The Shared Ownership Approach to Changing Security Behaviors

Posted by Steve Williams—Director of Strategic Partnerships • 6/25/2015


Changing behavior is a powerful and appealing phrase, it’s especially attractive when it’s advertised as a light switch that can be flipped into the on position through the use of a particular technology or training program. Organizations of all shapes and sizes face challenges when it comes to measurably improving situational behaviors and choices, especially when it comes to cyber security standards. Driving progress in these areas requires an intimate relationship with not only the knowledge aspects of this equation, but also a deeper and more measured understanding of the channels of influence that are either working with us or against us.

For most companies, enhancing cyber and information security practices is now an initiative located at the center of the tug of war for mindshare and influence. Why is it so hard to drive progress and interest considering we all see a weekly front-page story on cyber horrors? It’s tough because gaining buy-in within a single department or even amongst a few dozen people is downright challenging and with security awareness we’re forced to multiply this challenge to include thousands of employees, tens of thousands of devices, and make a difference amidst the constant collision of people’s personal and professional lives.

Driving change of any kind requires us to consider not just what, but who actually gets through to people and why. It’s always baffling to see phishing e-mails with engagement rates that are sometimes several multiples of what a legitimate internal communication can produce. Cutting through the noise is a big part of this battle and it requires allies, strategic thinking, and a lot more than the “spray and pray” approach.

The key here is to start considering, appreciating, and leaning on the value of the messenger to move things forward. In childhood it was often phrased “because Dad or Mom said so”. In business, and as recent as yesterday for me it was “because my boss said so”. Yet with the best of intentions, when trying to improve anything the way we most often go about it is to take as much command, control, and ownership over something as we possibly can and in doing so we diminish our returns by trying to become the messenger and the owner of all outcomes instead of allowing others to share some responsibility for both.

Let’s apply these principles to elevating the application of cyber security standards and engraining these
practices in a business culture. In this context it becomes so important to reverse course and be willing to ask for and enlist the help of those that can get through to people with a message that carries weight. From a vantage point of shared ownership mountains can be moved, but it has to start with the acceptance that both a personal and professional filter is being applied to every communication and initiative based on the messenger and that filter is like any other filter (including the e-mail variety), some things get through that shouldn’t and some things that should don’t.

If you prefer facts and not just theories (which I do as well), I’ve worked with organizations to continuously measure the engagement rates with not just simulated phishing e-mails, but messages and alerts that are shared by their direct supervisor or leader in comparison to those sent from outside the department or from a general internal mailbox. Anyone with an inbox knows that the delete key is always armed and ready especially when it comes to sales related e-mails and mass internal communications. Simply put, if a message or directive is never consumed then it doesn’t matter how good, impactful, or game changing it is because it will result in nothing more than a scan and delete.

Your metrics mileage may vary, but here we are talking about a massive difference in what people will acknowledge and the level at which they will engage depending on the messenger or source. A recent and very simple assessment in this area showed that general security awareness messaging, updates, and specific information security alerts were being acknowledged by employees less than 10% of the time when sent by someone other than the individual defined as their “leader”. Even more alarming, was the measure that simulated phishing messages in the same department were consistently outperforming the direct security awareness alert messages at a rate of almost 5 to 1!

This contrast alone was enough to call for an adjustment to the delivery model. The point of leadership or direct supervisor within that same department soon became the point communicator on cyber security alerts and initiatives. It is important to note that the leader simply assumed responsibility for delivering and reinforcing messaging, not creating or crafting it. Moving the message closer to home delivered an immediate 8-fold increase in engagement just by moving the source of the direction from outside to inside. There’s a lesson here and it’s a good one. The quality and clarity of messaging and direction matters, but who says so matters even more.

Organizations that have upgraded from trying to shoulder the ownership of security awareness for everyone to enlisting the he
lp of others throughout the organization are driving change that can be measured both objectively (department level metrics & quantitative improvements) and subjectively (remarkable stories in which employee’s, not the technology have put the emergency brake on a scam). The key to this approach is to work strategically by objectively measuring influence and progress so you can share, empower, and motivate others not just with messaging, but an information security story backed by facts. Deliberate and persistent “Security Un-Awareness” and risky behavior needs to be owned by those closest to the source and getting others to take on some of the ownership over improvement in these areas is dependent on being able to:


  • Set goals that are incremental, not monumental.
  • Define and share the objectives.
  • Establish and supply continuous metrics that recognize and reward progress while reinforcing the risk picture.

Captivating minds and changing the security standards and behavior of thousands of users across dozens, maybe even hundreds of locations is a utopian goal. The good news is reducing risk and measuring progres
s isn’t.
 Whether it’s weight loss, cutting back on caffeine, or changing security behaviors, the key is staying centered on progressive, measurable, and meaningful improvement.

The bolder the goal, the better the approach has to be in order to accomplish it. Asking others for their help and involvement is infinitely more effective when the facts are in order and backed by objectivity. Measuring ownership one department, one leader, and one location at a time is how some security awareness programs are going from last on the list to top of mind. At the crux of this approach is the ability to engage others to play an active, supportive, and recognized role in the ownership of these critically important objectives.

Related posts