Good security habits: Leveraging the science behind how humans develop habits
In this interview with Help Net Security, George Finney, CSO at Southern Methodist University, explains what good security habits are, how to successfully implement them and why they are important. He also talks about his book Well Aware and what inspired him to write it.
As technology progresses, so do cybersecurity risks. Is the awareness about them on the right path or is there still a long way to go?
There is more awareness about cybersecurity risks than ever before. We see stories about data breaches on the front pages of newspapers and the lead stories of investigative journalists. I think there is still a long way to go, and we need to be able to capture all this positive attention and turn it into focused action. The time has come for real cybersecurity change to happen – we have great security technologies today – but we need to build coalitions to make it happen.
We’ve seen CEOs get fired for not getting cybersecurity right, and I think this means that for all the folks out there who aspire to be a CEO one day, they know that they’ll need to start learning about cybersecurity today. This means the cybersecurity community is in a unique position to build partnerships with business leaders – because both their careers as well as our own are on the line.
There’s also a downside: I worry that with all the attention, there’s a natural human tendency to become desensitized to these risks. We need to start building bridges today if we haven’t already.
Is there a single formula to implement good security habits?
There is a secret recipe for good security habits that we’ve discovered from decades of research: it’s called the habit loop. And you can use the habit loop to hack your own brain for better security. You start with a prompt – which is just the signal that tells you to start a behavior. Then there’s the behavior itself. And finally, the most important step, giving yourself a reward. Even if the reward is just patting yourself on the back, your brain starts to release endorphins so when you see the prompt again next time, your brain will want to do that behavior again to receive another reward.
Security can seem scary to some people while to others it might feel like it’s too much work. Using the habit loop can help make security feel easy, because we don’t have to think about habits: by definition they are what we do when we’re on autopilot. But since habits make up about 50% of everything we do in our lives, it’s also the best way to have a massive impact on our security.
Is it always about human error or are there technological issues that are just impossible to deal with?
We talk about “People, Processes, and Technology” being the three pillars of cybersecurity. But we talk about them as though they are three equal slices of a pie. In reality, we are entirely focused on the technology. But people are the ones that build and configure the technology, people are the ones that create and follow (or don’t follow) the processes. In reality, the whole pie is made of people, with processes and technology just sprinkled in.
The tendency in our industry is to remove people from the equation altogether. There’s a word for what we’re trying to do – we’re trying to make our tech “foolproof”. Our industry says that “people are the weakest link”. If we believe that to be true, then we will make our beliefs into reality. This is what’s known to psychologists as the Pygmalion effect. Instead, I think we should focus on people first.
You are the author of the book Well Aware. What motivated you to write it and what do you expect to accomplish with it?
Building connections with our business leaders is critical to our success in security, and sometimes this can feel like an impossible task. To help build a bridge with our business leaders, we need to meet them halfway. Many business leaders already read extensively in terms of their own professional development, books like 7 Habits, Good to Great, and more. So I wrote Well Aware to help security practitioners build that bridge with our business leaders by writing a non-technical book that any executive can build into their professional development reading list.
For the book, I interviewed hundreds of business and security leaders, psychology and neuroscience experts, and everyday users who have been impacted by security. I think what makes the book resonate so much with readers is that I tell the stories of so many different kinds of people who were able to make a difference in security, even if they didn’t know anything about technology.
With so many books about good security habits on the market, why would you recommend yours?
What makes Well Aware unique is that it focuses on HOW to bring security into our lives. Often the advice we give in security focuses on the WHAT: vulnerabilities, breaches, threats, patches, etc. But our users are left to do the hard part themselves – they have to figure out HOW to take all the advice they’re being given and incorporate that into their own unique lives. And the truth is that there’s no one right or perfect way to do security.
We know from research that 50% of all human behaviors are based on habits. So to be successful at creating real, long-term, sustainable security behaviors we must be able to leverage the science behind how humans develop habits. There are a lot of great books out there around cybersecurity, and I’ve been inspired by and influenced by many of them. We need to continue broadening our audience when it comes to security because security is everyone’s job.