1.
Security on the Brain
Using Human Psychology to
Achieve Compliance
ISSA-UK Transport Security Expo Workshop 2013
Adrian Wright
CEO Secoda Risk Management
Board & VP Research ISSA-UK

2.
Human Psychology in Risk & Security
1
Risk Factors presentation
10:00
2
Workshop 1 – group exercise
10:30
3
Compliance Factors presentation
11:00
4
Workshop 2 – group exercise
11:30
5
Debate and closing remarks
12:00

3.
How I arrived here
•
20 years in IT Risk and Security – trying to make people aware and compliant
•
CISO Reuters 9 years: 17000 staff, 250,000 systems, 142 countries
•
Observed that some strategies work – and many that don’t…
•
Like Penicillin, some successes are discovered by accident
•
Follow-up research with security associations and CISO surveys
•
Incorporated useful NLP & psychology strategies
•
This is the story so far and proven strategies shown to actually work…

4.
Its all about people
•
Need for security never been greater
•
•
•
•
•
Easy to convince ourselves it’s a tech issue
•
•
•
•
Critically dependent on information
Mandated by regulators, PCI, customers
No fallback option
Threats, vulnerabilities & losses growing
Encryption, DLP, pen testing, patching will fix it?
Hackers & fraudsters
Investment in tech security measures growing
Information security just isn’t sexy
•
•
•
•
Especially the non-tech HR-sounding bits…
Its all doom and gloom
It’s a cost centre, not a profit centre
Gets in the way of business progress
• We’ve become used to all the problems
•
•
•
News full of breach stories every day
Post PRISM the bar is permanently lowered…
"If we once accept the unacceptable, the
unacceptable becomes the norm"
“We struggle with getting management
and staff to accept that their behaviour
must be modified in order to improve
security practices.”
[Security Survey Respondent,
Manufacturing industry, Western Europe]

5.
Causes of data loss breaches
DataLossDB.org
http://datalossdb.org/statistics

6.
Most from non-technical errors
Non-Technical breach
Snail-mail
Document disposal
%
Fraud
5
Fraud
%
Technical breach
9
Virus
%
Unknown
1
5
Hacking
7
Web
12
Email
4
Lost media
3
Stolen document
3
Stolen media
2
Lost document
2
Lost tape
2
Lost drive
1
Stolen drive
1
Stolen tape
1
Lost laptop
4
16
Stolen computer
Unknown
%
1
Misc loss/disposal <1%
2
Stolen laptop
19
Totals
58
9
29
Nearly 60% losses due to procedural error, carelessness, failure to adhere to policies etc
4

7.
Human Perceptions of Risk
“Security is both a feeling and a reality. And they’re not the same” Bruce Schneier

8.
How well do we assess risk?
National Safety Council – whole USA statistical averages:
One year odds of dying (USA) as a direct result of:•
Air / space transport accident
1 in
502,554
•
Automobile incident – driver/occupant
1 in
20,331
•
Automobile incident – pedestrian
1 in
48,816
•
Hit by lightning
1 in
6,177,230
•
Flood
1 in
24,708,922
•
Earthquake
1 in
8,013,704
•
Shot by firearm (assault)
1 in
24,005
•
Shot by firearm (self inflicted)
1 in
17,440
•
Some type of accidental trip or fall
1 in
15,085
•
War
1 in
10,981,743
US National Safety Council – Injury Facts 2006: www.nsg.org

9.
Example - Terrorism risk

You are 12,571 times more likely to die from cancer than from a terrorist attack

You are 11,000 times more likely to die in an airplane accident than from a terrorist plot
involving an airplane

You are 1048 times more likely to die from a car accident than from a terrorist attack

You are 404 times more likely to die in a fall than from a terrorist attack

You are 87 times more likely to drown than die in a terrorist attack

You are 13 times more likely to die in a railway accident than from a terrorist attack

You are 12 times more likely to die from accidental suffocation in bed than from a terrorist
attack

You are 9 times more likely to choke to death on your own vomit than die in a terrorist attack

You are 8 times more likely to be killed by a police officer than by a terrorist

You are 8 times more likely to die from accidental electrocution than from a terrorist attack

You are 6 times more likely to die from hot weather than from a terrorist attack
Statistics from a 2004 National Safety Council report, the National Center for Health Statistics, the U.S.
Census Bureau, and 2003 mortality data from the Center for Disease Control

10.
Perceived Vs Actual Risk
• “Security is both a feeling and a reality – and they’re not the same”
–
Bruce Schneier: The Psychology of Security, 2008
• We’re getting close to the truth of this now; or at least a useful
definition
• Million years of evolution
• Finely tuned reptilian brain; instant fight or flight decision, in-your-face
risks
• Sabre tooth tigers, strangers entering camp. Crossing the road.
Modern business?
• Initial stimulus for starting cerebral risk management process is change
• And most changes involve a conscious decision. Note the word
‘conscious’
• so... If you’re not making a decision, there’s no trigger for the risk
process

11.
Why do we get it so wrong?
• People exaggerate spectacular but rare risks and downplay common
risks.
• People have trouble estimating risks for anything not exactly like their
normal situation.
• Personified risks are perceived to be greater than anonymous risks.
• People underestimate risks they willingly take and overestimate risks in
situations they can’t control.
• Last, people overestimate risks that are being talked about and remain
an object of public scrutiny.
•
David Ropeik and George Gray have a longer list in their book “Risk: A Practical Guide
for Deciding What’s Really Safe and What’s Really Dangerous in the World Around You”

12.
Emotional responses to risk
• People focus on the emotionally perceived severity on the outcome,
rather than on its likelihood
• Example: since 9/11 western world preoccupied with terrorism
–
–
–
–
US Homeland security expenditure since 9/11 exceeds 1 trillion dollars
We live under increasing surveillance & security controls / restrictions
Policy is shaped by focusing on worst-case scenarios
Former Sec of Homeland Security Tom Ridge admits pressured to raise
terror alerts to help Bush win re-election
• In the months after 9/11, so many people chose to drive instead of fly
that the resulting deaths dwarfed the deaths from the terrorist attack
itself, because cars are much more dangerous than airplanes.

13.
No personal risk…
Fact: 1 in 5 employees have personally provisioned a cloud service
without IT’s knowledge [1]
–
–
–
–
61% say it’s easier to provision cloud services themselves
50% report it takes too long to go through IT
27% admit company’s policy actually prohibits the cloud services they want
While 60% say they have corporate policies in place that prohibit such
actions, respondents say there are no real deterrents for purchasing cloud
services by stealth.
– In fact, 29% report no ramifications whatsoever & another 48% say it’s little
more than a warning.
– Biggest issue is ¼ of execs don’t have open communication with the depts
& business unit leaders that may be provisioning their own cloud services.
– Enter “cloud sprawl” – the unmanaged spread of public cloud services
inside the enterprise.
[1] Avenade global survey 2011 ¦ 573 C-level execs, BU leaders & IT decision-makers in 18 countries

14.
The Psychology of Why We Don’t Comply
“The simple truth is that people are motivated for their own reasons, not ours"

15.
WIIFM – world’s most listened to station
•
•
•
•
We all listen to it – all the time (you are probably doing it right now)
When we are asked to do something – What’s In It For Me?
Where obvious potential benefit-to-self: its an easy decision
Where no obvious benefit: avoid, put off, refuse, circumvent, argue
– Result: introduction of penalties for non-compliance (reinforces negative
perceptions
• Human brain is bad at processing negative concepts
– DON’T THINK OF DANCING BLUE FROGS!!!
– The DON’T instruction can only be processed after you’ve thought of
dancing blue frogs!
– Tell a child “Mind you don’t spill that glass!”…then 2 minutes later…
• Our security policies and mission are linguistically full of don’t(s) and
negative consequences

16.
Motivation
What motivates people to do or not do certain things?
– All of humankind can be divided into two motivational groupings:
1. People who are primarily motivated by staying away from certain situations and
things;
and
2. Those who are primarily motivated to move towards certain situations and things;
Note: towards-motivated tend to have lower perception of and high tolerance to risk
– Many of us in security and risk management will be of the away from motivated
type: e.g. “we need to avoid that happening, therefore we need to do x”. An awayfrom employee might be thinking more about not getting fired, rather than being
attracted by future success.

17.
Linguistic signals
Towards-motivated types use words such as:
accomplish, attain, obtain, get, achieve, rewards, growth, goals, aim, expand, targets.
Away-from motivated use words like:
security, risk, avoid, steer clear of, prevent, eliminate, solve, fix, get rid of, prohibit.
University of Austin Texas
Information Security Office Mission Statement
•
“The mission of the Information Security
Office (ISO), as required by state law, is
to assure the security of the university's
Information Technology (IT) resources
and the existence of a safe computing
environment in which the university
community can teach, learn, and
conduct research. The ISO collaborates
with campus IT leaders and university
audit, compliance, and legal units to
support the university's teaching,
research, and public service missions”.
Toronto Marketing Group Mission Statement
•
•
“It’s simple: we aim to be the best and we
want to expand globally. We will to
achieve this with an impeccable
reputation and perfect track record for
success in winning client satisfaction”.
“We are targeted with opening the 20
biggest markets in Canada in the next 2
years. Our goal is to have 1000
associates in our company and to have
50 affiliated marketing companies that will
run our campaigns and locations. We will
be working with Clients in Finance,
Telecoms, Business Services, Charities,
Cosmetics, Property , Music…”
Challenge: Couldn’t you rewrite this to read more like this?

18.
Internal vs External (locus of responsibility)
• People who assess their performance via own internal standards/beliefs
or
• Through information/feedback from external sources
– Internal: own internal standards & beliefs, make own judgements on their
work. Don’t accept outside direction & ideas. Don’t give or accept feedback,
may be difficult to supervise.
– External: like being managed & receive outside direction & feedback. Need
to be externally motivated and know how well they are doing.
•
•
Internal types motivated by: “I need your opinion”, “help us decide”
External types motivated by: “others will think highly of you if..”, you will receive
recognition”, “according to the experts..”
– Unmasking question: “How do you know if you have done a good job?”

19.
Options vs Procedures
• Options: this group likes to do things another way. Like bending/breaking the
rules. Start projects but don’t finish them. Explore new possibilities.
– typical roles: fashion designer, inventor, process re-engineering
or
• Procedures: this group need to follow set rules/processes. More concerned
how to do something rather than why.
– typical roles: bookkeeper, commercial airline pilot
•
Options types motivated/ influenced / identified by words such as:
– opportunity, alternatives, break the rules, flexibility, variety, unlimited possibilities,
expand your choices, options.
•
Procedures types motivated / influenced / identified by words such as:
– correct way, tried and tested, first ...then...lastly, proven path, set procedure, follow
this to the letter.

20.
Awareness isn’t working
“Hello”
“Yes?”
“Did you finish the security awareness training?”
“Yes”
“So are you aware now?”
“Yes”
“Ok – thank you. Goodbye”
Unfortunately my co-respondent has significant likelihood of being:
• Towards-motivated (blind to, and unmotivated by away-from concepts like risk)
• Internal (works to their own values & beliefs, doesn’t give feedback)
• Options (breaks or circumvents rules ,doesn’t follow instructions, finds another way)
So yes, they may have done the course – but they probably won’t buy-in or comply with it
Conflicts with their own motivations, value system, modus operandi
“We need to address culture change at the level of people’s motivation and belief systems”

21.
Workshop Group Session 1
Security on the Brain – Workshop Session 1
30 mins
• Warm-up Debate: Discuss and agree a list of 2 well-known celebrities
from the business world who you believe are Towards motivated, and 2
who you believe may be Away-From motivated – and why (5 mins)
• Write a Group Mission Statement for your virtual security team that will
gain senior management attention and support for your security
mission (15 mins)
• Statistically there will be a number of employees who have a Towards
Motivated + Internal + Options profile (!!). From what you’ve learned,
suggest ways of reaching out to and gaining buy-in from these people
(10 mins)

22.
Dirty Tricks (not really)
Leveraging Psychology to Achieve Results
“Case Studies of What Actually Works”
"A Man convinced against his will is of the same
opinion still."
— Benjamin Franklin

23.
I’m better than you!
•
•
•
•
•
•
•
•
Online training & testing campaign
– major insurer
Final knowledge test – user
informed of pass/fail result
Usual user apathy/resistance
Added personalised, printable pdf
‘diploma’ for successful pass
Then… we added more information
to the certificate!
Specifically, the percentage pass
score.
1000 staff rushed to take the test on
the same day - and the testing
server crashed!
Eureka moment #1: People can’t
help competing with each other

24.
I wanna be first – certainly not last!
•
•
•
Implemented security awareness & compliance system – user acceptance / tests
Employees can see % progress
Managers can see progress of their staff
•
•
Useful improvement in levels of compliance: particularly as managers can view
With towards-motivated Vs away-from trait in mind: added benchmarking display
(shows how each user is performing against average of their peers)
•
•
Eureka moment #2! Employees rushed to comply more than their colleagues.
Effect of ‘ratcheting-up’ compliance to 100% within days

25.
Divide & conquer: Psycho-linguistically
•
•
•
•
•
•
Notice how some words seem to
‘work’ and others don’t?
We’ve already seen how different
words will register or appeal to
different types (e.g. toward, away-from)
We’ve also seen how certain job
roles will attract personality types
At the risk of generalising; appeal to
those character types by role
Select wording and values that work
for particular character types
Include motivators (positive &
negative) and word to best
influence each personality type
Make Compliance Role-Based
Word policies etc to
appeal to specific char
types
Map char types to most
likely roles
Add Role-Based Guidance
Map guidance to
mandates – use words
that motivate that type
Opportunity to make
guidance more useful /
understandable
Embed Motivators
Results-driven incentives
to comply, excel, achieve
Risk-driven
consequences for ‘do
nothing’, ‘avoid’, ‘breach’

26.
Surfing the Indignation
• Organisations don’t think about security incidents – until they have one!
• Management attention quickly subsides after cleaned up
– evidence from series of risk assessment workshops
– demonstrates phenomenon of short-term corporate memory…
• Use this small window of opportunity to get what you want
– pre-prepare projects, proposals, endorsements ready when window opens
– Incidents are great opportunity to improve processes, controls, culture
– I coined the phrase ‘Surfing the Indignation” for increasing profile of
information security while management attention is still on the issue

27.
Workshop Group Session 2
Security on the Brain – Workshop Session 2
30mins
• Group discussion point: In your respective organisations, where do you
believe your most influential target audience sits? (15mins)
– E.g. what group, function or person will you target with your key message
in order to:
• Gain the most powerful support, endorsement, backing, funding?
• Change the overall perception of your security team and its value?
• Achieve best possible communication (attention + acceptance) of your security
message across the organisation?
• Reach a good level of staff compliance with your policies/procedures across the
whole business
• Given our new insight into the differences between actual risks and
perceived ones, how will you improve the ways you measure, prioritise
and communicate risk awareness across the business? (15 mins)

28.
Selling the Unsellable
“Lessons from other sectors”

29.
Management attitudes (actual!)
• “We don’t measure or catalogue our risks, because then we’ll have to do
something about them”
• “We don’t have any security policies. Our staff don’t like them”
• “We perform hundreds of risk assessments a year and just store the
results”
• “We keep the results within the group. We don’t want senior
management on our backs if they saw how bad it is”
• “We have a well-used business impact assessment process,
unfortunately nearly all our systems appear in the red category so we
don’t have a means of deciding which ones are highest priority”
• “We’ve adjusted the risk process so it shows fewer things as critical”

30.
Lessons from the Insurance industry
• Years ago Insurance was hard
to sell. It was all doom and
gloom, complicated and difficult
to buy (sound familiar?)
• The landscape has changed:
insurance now legal
requirement if you drive &
cannot get mortgage without it
• So now we sell the upside:
faster to buy into, best price,
visually entertaining, more
options…
• So…perhaps we could learn
something here?

31.
Conclusions
• Its people not just technology that needs patching
• It’s a people problem & people fall into defined personality groups.
Understand what motivates and how to communicate with each type
• Use role-based policies and awareness as a means of targeting each
personality type with motivators tailored to that group
• Make security function ‘towards-motivated’ – not just ‘away-from’
motivated. Combine towards and away-from to maximum effect
• Get a neurolinguistic makeover – put a positive spin on your messages
• If you are selling fear – make it graphic and hard-hitting
• If you are selling a necessary chore – make it easier to buy into
• Ideally don’t sell either – sell benefits, cost savings, efficiency

32.
Crisis – or Opportunity?
Weiji [way-jhee], modern Chinese for "crisis"
"The word "crisis" is composed of two characters:
One represents danger, and the other represents
opportunity.

33.
Final Thoughts
 Raise your horizons…
 Embrace the new opportunities…
 But hey – be careful out there!

34.
Suggested Reading

35.
adrian.wright@issa-uk.org
adrian.wright@secoda.com
44 (0)8456 4 27001

36.
U.S. Centers for Disease Control Report
Keep in mind when reading this entire piece that we are consistently and substantially understating the
risk of other causes of death as compared to terrorism, because we are comparing deaths from various
causes within the United States against deaths from terrorism worldwide.