It used to be a common practice in organizations that if someone left their computer unlocked and unattended, another person would walk up to it and send an email to the entire team saying, “Donuts are on me tomorrow!” It was a simple practice, but it was one of the most effective ways to get people to lock their computers. I likewise tell the story of when I worked at NSA and my coworker hid my badge after I accidentally left it at a workstation and ran out to use the restroom. I was stopped by a security guard and had to deal with a good bit of aggravation until my coworker gave my badge back.
From a scientific perspective, these experiences are classified as shaming. Clearly, as a practice for encouraging desired behaviors, shaming proved extremely effective in my experience. So, when I saw an article touting recent research that showed shaming to be an effective awareness tool, I shared it to my LinkedIn page. It was great to see empirical proof for something that, until then, had only been anecdotally true. The reactions were, unfortunately, what I would have expected.
The majority of the responses stated that the research was wrong because, essentially, shaming is intuitively bad and you need to treat users well. They did not read the article in question, nor did they consider the implications. Most importantly, they didn’t consider the science, but just expressed their opinions. Those opinions were not the result of even anecdotal stories, but of their personal beliefs about how awareness programs should treat users. This is problematic on many levels.
Frankly, the commenters could easily have questioned the validity of the research. Doing so is straightforward, as good research proactively states its own limitations. The study in question stated that the sample was limited to a certain population. It was conducted in New Zealand, and there might be cultural issues to consider in the generalizability of the results. There are a variety of concerns that could have been raised. Instead, they gave their personal opinions.
While it would be great for awareness professionals to generally be champions for users, this is not what we are paid for. As part of the security organization, security awareness professionals have the primary responsibility of reducing risk through improving security-related behaviors. While some methods, such as shaming, might not seem desirable, if there is research showing the potential effectiveness of an awareness tool, it should be at least examined.
When awareness professionals see anything that is purported to improve awareness, they need to look at it on its merits. It is to their benefit to look at anything that might make them more effective in their jobs. Yes, it should be looked at with a critical eye, but biases should be put aside in the evaluation of potential awareness tools.
Likewise, they need to consider the research as it is, and not attempt to redefine fruitful research. This is one reason I complain about people attempting to redefine gamification as just being a game. Gamification is an established business practice that sets up a rewards structure for specific behavior. There is a tremendous amount of research and proof that gamification, specifically as defined, provides tremendous results. It is the basis for consumer loyalty programs achieving the success that they do.
On the other hand, most awareness programs that describe their efforts as gamification are simply games, not gamification: more creative ways of delivering information, which might produce minor improvements in slowing the forgetting curve and enhancing momentary engagement. However, these “games” are not proven to produce measurable improvements to the business. By analogy, you can’t just swap a coronavirus vaccine for a B12 vitamin shot and say they’re both essentially trying to make you healthy. Words matter in science.
With regard to human behavior, there is a great deal of scientific investment, especially in fields where there are significant financial benefits. Such is especially the case in accounting, safety science, sales and the like. The security awareness field is now blessed in that researchers have begun to look into it, and are considering how theories that apply to other fields may apply to security awareness. If practitioners in the field choose to ignore the findings because it is against their biases, they are doing themselves, their organizations and the profession a great disservice.
It is healthy to be skeptical. It is warranted to question research that is counterintuitive to one’s experience. Yes, the research might not have taken certain issues into account. Highlight the limitations that are built into all research. But people should never just say they disagree with research because they don’t like it. It would benefit all professionals to learn how to critically evaluate research.