1 September 2020

What non-mask wearers teach us about security awareness

elevenM Principal Arjun Ramachandran explores why observance of coronavirus restrictions and advice varies across countries and societies, and the potential lessons for those in the game of persuading people to adopt good security behaviours.

“Wear a mask”. “Practice social distancing”. “Isolate”.

Clear, consistent, universal.

But cast your eyes from country to country, even community to community, and you see incredible variance in how the advice sticks.

The management of COVID-19 in the community highlights a core challenge in how companies cultivate positive security and privacy behaviours among their people. Clear guidance and engaging messages alone don’t always get the job done.

As public health practitioners have learned through the pandemic, and as those of us engaged in security and privacy persuasion must recognise, we work in a broader context.

The fingerprints of culture are evident in how different societies are responding to coronavirus guidelines and restrictions. Values like individualism, community, mutual obligation, respect for the elderly and deference to authority – and the extent to which they dominate a culture – clearly influence how communities behave, and how they will respond to advice and guidance.

“Maybe we’ll change our culture so that it’s not expected or brave of you to go to work sick. Maybe we’ll start to protect each other the way Asian cultures do. It’s pretty normal in Asian societies to wear a mask when you’re sick when you go out in public and to stay home if you can. We are the exact opposite. We wear masks to protect ourselves and we feel free to show up at a meeting when we have a fever.”
VICE

Sure – when you’re trying to inculcate good security or privacy practices, repeatedly broadcasting actionable advice will get these messages onto the radar of employees. Heck, if you’re clever enough to make the advice funny or entertaining, it might even go viral! You’ll have smashed a bunch of internal engagement metrics and hit some awareness goals.

But as with “Wear a mask!”, lack of awareness isn’t always the barrier. People can know what to do and still act contrarily. Or, they might follow the rules, but only in circumstances where compliance is monitored or defined.

If we want to go beyond compliance, and if we want behaviours to be both lasting and self-applied across contexts, then our goal must be for employees to internalise and identify with those desirable behaviours.

That’s why we encourage organisations embarking on security or privacy education activities to look at shaping culture as a vital complement (if not a precursor) to their education and awareness activities.

Culture is ultimately an expression of shared values and beliefs expressed through collective behaviours and practices.

Research tells us that values, or more specifically an alignment of values, create the conditions for people to internalise behaviours.

Yet while organisations abound in discrete bits of security advice (“don’t click this, make sure you do that”), the values underpinning the desired security and privacy behaviours are often never defined or articulated to employees. It could be as simple as revisiting the company’s existing set of corporate values and expressing how security or privacy are integral to that value set.

For staff to identify with values and desired behaviours, they will also expect to see them being exhibited and advocated by those they admire or respect. This is where an organisation’s high-profile security champions can play a role, and where its most senior leaders have a responsibility.

For more on security culture, check out our recent work.

Photo credit: Evgeni Tcherkasski on Unsplash.