“This is one piece of the puzzle that we rarely think about.”

My colleague and I just finished presenting at the Center for Medicare and Medicaid Services’ Security Control Oversight & Update Training (CSCOUT) conference. This might seem an unusual place for a behavioral change management practitioner, but the topic of cyber security and human behavior is neither new nor unusual. Attackers have exploited human behavior since long before the digital age, and as the number of security breaches has risen, so too has the prominence of these behavioral techniques. In the last two years both spear phishing and social engineering have jumped to the very top of the list of causes of security breaches. Most of the cyber security vendors who attended the conference made it clear to us: human behavior should be one of the main concerns when it comes to cyber security.

The psychology of security is of great interest to both hackers and security professionals. For the last decade, security engineers have focused on behavioral science and the psychology of risk in an attempt to design their technology better; for example, warning messages are carefully crafted to counteract our habit of clicking the OK button just to get a task done on the computer. Hackers, meanwhile, have been exploiting insiders’ behavior to deceive them and gain access to company data. I personally have witnessed the powerful results that can come from a focus on behavior. So, what are organizations doing about human behavior?

Investing in more technology seems to be the common theme. Some have taken the next step of requiring security awareness training. However, the steady increase in security breaches shows that these initiatives are not enough to reduce human error. In fact, a technology-only, hands-off compliance approach will often drive the wrong behavior. People have demonstrated that they will often choose what’s “convenient” over what’s “best”. If companies want to protect their data, they are going to need a plan for driving consistent, cyber-aware behavior.

It takes more than willpower to maintain consistency. Unlike technology investment and awareness training, a focus on behavioral change requires a more thoughtful approach. Security professionals must identify what will motivate users and activate them to be the organization’s first line of defense. It’s not enough to set rules for people to follow or to outline punishments. You have to explain why these rules exist and effectively train your audience on how to respond to highly sophisticated attacks. You have to demonstrate and reinforce their importance.

I was visiting a doctor’s office last month and noticed some security awareness posters on the walls. Then I watched the staff as they were absorbed in their daily tasks and wondered how often these posters get looked at. It reminded me of an experiment that was conducted at a government-owned health insurer to test the employees’ level of resilience when faced with social engineering attempts. The test was not advertised and started with simulated attacks in which someone pretended to be an ER doctor looking to access a patient’s information “immediately.” During the initial week of testing, thirty attacks were successful: the employees granted the caller access to the information despite having previously been trained on data privacy. Most failures were attributed to external factors such as multitasking or the anxiety generated by the “urgency” of the caller’s request. While the workers were aware that social engineering attacks are possible, they failed to take appropriate measures to prevent data loss.

This is why it’s so important to take a more innovative approach when it comes to cyber security. A poster on the wall or a one-time awareness training will not change behavior. Risk-mitigating behaviors must become automatic, like a reflex, so they are not forgotten when the pressures of the job escalate. The company’s first line of defense is the employee.

So how can you shape behavior in your organization? This is where your Behavioral Change Management practitioner can put his or her knowledge into practice. Armed with an understanding of the psychology of risk and mastery of a multi-disciplinary change practice, he or she will help users transition from “being aware” to “being owners” of the safety of your data and assets. Only then will cyber security become everyone’s responsibility. For a fraction of what security technologies cost, you will be able to acquire your first – and quite often most effective – layer of cyber resilience: your own employees.