I was interviewing a manager recently about his department’s cybersecurity practices when I asked him whether they lock their paper records up at night. He said yes, they keep their files locked at all times, not just at night. I pointed to the filing cabinet in his office, where the key was still sticking out of the lock, and asked, “Do you ever take the key out?”
Cybersecurity is a behavior, not a skill. We’ve taught cybersecurity awareness for years as though it were a skill to be learned like any other technology. People are smart, and they’ve listened to this training. And now when you ask them questions about cybersecurity, they know the right answers. But when you inquire whether they’re actually doing those things regularly, you discover that they aren’t.
If you’ve ever gotten advice on your golf swing, you know that keeping all of those little tidbits of knowledge in your head while you’re holding a club can be a challenge. Keep your knees bent. Breathe. Hold your club like this. Bend your elbows. Eye on the ball. Follow through. Security awareness has failed because we aren’t looking at modifying or influencing behaviors, we’re just giving tidbits of advice without a strategy for getting people to put them into practice.
The good news is that we know how to change behaviors.
In order to change a behavior you need several things. According to Charles Duhigg, author of the New York Times bestseller The Power of Habit, you first need to understand the unconscious routine you regularly follow. To break a bad habit, you need to identify the cues that trigger that unconscious behavior so you can replace the bad behavior with a good one. And once the good behavior is in place, you need to attach a reward to it, so that the craving for the reward creates a loop that makes the behavior repeat.
What are the behaviors that need to change? There are top-ten lists of cybersecurity tips that list all kinds of specific things people can do to be more secure. There are hundreds of different pieces of advice, and it’s not realistic to expect people to memorize every one of them. Even if they did, they still wouldn’t be prepared when a new variation of social engineering came along.
What we need, then, is an understanding of the underlying structures that govern a person’s choices and steer them toward the right decisions. To find them, I’ve looked at all of the tips and advice we call “good behaviors”. These underlying structures fall into eight different habits. How strong the underlying habit is determines how effective the cybersecurity defense will be.
There are three main categories that all cybersecurity activities fall into: prevent, detect, and mitigate. Prevent describes any action that stops an incident from happening, from not collecting social security numbers when you don’t need them to installing software updates immediately. Detect is the most difficult of the three to perform, because in cybersecurity an attacker may leave no trace at all. If someone broke into your house, took a bunch of pictures and locked the door as he left, it would be impossible to ever know he was there without some control in place, like an alarm or a CCTV system. Mitigate describes the actions you take after an incident has happened. The eight habits all fall somewhere within these three categories, and some fall into more than one.
What this tells me is that we started out trying to understand cybersecurity awareness without any framework to describe the behaviors that govern how individuals can protect themselves. It’s like looking at an orange under a microscope and trying to figure out what kind of vegetable it is (it’s not a vegetable). We’ve focused on the specifics. But in math, science, or language, we learn concepts as a construct for understanding how the specifics fit into the larger picture. I’ll describe below how we can use the eight habits to change behaviors and then to measure that change.
1. Literacy – there is an element of security that involves understanding your environment. This involves continuous learning. You need to know how your alarm system works, how to set privacy settings, or what kinds of scams to be on the lookout for. It also means making informed decisions.
2. Vigilance – this is the state of mind of keeping watch, so that when you see something you are ready to recognize it and act. Monitoring server logs or reviewing physical access records are good examples of this.
3. Skepticism – My wife is from Missouri. Missouri calls itself the “show me” state because people from the state won’t believe anything unless they see it with their own eyes. Being a skeptic means not trusting something until you’ve established its credibility, which also requires patience.
4. Hygiene – Just like brushing your teeth, security requires a routine. Hygiene is the habit of performing security tasks on a regular basis. Perhaps you check the locks on your house before you go to bed or maybe you have an algorithm for creating passwords.
5. Federation – You need help to be secure. We work together to solve problems. We share information in order to protect others and to be united in a common defense. We need to look to help, not just from law enforcement or inside our companies, but from peers in our industry or in similar roles across industries.
6. Deception – Have you ever seen a movie where someone asks, “Do you know Captain Harris?” When the person being asked answers, “Yes, of course!” you know they’re lying, because that person doesn’t exist. You might create “lies” to use as answers to common password challenge questions. Or you might set up a honeypot on your internal network to alert you if anyone accesses it, since no legitimate user has any reason to touch it. Deception can be both a preventive and a detective control.
7. Mirroring – There is an element of curiosity involved in mirroring. You want to be able to see yourself and what you look like from someone else’s perspective. Penetration testing is this habit put into practice, but so is looking at your social media profiles from different perspectives or Googling your own name.
8. Diligence – My definition of diligence is very similar to the legal definition of “due diligence”. Because of my narrower definition, diligence falls into the Mitigate category. After you’ve experienced an incident, you need to have plans and protocols for handling how you respond.
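To make the honeypot idea in habit 6 (and the log review in habit 2) concrete, here is an added example that is not part of the original post: a minimal TCP canary that listens on a loopback port, records every connection as an alert, and never answers. The host, port and the two simulated “intruder” connections in demo() are constructed for the example; nothing here is tied to a real network.

```python
"""Minimal TCP canary (honeypot) with an alert log.

Added example, not the post author's code. It assumes nothing about the
reader's network: the canary binds a loopback port chosen by the OS, and
because no legitimate service lives there, any connection is an alert.
"""
import socket
import threading
import time
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Alert:
    when: float   # epoch seconds the connection arrived
    peer: str     # source address of the connecting host
    port: int     # source port of the connecting host


@dataclass
class Canary:
    host: str = "127.0.0.1"   # hypothetical; loopback keeps the example offline
    port: int = 0             # 0 = let the OS pick a free port
    alerts: List[Alert] = field(default_factory=list)
    _stop: threading.Event = field(default_factory=threading.Event)
    _thread: Optional[threading.Thread] = None
    _sock: Optional[socket.socket] = None

    def start(self) -> int:
        """Bind, listen, and start the accept loop. Returns the bound port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self._sock.settimeout(0.2)  # short timeout so the loop can notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break  # socket closed by stop()
            with conn:
                # Record the touch and close silently: a canary that talks
                # back tells the intruder what it is.
                self.alerts.append(Alert(time.time(), addr[0], addr[1]))

    def stop(self) -> None:
        self._stop.set()
        if self._thread is not None:
            self._thread.join()
        if self._sock is not None:
            self._sock.close()


def summarize(alerts: List[Alert]) -> List[str]:
    """The 'vigilance' half: turn raw alerts into lines a person reviews."""
    return [
        "ALERT %s canary touched from %s:%d"
        % (time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(a.when)), a.peer, a.port)
        for a in alerts
    ]


def demo() -> List[Alert]:
    """Run the canary and poke it twice from this host (constructed intruder)."""
    canary = Canary()
    port = canary.start()
    for _ in range(2):
        with socket.create_connection(("127.0.0.1", port), timeout=2):
            pass  # connect and hang up, as a scanner would
    deadline = time.time() + 5
    while len(canary.alerts) < 2 and time.time() < deadline:
        time.sleep(0.05)
    canary.stop()
    return canary.alerts


if __name__ == "__main__":
    for line in summarize(demo()):
        print(line)
```

On a real internal network the same listener would sit on a port that looks interesting (a database or admin port, for instance) on a host nobody should reach, and summarize() would feed a SIEM or a pager rather than the console. The design point is that the canary produces zero false positives by construction: there is no legitimate traffic to distinguish from the intruder’s.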
When a company experiences a breach due to a failure of the “human element”, it’s because one or more of these habits was broken. For example, an employee knew they clicked on a phishing link (vigilance, skepticism), but didn’t report it (federation, diligence) and didn’t change their password afterwards (hygiene). To be successful at improving our cybersecurity, we need to get people to take the keys out of the filing cabinet, to replace their old habits with new, better ones.