A CISO’s guide to: Baseline Behavioural Research
25 June 2018
Changing everyone’s behaviour can be done
‘Know thy enemy’ is a mantra often on the lips of the threat-aware CISO. But knowing your friends can be even more critical. Staff can be your human firewall or your hidden vulnerability. You need to know what makes them tick.
Social psychologists might say we are best viewed as a collection of individuals, but increasingly research points to human behaviour being significantly influenced by the social groupings we inhabit. That we have an innate, unconscious herd instinct is the claim. Wherever the truth lies, for a CISO, understanding how their people behave is crucial to success, no matter how that success is measured.
Gaining a deep understanding of patterns of behaviour is an essential first step to developing and executing a successful behavioural change strategy: one that both increases employees’ awareness of their information security responsibilities and influences their behaviour.
From baseline to ‘bang for your buck’
They say everything in life is relative. But relative to what? If you want to show your information security strategy has achieved its goals and changed people’s behaviour, then you need to define your start position. Establishing this ‘as is’ baseline provides a reference point from which to measure. This allows you, for example, to assess how security risks are evolving (or receding) across the organisation’s culture.
Even better, by being able to show the board how much bang they get for their budgetary buck, you’re within reach of the CISO holy grail – getting the board’s attention. But setting a baseline needs some careful consideration – of depth, detail and length.
Go deep with your baseline
It sounds easy, right? Knock together a survey, elbow a space onto the corporate comms plan and see those numbers roll in. Not so much. Don’t be tempted to be superficial. In addition to measuring awareness and behaviour, there are other aspects to be recorded that really get to the heart of your company’s culture.
The approaches to information security that your employees take are afloat in a sea of emotional attachments, perceptions, values and attitudes. You need to capture and combine these to see the full picture. Digging deeper to uncover these more fundamental insights is necessary if we want to effect real change.
So, a well-thought-through behavioural change survey will find rich data across three broad areas:
Information Security Awareness and Behaviour:
Here we look at the everyday behaviours and staff awareness levels. Do your staff generally use secure passwords, but share them across work and home systems? Do younger employees feel less confident about challenging people without ID cards? Are personal social media accounts used to discuss work issues? There is a whole host of behaviours to be measured, but focus on those where the risk is highest for you.
This covers employees’ perceptions of and engagement with security, as well as their involvement and relationship with the company. There are some clever ways to look at how an employee feels about the company. Given certain scenarios who would they put first, themselves or the company? Carefully crafted questions are needed to elicit reliable data in this very subjective area.
Within your overall cross-organisation baseline you’ll find many points of divergence between distinct demographic groups. The differences can be stark. For example, employees overall may have poor password management, but the under-24-year-old age group may show exemplary performance on this marker. Defining your groups appropriately is key to capturing such demographic differences; this certainly is not a one-size-fits-all game.
Future-proofing your demographic groupings is also important. Remember this is your baseline. As you re-run the research over subsequent years, you need to ensure you’re comparing like-with-like to properly capture the change. So, try not to tie yourself into business units that may be about to change their function or be subsumed in the next big organisational shake-up.
Go long with your baseline
Once run, the results of your first survey will have established that all-important baseline for behaviour and attitudes. The intelligence gleaned provides the core input from which a successful behavioural change programme can be devised and implemented.
But the long haul is what we are looking at here. If the baseline behavioural research is ‘take off’ then the ‘flight journey’ should be a series of regular – usually annual – follow-up surveys. Effecting change in behaviour is not an overnight job, so the CISO needs to be committed to the long term and look at least three to five years ahead.
Re-running the baseline survey – suitably modified and updated to take account of company changes – allows you to see where there has been a real change in behaviour. Hopefully, this will be positive across the business but, if not, it will highlight areas where the problem is particularly deep-rooted and allow you to develop and implement remedial action.
Furthermore, if you supplement the survey results with qualitative insight from focus groups, you’ll further raise the integrity of your baseline research findings by spotting potential biases in the self-reported behaviours and attitudes captured by the survey. This extra effort is worth making, especially when presenting your annual information security strategic plan to the board.
Finally, don’t forget to get full buy-in from your stakeholders. This means not just the idea of a survey but the details – length, breadth, timeframe and the questions. Remember, this is a long-haul flight and we don’t want the passengers claiming they didn’t know where they were going or, worse, wanting to change destination halfway through!
Gathering intelligence on – and knowing – your enemies is one of the major foundations of a strong information security strategy. But just as crucial is determining where weaknesses lie within your organisation. Running a behaviour survey to establish your baseline position – and then feeding the data into a behavioural change programme – lays good security foundations in your all-important backyard.
Ultimately this will enable you to build a robust internal culture that’s more resistant to external threats. Not only will that allow you to focus resources outward toward those external threats – you’ll also have the reassurance of knowing your infosec team is as broad and deep as your organisation.
So, whether your employees are a collection of individuals or a group unconsciously learning behaviour from each other, a baseline behaviour survey is the place to start to bring everyone onto the same information security page.