Behold the powers of behavioral alchemy! Are you ready to unleash 4 "Trojan Horses for the Mind" that will change the way you communicate forever? How about a magic wand that will help manifest secure behaviors and shape culture? Attend this session and harness the power.
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry Carpenter
1. How to Become a Security Behavior Alchemist
Perry Carpenter, MSIA, C|CISO
2. Security Awareness and Secure Behavior are NOT the Same Thing
Traditional awareness programs fail to account for the knowledge-intention-behavior gap…
3. Agenda
1. Why behavior?
2. How can you model and design secure behaviors to help shape good security hygiene?
3. How can you debug behavior?
4. Agenda
1. Why behavior?
2. How can you model and design secure behaviors to help shape good security hygiene?
3. How can you debug behavior?
5. There are Three Realities of Security Awareness
Just because I’m aware doesn’t mean that I care.
If you try to work against human nature, you will fail.
What your employees do is way more important than what they know.
11. System 1 vs. System 2: an Example
A bat and a ball cost $1.10.
The bat costs $1.00 more than the ball.
How much does the ball cost?
12. System 1 vs. System 2: an Example
Did you say that the ball costs ten cents? If so, you were just a victim of System 1.
Here’s what System 1 gets you:
Total cost: $1.10
Minus ball cost: $0.10
Equals bat cost: $1.00
13. System 1 vs. System 2: an Example
But remember: the bat costs $1.00 more than the ball.
Bat cost: $1.00
Minus ball cost: $0.10
Equals: $0.90
Warning: blindly following System 1 can be hazardous.
19. http://behaviormodel.org
Behavior happens when three things come together at the same time: Motivation, Ability, and a Prompt to do the behavior…
BJ Fogg is the father of a field now referred to as “Behavior Design.”
ciso.eccouncil.org
20. Get Specific:
1. What behaviors, if adopted, would have the most security benefit for our organization?
2. Is this a group of behaviors, or is this a single behavior?
3. Is this a behavior that we have the appetite to take on right now?
21. Designing Behavior (A Non-Security Example)
Fogg Behavior Model Component / Description
Behavior (B): What specific behavior do we want someone to do?
• Drink a glass of water
Motivation (M): What types of things might motivate someone to perform the B?
• They could be thirsty
• They might want social acceptance (everyone else is doing it)
• They might want to avoid offending the person offering them water
• They believe that there are positive health benefits associated with staying hydrated
• Etc.
Ability (A): What types of things must someone already be able to do or know to successfully perform the B?
• A glass of water is available to the person or can be obtained with little effort
• The person’s mouth is not taped shut
• The person is not asleep or otherwise incapacitated
• Etc.
Prompts (P): What types of things can cue the B?
• The person noticing that they are thirsty
• Someone offers the person a glass of water
• The person receives a prompt from a health app reminding them to drink
• Etc.
23. Learn from Marketers and Storytellers to Influence Motivation
24. Nudge your audience toward the behavior
“A nudge, as we will use the term, is any aspect of the choice architecture that alters people's behavior in a predictable way without forbidding any options or significantly changing their economic incentives. To count as a mere nudge, the intervention must be easy and cheap to avoid. Nudges are not mandates. Putting fruit at eye level counts as a nudge. Banning junk food does not.”
Nudge: Improving Decisions About Health, Wealth, and Happiness, 2008
25. Nudging: A Security Example
Your password change portal is a great place to insert a nudge:
• Strength Meters
• Videos on how to create & remember strong passwords
• Elective LMS modules
• etc.
26. Design Power Prompts Where Possible
A power prompt is a prompt that the user receives that also contains something intended to increase motivation, make the behavior easier, or both.
27. Designing Behavior (A Security Example)
Fogg Behavior Model Component / Description
Behavior (B): What specific behavior do we want someone to do?
• Choose a good password
Motivation (M): What types of things might motivate someone to perform the B?
• They understand and appreciate the value of choosing a good password
• They feel empowered by choosing a good password
• They feel more secure by choosing a good password
• They are afraid that their current password has been (or might be) compromised due to its simplicity
• They feel pressure to create a better password because the organization is monitoring strength
Ability (A): What types of things must someone already be able to do or know to successfully perform the B?
• The person has the required knowledge of how to construct a password that is both strong and memorable
• The person has tools that will help them construct a password that is both strong and memorable
• The person has tools that will choose a strong password and remember that password for them
Prompts (P): What types of things can cue the B?
• The person just feels like changing their password
• The person receives notification that it is time to change his/her password
• The person is locked out of his/her account because they forgot their current password
• The organization issues a forced password reset
• The person receives a security tip that has advice on how to create and remember a good password
• The person forgot their current password and is about to perform a password reset
• The person receives a notification that his/her account was breached, and hackers may have accessed the password
28. Phishing / Automated Social Engineering Testing
Plan like a Marketer. Test like an Attacker.
[Campaign calendar: channels plotted over time]
Channels: Executive Message/Video, LMS Modules (recurring), Newsletter (recurring), Digital Signage – Theme 1, Digital Signage – Theme 2, Department Manager Message, Security Town Hall
29. Agenda
1. Why behavior?
2. How can you model and design secure behaviors to help shape good security hygiene?
3. How can you debug behavior?
31. Debugging Problem Behaviors
Prompt:
• Are we prompting for the behavior? If not, prompt for the behavior.
• If so, are the prompts designed effectively?
• Have the prompts become ‘invisible’ through overuse?
• Are the prompts occurring through an optimal channel?
• Can we create a power prompt?
Ability:
• Is the behavior still too hard?
• Is there any way to make the behavior easier? Perhaps through tools, additional training, etc.?
• Is this behavior even something most humans can do consistently?
• Is there a time that the behavior feels easier or more achievable than other times?
• Can we embed something within the prompt that will reduce the real (or perceived) time, complexity, or effort required to do the behavior?
Motivation:
• What factors might enhance or erode emotion at the time of behavior?
• Are there times when someone may feel more naturally motivated to do the behavior?
• Is there a way to make the behavior feel more meaningful?
• Are there social, environmental, or other factors that can be leveraged to provide intrinsic or extrinsic motivation?
• Can we place a motivational boost within the prompt?
I’m aware of a ton of things that I don’t care about!
Your awareness program shouldn’t focus only on information delivery. There are plenty of things that most of us are aware of – but we just don’t care about those things. Because of this, if the underlying motivation for your program is to reduce the overall risk of human-related security incidents in your organization, you need to incorporate behavior management practices. Most of my thinking about behavior management is heavily influenced by the research of BJ Fogg, who heads up the Persuasion Tech Lab at Stanford University. Fogg’s research has influenced technology companies around the world who seek to create engaging experiences for their users and drive specific behaviors. His behavior model and his work on habit creation are located here (http://behaviormodel.org/) and here (http://tinyhabits.com/).
I realize that most readers won’t have time to dig into the deeper details of behavior management and create their own unique programs. Don’t lose heart! Simulated phishing platforms – like the one offered by my company, KnowBe4, as well as a few others in the market – distill some of the fundamentals of behavior management into an easy-to-deploy platform that allows you to send simulated social engineering attacks to your users and then immediately initiate corrective and rehabilitative action if the user falls victim to the simulated attack. Do this frequently, and you will see dramatic behavior change!
http://captology.stanford.edu/about/about-bj-fogg.html
Group 1: Sufficient Motivation and Sufficient Ability
Group 1 is a no-brainer (though with this behavior, it will likely be a small group). You just need to prompt them, and they will do the behavior. But you need to ensure that your prompts will be received by the group and are effective. So, you still don’t want to take prompt design for granted. Use more than one style of prompt across multiple channels, if possible. For instance: email notifications, intranet banners, desktop popup notifications, etc.
Group 2: Sufficient Motivation, Lacking in Ability
Group 2 gets a bit more complicated. You’ve got people who have sufficient motivation, but they lack the ability to create and remember a good password. This is likely the majority of your organization. They want to do the right thing, but they feel like the process is scary, cumbersome, or they simply don’t know how. With this group, your job is to find ways to make creating and remembering a good password easier. And there are only a few ways to do so. Remember the barrel of rocks example and how that applies to security? I mentioned four (well, actually five) options:
1. Train them (strengthen their ability) so that the behavior is no longer difficult, onerous, or scary
2. Provide them with tools that assist with the behavior
3. Help them accomplish the behavior
4. Make the behavior easier or smaller
5. Do the behavior for them
Here’s how that would look. I can both train them and help them accomplish the behavior if I place just-in-time training on the password change page. The training would be timely and relevant, thus more easily remembered. This could be a combination of information (how to do it) and training (ways to practice, including real-time feedback). I could also include a just-in-time tool, like a password strength meter to help nudge people into the behavior, while also providing a bit of motivation. Of course, there are ways we might make this even easier, but I’m saving those for our discussion of Group 4.
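The just-in-time strength meter described for the password change page (and listed as a nudge on the "Nudging: A Security Example" slide) can be built as a small piece of client-side script. The block below is an added example, not code from the talk or from KnowBe4: it scores a candidate password, returns specific, actionable feedback (the "power prompt" part: every message says how to make the behavior easier), and never blocks submission (the "nudge" part: no option is forbidden). The element ids, the scoring thresholds, and the short list of common passwords are assumptions made for the example.

```javascript
// Added example (not from the talk or from KnowBe4): a just-in-time password
// strength meter for a password change page. It advises but never blocks.
// Element ids, thresholds and the word list below are assumptions.

// Constructed sample of very common passwords. A real deployment would check
// against a large breached-password list instead (assumed to be supplied server-side).
const COMMON_PASSWORDS = new Set([
  "password", "123456", "qwerty", "letmein", "welcome", "iloveyou", "admin",
]);

const LABELS = ["very weak", "weak", "fair", "strong", "very strong"];

// Size of the character set an attacker would have to search.
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33; // printable ASCII punctuation and space
  return size;
}

// True for runs such as "aaa" and for four-character sequences such as "abcd" or "4321".
function hasRepeatOrSequence(pw) {
  if (/(.)\1{2,}/.test(pw)) return true;
  const codes = Array.from(pw.toLowerCase(), (c) => c.codePointAt(0));
  for (let i = 0; i + 3 < codes.length; i++) {
    const step = codes[i + 1] - codes[i];
    if (Math.abs(step) !== 1) continue;
    if (codes[i + 2] - codes[i + 1] === step && codes[i + 3] - codes[i + 2] === step) return true;
  }
  return false;
}

// Scores a candidate password 0..4 and returns feedback the user can act on.
function assessPassword(pw) {
  if (pw.length === 0) {
    return { score: 0, bits: 0, label: LABELS[0], feedback: ["Type a passphrase to see how strong it is."] };
  }
  const feedback = [];
  let bits = pw.length * Math.log2(charsetSize(pw));

  // "Password123!" is still "password": strip trailing digits/symbols before the dictionary check.
  const base = pw.toLowerCase().replace(/[^a-z]+$/, "");
  if (COMMON_PASSWORDS.has(base)) {
    bits = Math.min(bits, 10);
    feedback.push("This is built on one of the most common passwords, so it is guessed first. Start from an unusual phrase instead.");
  }
  if (hasRepeatOrSequence(pw)) {
    bits *= 0.5;
    feedback.push("Repeated or sequential characters are guessed quickly. Replace them with words you will remember.");
  }
  if (pw.length < 12) {
    feedback.push(`Length helps most: ${12 - pw.length} more characters, e.g. a second word, make it far harder to guess.`);
  }

  const score = bits < 28 ? 0 : bits < 40 ? 1 : bits < 60 ? 2 : bits < 80 ? 3 : 4;
  if (score >= 3 && feedback.length === 0) {
    feedback.push("Good choice. A password manager can remember it for you so you never have to.");
  }
  return { score, bits: Math.round(bits), label: LABELS[score], feedback };
}

// Browser wiring (assumption: the page has <input id="new-password"> and <div id="meter">).
// The meter only advises; the form submits regardless of the score.
function attachMeter(doc = globalThis.document) {
  if (!doc) return false; // not running in a browser (e.g. under Node)
  const input = doc.getElementById("new-password");
  const meter = doc.getElementById("meter");
  if (!input || !meter) return false;
  input.addEventListener("input", () => {
    const result = assessPassword(input.value);
    meter.dataset.score = String(result.score);
    meter.textContent = `${result.label}: ${result.feedback.join(" ")}`;
  });
  return true;
}

attachMeter();
```

The meter updates on every keystroke, so the training arrives at the moment the behavior is performed, and the "strong" message points the user at a password manager, which is the tool-based option the Group 4 discussion recommends.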
Group 3: Lack of Motivation, Sufficient Ability
Group 3 consists of people who have the requisite ability but lack motivation. We’ve discussed the inherent difficulties in addressing motivation. Your Group 3 people, in this scenario, are likely pressed for time, have too much on their mind, or just don’t feel like they can be bothered. For this group, you should consider tactics like nudging, creating social expectations, and so on. Your best bet here would be to take a multifaceted approach. Use a combination of nudges and power prompts to increase motivation. The prompt should be positive, encouraging, and remind them that the behavior is easy. The prompt can also include a link to the password change page that includes all of the nudges and tools that we set up for Group 2. So now, the behavior is easy, fast, and the person feels supported and encouraged. This increases the likelihood that they will engage.
Group 4: Lack of Motivation and Lack of Ability
Group 4 is difficult. They lack motivation, and they don’t have the ability to perform the behavior even if they did. If you want to get them to perform the behavior, you’ll have a lot of work and possible frustration ahead. Your options are to simultaneously dramatically decrease the effort involved in the task, provide training support, and encourage -- or threaten -- them until they do the behavior. Or, you can go with a combination of options 2 and 5 from above, which is (you guessed it) give them a password manager (like 1Password, Dashlane, KeePass, or LastPass) that can automate the creation of strong passwords and will remember the password on their behalf.