Read the book Security Awareness For Dummies - Ira Winkler - Page 48
The ABCs of behavioral science
The ABCs of behavioral science are similar to the ABCs of awareness, but with important differences: The ABCs of awareness lay out a path, and the ABCs of behavioral science define motivation. (See Figure 3-2.)
FIGURE 3-2: The ABCs of behavioral science.
Here’s how to break down the ABCs of behavioral science:
A stands for antecedents. In the context of this book, an antecedent is something that intends to influence a behavior. Antecedents in the security field are usually security awareness efforts. For example, users might see posters reminding them to wear their security access badges.
B stands for behavior. The B is the desired behavior that you’re trying to create. For example, users may be expected to wear their badges at all times while in the building.
C stands for consequences. Consequences are the responses to the behaviors. Users may experience a range of consequences for their behaviors:
    Negative consequences: The user experiences embarrassment, inconvenience, or correction. For example, a security guard might stop someone who has forgotten their badge, or the person may be unable to enter an area that’s protected by a badge reader.
    Positive consequences: The user is rewarded for the behavior.
    Neutral consequences: The behavior happens, and the user experiences no obvious consequence.
To apply this concept using clean desks as an example, consider how you tell people to keep a clean desk and lock computers and hard copy materials when unattended. You provide awareness to tell them what to do and what is expected. Combined with the awareness you provide, they also see what their coworkers are doing. They then either follow your guidance or not. They might partially follow your guidance as well, such as shutting down their computers but not securing hard copy materials.
If the employee fails to follow the guidance and you do nothing, that is a neutral consequence — and their behavior is likely to continue. If, however, a coworker or a supervisor speaks to the employee the next day regarding their failure to follow the clean desk policy, they will likely improve their behaviors the next day. If someone from the security department calls the person in and threatens disciplinary actions, they are most likely to improve their behaviors in the future. Though I don’t advocate threats on the first occasion, any negative consequence is likely to improve behavior in this example. Again, the peer pressure of seeing how coworkers behave is likely to strongly influence the behavior as well.
Both antecedents and consequences influence behaviors; however, they don’t influence behaviors equally. Antecedents have at best a 20 percent effect on changing behavior. Consequences have an impact of 80 percent or more.
In the ideal world, you can provide positive consequences for improved behaviors. However, providing negative consequences should not be out of the question, especially if the insecure behavior costs the organization money or other resources.
Consequences should be consistent across the entire organization. Some individuals may rebel against or ignore certain consequences, but your goal is to move the organization as a whole. This doesn’t require everyone to follow your guidance — just most people.
Culture, from the ABCs of awareness, can serve as a form of consequences. Culture provides peer pressure. Peer pressure is one of the most effective forms of consequences and drivers for change. If you can improve the security culture, the culture provides all the consequences you need.