If we remove conversation from our security awareness toolset, we remove our ability to change behaviour.
That was my enduring message at my talk last month at Cyber Security and Cloud Expo. I was speaking about how we can move people from knowing what they should do to doing it!
Following the talk many people asked for more information about the technique. Whilst conversation is our catalyst for change, those conversations must be designed and applied carefully.
I wanted to share the questions I was asked in more detail:
- Tell me more about the technique, and how you use conversation to change behaviours?
It’s based on a principle that’s been used extensively in the design of smart cities, Appreciative Inquiry, or AI. But we tend to steer away from shortening it in our industry for obvious reasons!
Appreciative Inquiry works on the belief that organisations move in the direction they focus on. Therefore, discovering what already works, and why, is key. It can be quite interesting when we work with security teams that are accustomed to identifying weaknesses.
At its basic form the technique goes through four iterative phases:
- DISCOVER – discovery is about learning what’s going on now and getting familiar with what a business is good at and why. Designing questions like ‘when we do things well around here, why is that? And, ‘tell me about a time when you felt proud to defend the business?’ Are great ways to open the dialogue.
- DREAM – dreaming is about figuring out the ideal outcomes without inhibitions. As I mentioned earlier it can be tough, not just because we’re used to looking for weaknesses, but large organisations can be full of barriers, blockers and politics. However, if we start by focusing on the barriers, we keep finding more.
So, when we design conversations in the dreaming phase, we ask unconditionally positive questions, like ‘imagine a security team made up of all your employees, what benefits would that bring?’ Or, ‘you go away for 3 years, and when you return the business has an ideal security culture, what are people saying and doing in this new culture?’ Or, something more tactical, ‘imagine everyone was able to recognise phishing emails, what actions would people take?’
- DESIGN – at the end of the dreaming phase we create a provocation. A provocation is a vision, a rallying cry, a challenge, put together as a result of the conversations you have had. It’s something recognisable to the people you’ve spoken with.
With your provocation in hand you are now ready to move into the design phase. You’ll need others to help, but through the conversations you’ve had there will people willing to volunteer. Believe me there will, at every organisation we’ve worked people’s biggest fear is that no one will volunteer. But they always do because they’ve been engaged in what’s meaningful to them, and have an opportunity to create a new future they believe in.
Design is collaborative, about bridging the gap between today and the provocation for the future. By building on what your business already does well and propagating it.
- DELIVER – delivering is about measuring what’s happening and going through the cycle repeatedly to continually improve.
2. How can it be applied alongside my existing awareness programme?
Using conversation as an approach for change does not need to be exclusive. However, for some small businesses it might be enough.
Most businesses we work with are dispersed and international, therefore we also deliver elements online.
Setting up networks of Security Champions and up-skilling them in Appreciative Inquiry means that meaningful conversations about security resulting in change can happen at the grassroots. The online materials should support the Champions to take the learning out to the business and make change happen.
3. What have you used the technique for?
Most extensively we’ve used it to develop proactive, sustainable Security Champions networks. We’ve done this at Openreach, you can download a full-case study here, and a number of other business, including a large Charity and Critical National Infrastructure client.
We’ve also used it to:
Facilitate a collaborative and productive working relationship with siloed business divisions.
Engage the c-suite in security and create a shared vision.
Identify a set of key security habits for a business.
Improve a business unit’s response and processes for dealing with social engineering attempts.
Now I’d like to hear from you – tell me about a time conversation has helped you or your business improve its security posture?
Layer 8 minimises the risk to businesses caused through poor employee behaviours. Most security training fails because it removes conversation, which is a primary catalyst for change. Layer 8 uses conversation to create proactive security behaviours that can be measured. Using the Layer 8 Toolkit, accessible in App or Web-based formats. The Layer 8 Toolkit delivers impactful messages fast, allows interaction, drives people to collaborate on risk reducing initiatives and can measure improvements.