our decision-making ability. The research found that we are more likely to detect a scam when we are stressed and on high alert. However, hormones like dopamine that are pleasure-based lower our level of alertness and make us less likely to detect potential scams. This is especially troublesome when it comes to phishing emails. Emails notifications release these “feeling good” chemicals which in turn makes it harder for us to discern if what we’re looking at is a fake.
There are, however, some steps we can take to combat this. If notifications are re-wiring our brains to be less alert, one step we can take is to simply turn off all notifications. This can limit the dopamine release that notifications trigger. Taking a few breaths before opening an email also helps. Pausing before responding to a notification can help break the “dopamine loop” by delaying the gratification cycle. Whatever method works best is up to you. The important thing is to be aware of how you respond to things like notifications. Taking the extra few seconds to think about what you’re doing and why might just save you from falling for a phish or other online scams.
Your organization’s cybersecurity team is on edge in the best of times. The bad guys are always out there and, like offensive lineman in American Football who are only noticed when they commit a penalty, cybersecurity personal are usually noticed only when something goes wrong. Now, as the game has changed, the quick transition to work from home, combined with the plethora of COVID-19 scams, phishing, and malware drowning the cybersecurity threat intel sources—not to mention the isolation—may leave your team at a chronically high stress level. And cybersecurity is far more than just your technical safeguards. At the end of the day, the stress your team feels could lead them to put their focus in the wrong place and let their guard down.
Here’s what you can do about it
Incorporate cybersecurity as a part of your overall business strategy process – now is the time to recognize cybersecurity as a key part of the organization’s strategy and that enables you to drive your mission forward.
Be a part of the cybersecurity planning process – be active, listen, and understand how your team is handling this.
Leverage your bully pulpit – communicate to the staff about the key areas your cybersecurity team is focused on and the role they are playing to keep the organization secure while everyone is working from home.
Check in – take the time to just check in and see how they are doing. A little goes a long way.
The truth is, when it comes to cybersecurity, your first and most effective line of defense is not your firewall or encryption protocol. It’s the people that form a team dedicated to protecting your organization. Working from home poses unique cybersecurity challenges, and it’s up to you to make sure your team is given the attention they need to do their job well.
Regardless of your business or your personal situation, it is hard to imagine that you have not been impacted by COVID. Among other things, it has exposed how vulnerable we are personally. How vulnerable our company is. How vulnerable our communities are.
And these vulnerabilities can create a sense of anxiety, which can build on itself, leaving feeling us helpless.
Perhaps the single most important thing we can do when we are vulnerable is to connect. To communicate. To reach out to others. If we do nothing but isolate, the vulnerabilities expose and consume us.
Cybersecurity professionals deal with vulnerabilities all the time. Often these individuals work as a group separately or perhaps communicating with other IT members. Unfortunately, apart from compliance audit reports or token security awareness programming, cybersecurity is rarely communicated and integrated into the overall culture of the business. How many times do security professionals say of corporate users and leadership, “They just don’t understand” and c-suite, marketing or other department users say with regards to cybersecurity, “They just don’t understand.” Imagine the understanding that could occur if everyone began to lean in and communicate about these issues as one team.
Just as during these times, a key way to address vulnerabilities in your systems is by connecting and communicating across channels. The more the IT and cybersecurity team is engaging with business leaders and staff and other stakeholders, the stronger the organizational culture will be to mitigate vulnerabilities and build resilience.