In the beginning of Andrew Carnegie’s famous book, How to Win Friends and Influence People, he tells the story of safety inspector George Johnston. Johnston’s job was to get people to wear hard hats at construction sites. He would tell them, with the force of his authority, that they should wear their hats — even sometimes berating them into compliance. And they would put their hats on… until he left!
Johnston eventually realized that people weren’t taking his advice, so he tried a different approach. The next time he went to a job site, he asked whether the hard hats were uncomfortable. When folks engaged in a conversation about the hats and how they could be personalized for each individual, the workers began actually wearing their hard hats. It wasn’t perfect, but overall safety was improved dramatically.
I recently read an article by a colleague detailing his “not to do list”, to keep a cell phone secure when travelling. There is an increased risk of getting hacked when you travel, and people really should heed this good advice. There is just one problem… people don’t always follow our advice.
One of the most common bits of advice we give is that you should never leave your cell phone unattended. This kind of cybersecurity advice is bulletproof. It’s impossible to argue with someone who says you should never leave your phone unattended. If you leave your phone unattended and something bad happens, it’s your fault. But it’s definitely not the fault of the person giving the advice.
I worry that we’re like George Johnson, walking away from a job site thinking we’ve made a difference while people are in reality taking their hard hats off.
So a question we should be asking ourselves is whether we’re giving effective advice. If I were ranking how good advice is, I would want to try to measure the outcome, and look at how useful the advice we give is at helping people change their behaviors. If most people ultimately ignore the guidance we provide, then we fall into Johnston’s initial trap. People hear us talking, but we don’t actually improve the safety or security of our communities. And if we think we’ve been effective, we don’t continue to improve the effectiveness of our advice!
Is there an alternative?
In 1972, a person put a blanket down on the sand at Jones Beach in New York, just a few feet away from a stranger. They set their portable radio down, and then walked away. A thief had been watching, and seeing their opportunity, they quickly walked by and stole the radio. Of course, both the victim and the thief were sent there by a Dr. Thomas Moriarty to see if anyone would try and stop the theft. It turned out only 20% of people tried.
Dr. Moriarty then conducted the experiment again with one small change: he had the person ask their neighbor to watch their radio for them before they left. When the thief came up, 95% of the people who were asked to help did intervene to stop the theft.
If I were to tell you in my security training classes that you should ask for help if you have to leave your phone unattended at a coffee shop…this would be an example of what I call “bullet resistant” security advice. It’s not perfect. But it gives the person hearing the advice an additional tool to help protect themselves. And they can use that tool in a way that fits their needs.
The reality is that bulletproof advice is challenging to design with just spot online training courses and simulated phishing campaigns. To be effective, we need to act more like an athletics coach. A coach observes the individual’s strengths and weaknesses over time and helps to personalize the training for each student. They don’t expect perfection at any step; it’s a journey. Businesses have leadership coaches, and wellness coaches, and I think there is a growing need for cybersecurity coaching.
In cybersecurity, we know that the training we give isn’t as effective as it could be. Despite our efforts, we know that people are our largest attack surface and that over 90% of breaches stem from attacks against our people. I think we need to take a cue from Johnson: observe outcomes, ask questions, and follow-up with better and more personalized training, like a good coach would. We need everyone’s help on the journey to be more secure.