Security Training – Unlearning and Relearning Routines

Today I had a chance to conduct a podcast with Professor Angela Sasse, someone I’ve had the pleasure of getting to know in my couple months at OutThink. Beyond being our scientific advisor, Angela also advises the UK’s National Cyber Security Centre (NCSC) and the EU Agency for Cybersecurity (ENISA). Angela is also the Director of the multidisciplinary UK Research Institute for Science of Cyber Security (RISCS), a professor at two major European universities and has overseen over 30 Ph.D. students to successful defense of their dissertations. Needless to say, every time I speak to Angela I get to learn something new, which, back to my earlier point, makes it an absolute pleasure.

For our podcast, we started with a great story of how Angela got pulled into studying the human factors of cybersecurity. It all started with pesky passwords: a telecom company in the 1990s whose internal support center for helping people reset their passwords had grown to 100 staff. That's an awful lot of expense. Their question to the new professor: why can't these "stupid users" remember their passwords? Relatable question!

Like any good professor, Angela is an entertaining speaker. She told us a lot in those first minutes about the cost of that call center, the survey she ran and people’s willingness to give her feedback about their difficulties, the stiff password requirements and the extent to which these passwords turned out to cause friction for everyday work. This set the tone for a highly interactive session, where at least a dozen listeners also contributed comments and questions.

I’ll save the reader from having to plow through a summary of all points we covered in the podcast, and they are too numerous to document anyway. The one point I finally grasped from today’s chat was the reference to System 1 and System 2 thinking from Kahneman’s behavioral economics research. Angela told us that 80-90% of what we do as humans is System 1 thinking – routines that we follow without active, deep thought. We engage in System 2 thinking only when problem solving or creating something new. She quoted General MacArthur, saying “never give an order that’s impossible to execute”. Asking people to engage in System 2 thinking about security all the time would be debilitating.

This has profound implications for the difference between awareness and actual behavior change. Making people aware of policies and potential risks is just the first step. After that, organizations need to invest in continuous training that repeats the desired behaviors until they become routine. It requires investment and leadership all the way from the top. The CISO is just the enabler; becoming a security-minded culture is an organizational transformation. Security awareness training can never again be the same. To that end, Angela had some words of encouragement. We've made these transformations before: women in the workplace, dropping offensive language, diversity and inclusion. The way companies run today is very different from 10-20 years ago. So it is all possible. It just requires continuous effort and reinforcement.

Check out the details, like self-efficacy, concordance, and other concepts from behavior change science by listening to the full podcast.
