Social Engineering Blogs (http://www.socialengineeringblogs.com): An Aggregator for Blogs About Social Engineering and Related Fields. Feed generated Thu, 21 Jan 2016 20:05:24 +0000.

Pride and Guilt: Affective Keys to Sustainability
http://www.socialengineeringblogs.com/pride-and-guilt-affective-keys-to-sustainability/?pk_campaign=rss_feed&pk_kwd=pride-and-guilt-affective-keys-to-sustainability
Thu, 21 Jan 2016 20:05:24 +0000 (original: http://emotionnews.org/?p=791)

By most accounts, the 2015 Paris COP21 Summit in December was a success. Member nations committed to restricting global warming to no more than 2°C, and ideally only 1.5°C, above pre-industrial levels – largely by cutting greenhouse gas emissions. While such nation-level commitment is of utmost import, slowing or curbing the negative effects of climate […]

The post Pride and Guilt: Affective Keys to Sustainability appeared first on Emotion News.

The post Pride and Guilt: Affective Keys to Sustainability appeared first on Social Engineering Blogs.

Marketing Psychology: Price Framing
http://www.socialengineeringblogs.com/marketing-psychology-price-framing/?pk_campaign=rss_feed&pk_kwd=marketing-psychology-price-framing
Fri, 30 Jan 2015 15:00:19 +0000 (original: http://peopletriggers.wordpress.com/?p=1399)
Price framing is one of those topics that everyone seems to have heard of, but every person you ask will give you a different definition of what it is and how it works. Yet if you’re managing a web store with thousands of products, for example, understanding how to present prices and products in the […]

The post Marketing Psychology: Price Framing appeared first on Social Engineering Blogs.

Measuring Your Success: Baseline and Continual Measurement
http://www.madsecurity.com/measuring-your-success-baseline-and-continual-measurement/?pk_campaign=rss_feed&pk_kwd=measuring-your-success-baseline-and-continual-measurement
Wed, 22 May 2013 17:51:50 +0000 (original: http://www.madsecurity.com/?p=3709)
Here you are. You’ve done your cultural assessment, you were able to identify the holes in the organization’s security awareness efforts, and you modified training and created a 12-month content plan to fix this. It’s time to sit back and see some real user behavior change, right?

Quick question: How do you know that your plan worked? Are users reporting more issues to the help desk? Are people more able to identify phishing emails? Are users retaining the information from annual training through the year? Basically, if your boss walked in and asked for proof that the budget was put to good use, would you have anything to provide besides ‘trust me’?

Probably not, and because of that you need to measure the behavior within your organization. Without measuring user behavior you have no way of knowing how successful, or unsuccessful, your security awareness architecture is. You are also left in the role of ‘firefighter’, in that you only know that a hole (fire) is present when that hole creates a big problem (i.e., a password attack causing a major data breach).

[Graph: No Baseline]

The Value of Baseline Measurements

There are two types of measurement that are going to be pivotal in showing you significant changes in behavior: baseline and continual. Baseline measurement shows you how users were performing before any changes were made, thereby providing you with a point of comparison. Let’s say that you started your intervention in June and you measured user behavior through September (see the ‘No Baseline’ graph). Did your intervention work? To be perfectly honest, this graph shows nothing impressive at all. As a matter of fact, it looks like nothing has happened. Money well spent, for sure.

Now let’s add a baseline measurement and see how that looks.

Much better! Now you can clearly see that (1) help desk calls have significantly increased, and (2) the number of successful phishing attacks has significantly decreased!

[Graph: Baseline]

Furthermore, your new training/content plan seems to be producing long-term behavior change over the following months. Great job.

This example really outlines the value of baseline measurement. Without it you have no way of knowing whether you made things better, worse, or broke even.

The Value of Continual Measurement

Once you have shown the effectiveness of your security awareness efforts, is there value in consistent measurement afterwards? Of course. Constant measurement of user behavior allows you to see behavior trends and address issues before they become a problem. Let’s go back to the help desk and phishing attack example. You continued to measure user behavior for several more months and suddenly you saw this.

[Graph: Consistent Measurement]

What happened? Not only are your users not calling the help desk, but they are also falling prey to more phishing attacks. They are performing similarly to before your new training and content plan was implemented. Upon further investigation you find out that a new phishing method was just released and your users are having a hard time identifying it. This also leads to fewer calls to the help desk.

While initially this may seem like a giant leap in the wrong direction, it is exactly what behavior measurement is for. Security threats evolve and your security awareness architecture has to evolve with them. By measuring user behavior consistently you are able to see when patterns like this occur and develop an intervention (e.g., a newsletter or a quick email) that addresses them before they create a big problem for your users and you.

The post Measuring Your Success: Baseline and Continual Measurement appeared first on Social Engineering Blogs.

Making Content Stick: How to Make An Effective Evaluation.
http://www.madsecurity.com/making-content-stick-how-to-make-an-effective-evaluation/?pk_campaign=rss_feed&pk_kwd=making-content-stick-how-to-make-an-effective-evaluation
Thu, 16 May 2013 17:08:05 +0000 (original: http://www.madsecurity.com/?p=3700)
How many people would get a 3/3 on the following questions without even watching a training video?

1) Do you need a password?

Yes
No

2) Should you give your password to a stranger?

Yes
No

3) True or False: All passwords should be displayed in the open.

True
False

If 100 people were asked the following question on the local news, how many do you think would honestly say yes?

Have you ever had racist, sexist or ageist thoughts?

Maybe 1%? What about if another 100 were asked under complete and utter anonymity?

Think the number would jump up?

Each of these examples demonstrates a valuable point: ASKING QUESTIONS IS HARD. It’s not as easy as just slapping a question mark at the end of a sentence and calling it a day. There are millions (and I’m not exaggerating) of factors to keep in mind when making a test, making a survey, conducting an interview, taking a poll, or anything similar. Since some form of content retention is needed after training, let’s focus on quizzes in this blog.

Challenges of Making a Quiz


What’s got 2 thumbs and took an ENTIRE graduate-level course (and part of a graduate degree) just to learn how to write a good series of questions?

That’s right, this girl. But rather than put you through that, or more importantly rather than put me through that, I am going to focus on the top challenges of making an effective quiz.

(If you want to know more about any of the other forms of questions/surveys/polls/etc. feel free to ask)

1) Being too easy: The goal of a quiz is to evaluate an individual’s comprehension, or even mastery, of the topic at hand. Sometimes we even use this in annual training as a criterion for taking the next lesson. Because of this, making the quiz questions too easy is not only useless but also damages the overall training efforts. The previous phishing ‘quiz’ is a perfect example of questions that are too easy. Each question is a no-brainer, ‘no duh’ question that does not require any learning. Therefore, users can just skip to the quizzes and be finished with your 25-video annual training in 10 minutes.

Yeah, lots of learning there.

Not only does this not evaluate their comprehension of the topic, but it also renders the rest of your training efforts, and the information in them, completely useless. You have just turned the one time a year that they have to pay a little attention into a wash. The quiz sucks, and now you need to find another way to get them new information so that your enterprise is not made vulnerable to attacks like the Nigerian phishing scam.


2) Being too hard: Just like making a quiz too easy is counterproductive, the same is true when the quiz is too hard. When a quiz is impossible to pass, users will first spend loads of time trying to complete your training (not great when you are paying them to do so). Once learned helplessness settles in, users will start to give up, rendering your training message useless.

3) Getting actionable results: Even though quizzes are made to evaluate a user’s performance, they also tell the trainers/teachers/managers something as well. If evaluated correctly you can see where there are large levels of misunderstanding, or needed improvement. For example, if you notice that 75% of the users got a 20% or less on their first attempt at a quiz on cloud computing, that tells you that supplemental efforts need to be made to close that gap. Make a newsletter. Start that security awareness campaign sooner rather than later. Regardless, structure your quiz so that you, and your enterprise, can evaluate user knowledge and adapt accordingly.

The post Making Content Stick: How to Make An Effective Evaluation. appeared first on Social Engineering Blogs.

Making Content Stick: Immediate & Delayed Stimulation
http://www.madsecurity.com/making-content-stick-immediate-delayed-stimulation/?pk_campaign=rss_feed&pk_kwd=making-content-stick-immediate-delayed-stimulation
Wed, 08 May 2013 19:55:29 +0000 (original: http://www.madsecurity.com/?p=3679)

Welcome to Fantasyland where the budget is limitless and the users pay attention to everything you say!

In Fantasyland you have amazing annual training that lays a solid foundation of information for your users. You have created testing that accurately and effectively measures user understanding of the training without being too hard or too easy. You have created additional content (e.g., posters, viral videos, newsletters, lunch and learns) that calls back to the concepts taught in training and changes user behavior. You have done it all.

So how do you implement this amazing content?

All-at-Once?


Imagine that every year your user comes to a room that is plastered with your amazing posters. They sit down at a computer and watch training videos on topics like ‘secure cloud computing.’ This is followed by a quiz, followed again by a wonderfully crafted newsletter you created on how to ensure that all data in the cloud is safe. It all ends with showing them a funny viral video involving cats, Megan Fox, or David Hasselhoff. Since we know they fully attended to all that information (remember, this is Fantasyland), how long do you think their behavior will be affected by the training?

1 week? 1 month? 1 year?

Considering that most annual awareness training programs contain at least 20 topics (all needing a video, quiz, poster, and additional content), I’d give it 2 weeks. Maybe 6 weeks for the topics that really resonated with them (e.g., protecting your family on Facebook). That’s right: not even 2 months after presenting all this content, most of it will be gone until next year. This points out an important part of any security awareness architecture.

Immediate v. Delayed Stimulation

In the previous example, all of the content was set up as immediate stimulation. The user was presented with all the information at once and did not see it again until a year later. While this does get all of the information across, it does NOT produce consistent behavior change across the entire year. To do this you have to use a mixture of immediate and delayed stimulation. By combining the two techniques you are able to lay a solid foundation of awareness that is consistently recalled by the user throughout the year. If done correctly, you can even steer what is recalled based on what is presenting the most vulnerability within your organization at the time.

When to Implement Different Types of Content

Annual Training: This type of content can include everything from basic videos on passwords that everyone has to watch, to more specific role-based training that targets the information to fit the tasks of the user (e.g., data classification for all users with a clearance). Annual training is where the foundation of information is established and is essentially ‘ground zero.’ Considering the density of the information, as well as the time required of the user, annual training should only occur once a year. Some companies choose to spread it over the year, and that is fine. The main point is that there is little to no value in using annual training in a delayed stimulation capacity.

Content Testing: After seeing a video the user has this large body of information and it needs to be stored (see previous blogs on the process of memory storage). One way to facilitate retention is through immediate testing. This requires the user to recall the information that they just learned through the training video, use it to answer questions, and re-store it, thereby strengthening the memory. Without this, the message is not strengthened and the literacy foundation is much weaker. Because of its placement immediately after the video, content testing is most effective as immediate stimulation.

Posters and Additional Content: Something that was probably painfully obvious as wrong in the previous example was the fact that the only exposure the user was getting to the posters and newsletters was immediate and in conjunction with training. I have never seen a client use posters and other additional content in an immediate stimulation fashion, because it does no good. Each is intended to call the user back to the information in training, facilitate recollection, and encourage more secure behavior across the entire year. Showing everything all at once is like placing all your cards on the table. You have nothing left.

While the timing of your content requires more finesse and thought, classifying each part as either an immediate or a delayed stimulation tool is vital in figuring out exactly where everything goes.

The post Making Content Stick: Immediate & Delayed Stimulation appeared first on Social Engineering Blogs.

Making Content Stick: Retention
http://www.madsecurity.com/making-content-stick-retention/?pk_campaign=rss_feed&pk_kwd=making-content-stick-retention
Thu, 18 Apr 2013 13:16:52 +0000 (original: http://www.madsecurity.com/?p=3631)

Percent Retained = (Information acquired / Information presented) × 100

Retention is one of the main goals of any successful security awareness architecture. Without retention every poster, video, or lunch-and-learn is as valuable as ‘Snooki’ teaching a lesson in ethics. No one cares, nor would they walk away knowing anything new or useful. The reason retention is such a big factor in security is the relationship between memories and the forgetting curve (see previous blog for full explanation). In ...

The post Making Content Stick: Retention appeared first on Social Engineering Blogs.

Security Awareness Content: Challenges of Using Punishment
http://www.madsecurity.com/security-awareness-content-challenges-of-using-punishment/?pk_campaign=rss_feed&pk_kwd=security-awareness-content-challenges-of-using-punishment
Wed, 10 Apr 2013 15:00:23 +0000 (original: http://www.madsecurity.com/?p=3618)
Punishment is evident in all aspects of our life, in everything from getting drivers to stop speeding to getting the dog to not bark at the mailman. Because of this, it is no wonder that many turn to punishment when wanting to change user behavior. While punishment is a very powerful tool (one that can produce almost immediate change in behavior), it is very hard to control and very hard to maintain. For these reasons, I rarely recommend using punishment when creating an effective security awareness architecture.

What is the most effective punishment?

Want to know how to reduce user behavior with almost 100% effectiveness? Deprive users of food, water, and/or sex. Go forth and develop content.

No? I didn’t think so. When making security awareness content, we as infosec professionals are not able to use the most effective punishers and therefore have to evaluate our user base to figure out what is the next best thing. This punishment has to be easy to implement and applicable across your entire user base. Furthermore, it has to be easy to maintain. Let’s say you have an issue with users not properly disposing of PII, so you decide to implement a termination policy for all instances of improperly handled or disposed of PII. While very effective (because it gets at the user’s ability to purchase food and water), it is not easy to maintain. You will either end up with a lot fewer employees REAL quick or you turn into the boy who cried wolf. Let’s say that instead of termination, you force the employee to click through a 10-slide PowerPoint outlining what PII is and how to properly dispose of it. That won’t work either, for the opposite reason: even though it’s easy to maintain, its effectiveness as a punisher will wear off drastically. Think of this similarly to getting desensitized to a pop-up notification. It is for this reason that choosing a contingency is often one of the hardest parts of using punishment in a content plan.

Indirectly punishing behaviors

Imagine that your organization has a major problem with users losing mobile devices, laptops, and tablets. A loss is reported at least once every two weeks and each lost device exposes your organization to a data breach of some highly sensitive information (e.g., customer credit card information). In an effort to reduce this behavior, and keep your organization out of the news, you inflict a $100 penalty for loss of a phone, $300 for tablets, and $500 for a laptop. You see an immediate drop in device loss, but after a few months some other patterns start to emerge. First, calls to report anything to the security team drop significantly. This includes reports about phishing attacks and suspicious computer behavior. Second, when a device is lost, users are taking an average of 2 weeks to inform the security team. In the past, lost devices were reported within 24 hours. Both of these present a major problem to your organization and are the unfortunate side effect of a poorly used punishment. This example demonstrates that even though a punishment is inflicted upon a specific behavior, it does not guarantee that the effect will be isolated. The plan was to reduce loss of devices, but users were also being deterred from reporting the loss, as well as from calling the security team at all.

While major, these two topics are just a few in a long list of reasons why using punishment to change user behavior is difficult to do. To be effective, a large amount of control is needed; otherwise you can create more problems than you started with.

The post Security Awareness Content: Challenges of Using Punishment appeared first on Social Engineering Blogs.

Security Awareness Content: Challenges of Using Reinforcement
http://www.madsecurity.com/security-awareness-content-challenges-of-using-reinforcement/?pk_campaign=rss_feed&pk_kwd=security-awareness-content-challenges-of-using-reinforcement
Thu, 04 Apr 2013 15:03:35 +0000 (original: http://www.madsecurity.com/?p=3614)
Imagine that you are the head of security awareness at an organization (not a stretch for some) and have been charged with getting people to report issues to the help desk. You decide, in your infinite wisdom, to encourage them to report issues to the help desk by giving them $1 each time they report a valid problem. The week after implementing the new reward program, the number of issues reported to the help desk has increased 100-fold. Your program is getting great results. Not only are 99% of phishing attacks getting reported, but shoulder surfing is down, you know when devices are lost, and compromised computers are being reported to the help desk rather than being discovered by them. Things are coming up roses.

See any problems here?

Of course you do! The budget for this program is going to be INSANE! No practical business will support paying $1 for each ticket at the help desk for any longer than 6 months, MAX. This leads into the second, and biggest, problem with using reinforcement. If the only reason that users are reporting issues is because of a reward, the minute that the reward is removed the desired behavior plummets. Unless you can replace the reward with something of equal subjective value, their incentive is gone and the trained behavior is lost.

*Finding something of equal subjective value to cash on a large scale is damn near impossible. I only say ‘damn near’ because I’m sure there is some magical place out there that can do it but I’ve never come across it. *

Finally, let’s say that instead of $1 you gave them a free lunch, because your users really like lunch. How long will that be an effective reward? My guess is that after about a month of free lunches have been accrued, the value of the reward will go down dramatically, and so will the behavior you are rewarding. Suddenly, you have to switch the reward to something else (of equal subjective value) to keep them responding.

Vicious cycle anyone?

How to Use Reinforcement to Your Advantage

As you can see, reinforcement is a tricky thing, but when can we use it to change behavior?

Let’s go back to the help desk problem. Instead of paying for each help desk ticket indefinitely, you make it a charity fundraiser for the holidays.

“Every time you call the help desk, $1 will be donated to buy gifts for families in need. Weekly progress will be reported!”

Some of you might look at this and say “even if we had the budget for that, we still have the same problem of removing the reward and losing the behavior once the fundraiser was over”, but consider two very important differences.

1) The reinforcement has a clearly defined ‘end point’ that has nothing to do with the user, the company, or their behavior, but is a product of the reward. The gifts have to be bought at some point, otherwise the fundraiser was pointless. Essentially you are isolating the reinforcement contingency and increasing your chances of the behavior persisting afterwards.

Not to mention that periodic fundraisers to increase behavior (if needed) are MUCH more sustainable for the budget than constant reinforcement.

2) The second, and most important, is how closely the reinforcement (e.g., $1) and the behavior are paired. In our first example the employee saw the DIRECT effect of calling the help desk on their paycheck, therefore it was very closely paired to their behavior.

Just like if Pavlov’s dogs were fed EVERY time the research assistant came in.

The minute that the user realized the reinforcement was removed, the behavior that followed stopped (i.e., calling the help desk).

Back to Pavlov: The dogs would eventually stop salivating once they knew that the assistants were never going to feed them.

In our second example, the users see the money increase, but it is NOT directly related to each time they call the help desk. Instead it goes into an anonymous pool that may jump $100 a week even if they only called the help desk once. Since the reinforcement is not closely tied to each behavior they perform, the chance of the behavior persisting after the reinforcement is removed increases significantly.

*For a more detailed look at this process see my previous blog on Pavlov and his dogs.

Based on all of this, be careful when using reinforcement. While it may provide an immediate result, it is something that needs budget and time to maintain. If used wrong, you will just be setting yourself up for an uphill battle.

The post Security Awareness Content: Challenges of Using Reinforcement appeared first on Social Engineering Blogs.
