During 2018 we ran our Security Culture Survey with over 2500 employees, asking them ‘how often do you talk about security at work?’ I knew the result would be low, but I didn’t expect it to be as low as 3.4%.
Does it matter if employees are not regularly talking about security?
To answer that question you first need to know what type of security awareness maturity you are looking for. If you’re compliance focused, the answer is probably no: people don’t need to talk about security regularly. However, if, like a growing number of organisations, you want to see behavioural change, then the answer is yes.
Changes that stick usually start with a conversation
Think about yourself. Can you remember a time when you tried to make a change, perhaps a new diet or exercise regime, or to keep a New Year’s resolution? Remember the changes that stuck, the ones that are now habitual. They often start with a conversation.
Let’s be clear what we mean by a ‘conversation’. I mean an exchange of questions, ideas, opinions and information. A conversation involves both talking and listening.
Engaging in good conversations provides both parties with:
- context and meaning.
- time for self-reflection on your own behaviour and beliefs.
- insight into new perspectives.
- the possibility of redefining your opinions.
- the opportunity to collaborate and identify new processes.
Moving on to security, the development of healthy security behaviours is dependent upon drivers – emotionally charged behaviours which demonstrate motivation and personal engagement with security issues. Talking about security makes it real. If employees are not discussing security, it means that secure behaviours are probably not happening.
Why traditional security awareness is failing to change behaviour
Knowing about something cannot, on its own, create change. It can be difficult to obtain investment for security awareness programmes. This is because many people feel that they make a big investment in training, but when the session is over people fall back into old habits and behaviours.
“People need a catalyst to change, if we drop conversation from our security awareness toolset, then we lose our ability to change!”
What the Scientists Say
The benefits of using conversation as a catalyst for change are self-evident in the projects we’ve worked on, but it’s not a new phenomenon. Here’s what the scientists say:
- Fogg Behavioural Model – BJ Fogg’s model argues 3 items must be present for behavioural change:
  - A motivator
  - The ability
  - A prompt – conversation is listed as one of the most powerful prompts available
- Mindspace (Dolan et al) – identifies 9 factors that influence change, easily retained in this mnemonic –
Significantly, messenger (we are heavily influenced by those we communicate with) and norms (we are strongly influenced by what others do) both have interaction and conversation at their core.
- The 4 E’s (HM Government) – Enable, Engage, Encourage and Exemplify – the 4 E’s principle notes that change only occurs if all 4 E’s are present and there is a ‘catalyst’ present to kick start the change.
So, conversation on its own will not create secure behaviours, but adding conversation to your security awareness programme may be the catalyst you need to make change happen.
If you haven’t made a New Year’s resolution yet, make it this: ‘I will add conversations to my security awareness toolset’.
If you’re interested in how to apply conversation to your security awareness programme in a way that can be coordinated and measured, visit the Layer 8 website and download some of our free resources. www.layer8ltd.co.uk/resources/
Layer 8 minimises the risk to businesses caused through poor employee behaviours. Most security training fails because it removes conversation, which is a primary catalyst for change. Layer 8 uses conversation to create proactive security behaviours that can be measured, using the Layer 8 Toolkit, which is accessible in App or Web-based formats. The Layer 8 Toolkit delivers impactful messages fast, allows interaction, drives people to collaborate on risk-reducing initiatives and can measure improvements.
Our Security Culture Survey positions organisations on a security culture maturity scale with specific confidence, competence and security culture driver indices.