For decades security awareness programs have been based on the assumption that employees don’t know the correct course of action and with the right training, they will start performing more securely. However, this approach has not proven to be effective. A second dimension needs to be considered in security behavior change: motivation. This talk will explore how and when to motivate employees to security action. It will also discuss how to “surf” motivation generated by both predictable and unpredictable security events to drive security behavior change in a workforce. Finally, this talk will explain how to measure changes in employees’ security behaviors and how practitioners can create meaningful metrics. This was the keynote for Source Boston 2018.
Using Behavioral Science to Secure Your Organization
Slide 1
Using Behavioral Science To Secure Your Organization
Masha Sedova
Masha@ElevateSecurity.com
Co-founder, Elevate Security
Slide 2
About Me
● Built and ran Salesforce trust engagement team
● Passionate about transforming security behaviors from “have to” to “want to”
● Co-Founder, building security behavior change platform
Computer security meets behavioral science
Slide 4
Opinion B: It’s Us, Not Them
“People are the weakest link in security is a comfortable excuse to lean on when it should be a rallying cry to change the status quo.”
Jessie Irwin, security researcher
Slide 5
Training Alone Doesn’t Work
Historically, the industry solution has been to insist on terrible “check the box” trainings as an employee’s only defense.
15% retention
95% of breaches are caused by human factors.
Slide 10
What Does Security Awareness Mean To Your Organization?
● Make fewer security mistakes
● Embed security into everything they do
● Have more security common sense
● Be more vigilant
Slide 11
Set Behavior Goals, Not Mindset Goals
● Reduction of bugs in our code base by 30% over the next quarter.
● 90% of new processes created by the finance team have a security control in place.
● Phishing click-through rates drop by 50%.
● Reporting rate increases by 300% in 6 months.
Slide 16
Security Action Can Be Simplified
Each behavior has a HARD way and an EASY way to achieve it:
Having secure passwords for all sites
  HARD: Remember 20 unique characters across 40+ sites
  EASY: Install a password manager
Reporting suspicious activity
  HARD: Look up correct email, reporting guidelines & send
  EASY: Install a “Report” button
Stop tailgating
  HARD: Social accountability
  EASY: Install a man-trap or in/out badging
Slide 17
Education
Theory: Improves understanding of a concept and therefore increases the ability to perform that behavior.
Practice: Not all education is created equal.
“In theory there is no difference between theory and practice. In practice there is.”
-Yogi Berra
Slide 24
What Motivates Us?
“People will do things because they matter, they are interesting, part of something more important.”
Daniel Pink, Drive
● Pride
● Interest
● Achievement
● Curiosity
● Praise
● Punishment
● Money
Slide 33
Market Norms: Assigning a monetary value to an exchange.
Social Norms: The actions among friends that are not based on money.
Dan Ariely, PhD, Predictably Irrational
Slide 38
Lessons Learned in Changing Tailgating Behavior
Goal: To ensure that people wore their badges visibly at all times while in secured spaces and did not allow an unbadged person to tailgate behind them.
Assumption: People didn’t know that this was policy.
Bring “awareness” to them via digital posters
● Passive education
● Very limited results
Slide 39
Lessons Learned in Changing Tailgating Behavior
Root cause analysis of the behavior. This is what we learned:
○ “I don’t feel comfortable confronting my peers.” (Ability + Motivation)
○ “Tailgating isn’t really a big problem, right?” (Motivation)
○ “I broke my badge pull reel and don’t have a replacement, so I keep my badge in my wallet.” (Ability)
Slide 40
Creating a Phishing & Reporting Behavior Change Campaign
Goal #1: Reducing the percentage of malicious links that are clicked in a phishing email campaign to be 12% or less as an average across all difficulty types of phishing email.
Goal #2: At least 20% of recipients of an attack report it to security, regardless of the difficulty of the attack.
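The two goals above, and the "click-through drops by 50%" and "reporting increases by 300%" behavior goals from the earlier slide, are only useful if they are computed the same way every time. The following is an added example, not code from the talk or from Elevate Security, showing one way to score a phishing simulation against those goals. The per-recipient record layout (campaign, difficulty, clicked, reported) and the campaign numbers are constructed assumptions for illustration. Goal #1 is read as an unweighted average of the click rate per difficulty type; Goal #2 is read as "every difficulty type reaches 20%", since it is stated regardless of difficulty. Rates are kept as exact fractions so that a campaign sitting exactly on the 12% line is judged correctly rather than tipped over by floating-point rounding.

```python
from fractions import Fraction


def make_records(campaign, difficulty, sent, clicked, reported):
    """Expand campaign counts into one record per recipient (constructed data,
    not real results): the first `clicked` recipients clicked the link and the
    first `reported` recipients reported the email. A recipient may do both."""
    return [
        {"campaign": campaign, "difficulty": difficulty,
         "clicked": i < clicked, "reported": i < reported}
        for i in range(sent)
    ]


# Constructed sample: two quarterly campaigns, three difficulty levels each,
# 100 recipients per difficulty. All numbers are invented for illustration.
RESULTS = (
    make_records("Q1", "easy", 100, 20, 10)
    + make_records("Q1", "medium", 100, 30, 8)
    + make_records("Q1", "hard", 100, 40, 5)
    + make_records("Q2", "easy", 100, 8, 30)
    + make_records("Q2", "medium", 100, 12, 25)
    + make_records("Q2", "hard", 100, 16, 20)
)


def rates_by_difficulty(results, campaign):
    """Return {difficulty: (click_rate, report_rate)} for one campaign.
    Fractions keep the arithmetic exact, so a rate of exactly 12% is not
    pushed over the threshold by floating-point rounding."""
    sent, clicked, reported = {}, {}, {}
    for r in results:
        if r["campaign"] != campaign:
            continue
        d = r["difficulty"]
        sent[d] = sent.get(d, 0) + 1
        clicked[d] = clicked.get(d, 0) + r["clicked"]
        reported[d] = reported.get(d, 0) + r["reported"]
    return {d: (Fraction(clicked[d], sent[d]), Fraction(reported[d], sent[d]))
            for d in sent}


def evaluate_goals(results, campaign, max_avg_click_pct=12, min_report_pct=20):
    """Goal #1: average click rate across difficulty types <= 12%.
    Goal #2: report rate >= 20% for *every* difficulty type, not just overall,
    because the goal is stated 'regardless of the difficulty of the attack'.
    Thresholds are integer percentages so the comparison stays exact."""
    rates = rates_by_difficulty(results, campaign)
    avg_click = sum(c for c, _ in rates.values()) / len(rates)
    worst_report = min(rp for _, rp in rates.values())
    return {
        "avg_click_pct": float(avg_click * 100),
        "worst_report_pct": float(worst_report * 100),
        "goal1_met": avg_click * 100 <= max_avg_click_pct,
        "goal2_met": worst_report * 100 >= min_report_pct,
    }


def behavior_change(results, before, after):
    """Relative change of the overall click and report rates between two
    campaigns, in percent (negative = decrease). This is the shape of the
    'click-through drops by 50%' and 'reporting increases by 300%' goals."""
    def overall(campaign):
        recs = [r for r in results if r["campaign"] == campaign]
        n = len(recs)
        return (Fraction(sum(r["clicked"] for r in recs), n),
                Fraction(sum(r["reported"] for r in recs), n))
    c0, r0 = overall(before)
    c1, r1 = overall(after)
    return {
        "click_change_pct": float((c1 - c0) / c0 * 100),
        "report_change_pct": float((r1 - r0) / r0 * 100),
    }


if __name__ == "__main__":
    for campaign in ("Q1", "Q2"):
        print(campaign, evaluate_goals(RESULTS, campaign))
    print("Q1 -> Q2", behavior_change(RESULTS, "Q1", "Q2"))
```

With the constructed data, Q1 misses both goals (30% average click rate, 5% reporting on hard emails), while Q2 lands exactly on the 12% click threshold and reaches 20% reporting even on the hardest emails, so both goals count as met. Between the two campaigns the overall click rate falls by 60% and the overall report rate rises by about 226%, which is how the earlier "drop by 50%" and "increase by 300%" goals would be tracked quarter over quarter. Reading Goal #2 per difficulty type rather than as one pooled rate matters: a pooled 25% could hide a hard-email reporting rate well under 20%.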
Slide 41
Phishing Campaign Model
Motivation:
● Case studies of phishing related breaches
● Leaderboard of top reporters
● Thank you emails to employee + managers
● Kudos of breach-prevention on company call.
Ability:
● Reporter button
● Safe sender
● Detection skills
● Phishing practice
Slide 42
Takeaways
■ Motivation is required when something is hard to do.
■ First, make it easy with technology. Second, rely on motivation.
■ Leverage naturally occurring events for motivation.
■ Connect intrinsic motivations to security motivation.
■ Negative feedback should be balanced with positive motivation.
■ Use triggers in the moment they are needed.