Using Behavioral Science to Secure Your Organization
Download as PPTX, PDF0 likes348 views
The document discusses using behavioral science to improve security practices within organizations by transforming security behaviors from obligations to motivations. It emphasizes the importance of understanding human factors in security breaches and outlines a behavior change model that combines motivation, ability, and triggers to effectively influence security habits. Key strategies include setting behavior goals, reinforcing positive motivation, and utilizing real-world events to encourage security awareness and reporting.
Using Behavioral Science to Secure Your Organization
- 1. 1 Using Behavioral Science To Secure Your Organization Masha Sedova [email protected] Co-founder, Elevate Security
- 2. 2 Built and ran Salesforce trust engagement team Passionate about transforming security behaviors from “have to” to “want to” Co-Founder, building security behavior change platform About Me Computer security meets behavioral science
- 3. 3 Opinion A: Users Are Dumb ...and will always make mistakes
- 4. 4 Opinion B: It’s Us, Not Them “People are the weakest link in security is a comfortable excuse to lean on when it should be a rallying cry to change the status quo.” Jessie Irwin, security researcher
- 5. 5 Historically, the industry solution has been to insist on terrible “check the box” trainings as an employee’s only defense. Training Alone Doesn’t Work 15% Retention 95% of breaches are caused by human factors.
- 7. 7
- 8. 8 Behavioral Science + Security = How humans make (security) decisions and how security folks can help.
- 9. 9 What are your key behaviors?
- 10. 10 What Does Security Awareness Mean To Your Organization? Make less security mistakesEmbed security into everything they do Have more security common sense Be more vigilant
- 11. 11 Set Behavior Goals, Not Mindset Goals Reduction of bugs in our code base by 30% over the next quarter. 90% of new process created by the finance team have a security control in place. Phishing click-through rates drop by 50% Reporting rate increases by 300% in 6 months
- 13. 13 Behavior Change Model By Dr. Bj Fogg
- 14. 14 Ability
- 15. 15 Behavior Change Model By Dr. Bj Fogg
- 16. 16 Security Action Can Be Simplified Having secure passwords for all sites Reporting suspicious activity Stop tailgating Remember 20 unique characters across 40+ sites Install a password manager Look up correct email, reporting guidelines & send Install a “Report” button Social Accountability Install a man-trap or in/out badging HARD EASY
- 17. 17 Education Theory: Improves understanding of a concept and therefore increases the ability to perform that behavior. Practice: Not all education is created equal. “In theory there is no difference between theory and practice. In practice there is.” -Yogi Berra
- 18. 18 Education Pitfalls Demand more of your trainings! 1. Does it have the intended goal? 2. Relevant and needed? 3. Timely?
- 19. 19 Motivation
- 20. 20 What about things that are hard to do? By Dr. Bj Fogg
- 21. 21 When Does Motivation Occur? Hard things require high motivation.
- 22. 22 Naturally Occurring Motivation MOTIVATION TIME EVENT MOTIVATION TIME EVENT Predictable Events Unpredictable Events ▪ Audits ▪ Red Team exercises ▪ Breaches ▪ Incidents ▪ News events
- 23. 23 Good leaders seizes crises to remake organizational habits. Charles Duhigg, The Power Of Habit
- 24. 24 What Motivates Us? “People will do things because they matter, they are interesting, part of something more important. “ Daniel Pink, Drive Pride Interest Achievement Curiosity Praise Punishment Money
- 25. 25 5:1Positive to Negative exchanges Positive vs Negative Motivation
- 26. 26 Competition How to Create Positive Motivation Altruism Access AchievementStatus
- 27. 27 Competition How to Create Positive Motivation: Status Altruism Access AchievementStatus Leaderboards Top performer award
- 28. 28 Competition Capture the Flag Bug Bounties How to Create Positive Motivation: Competition Altruism Access AchievementStatus
- 29. 29 Competition How to Create Positive Motivation: Altruism Altruism Feedback on impact Champion Programs Access AchievementStatus
- 30. 30 Competition How to Create Positive Motivation: Access Altruism Access Awarded points Access to exclusive swag AchievementStatus
- 31. 31 Competition How to Create Positive Motivation: Achievement Altruism Access Achievement Recognition emails Company-wide shoutouts Status
- 32. 32
- 33. 33 Market Norms Assigning a monetary value to an exchange Social Norms The actions among friends that are not based on money. Dan Ariely, PhD Predictably Irrational
- 34. 34 Triggers
- 35. 35 Communications (aka Triggers) 36.5 million adults in the United States currently smoke cigarettes
- 38. 38 Lessons Learned in Changing Tailgating Behavior Goal: To ensure that people wore their badges visibly at all times while in secured spaces and not allow unbadged person tailgate behind them. Assumption: People didn’t know that this was policy. Bring “awareness” to them via digital posters ● Passive education ● Very limited results
- 39. 39 Lessons Learned in Changing Tailgating Behavior Root cause analysis of the behavior. This is what we learned: ○ “I don’t feel comfortable confronting my peers.” (Ability + Motivation) ○ “Tailgating isn’t really a big problem, right?” (Motivation) ○ “I broke my badge pull reel and don’t have a replacement, so I keep my badge in my wallet.” (Ability)
- 40. 40 Creating a Phishing & Reporting Behavior Change Campaign Goal #1: Reducing the percentage of malicious links that are clicked in a phishing email campaign to be 12% or less as an average across all difficulty types of phishing email. Goal #2: At least 20% of recipients of an attack report it to security, regardless of the difficulty of the attack.
- 41. 41 Phishing Campaign Model ● Case studies of phishing related breaches ● Leaderboard of top reporters ● Thank you emails to employee + managers ● Kudos of breach-prevention on company call. ● Reporter button ● Safe sender ● Detection skills ● Phishing practice
- 42. 42 Takeaways ■ Motivation is required when something is hard to do. ■ First- make it easy with technology. Second- rely on motivation. ■ Leverage naturally occurring events for motivation. ■ Connect intrinsic motivations to security motivation. ■ Negative feedback should be balanced with positive motivation. ■ Use triggers in the moment they are needed.
- 43. 43 Comments? Questions? Let’s stay in touch! @modMasha [email protected]