Getting teams to improve security can be hard work, but it’s an important job that organisations must take seriously to protect an increasingly risky world. For this post, I wanted to explore some ways that an organisation or individual might start building a new security “habit” so that, in time, acting securely becomes automatic.
The first key step is defining what you want your habit to be. Translating a security process or activity into a habit means there are probably plenty of things you might want to become a habit, and defining the habit correctly can make all the difference. Whilst this might seem like common sense, how you put together your definition is a very important starting place for ensuring the habit will stick.
Useful things to consider at this stage include making the definition simple and easy to understand, but detailed enough that it’s clear how you measure success or failure: think “Review Unexpected Changes on Windows Servers every morning” rather than “Check File Integrity Monitoring”. I generally find a little bit of wiggle room in the definition works well, as it allows (especially during the early stages of habit formation) a bit of tolerance so you don’t get put off carrying out the task.
Cue it up
Consider whether it’s possible to set up cues that encourage the habit. A scheduled reminder or email can put a requirement in front of you (or the person in whom the habit should be formed), although care should be taken to make this engaging rather than an annoyance. When planning your habit trigger for those already complaining of busy email inboxes, a daily mail may be more frustrating than encouraging, whilst for others a task item might not provide sufficient visibility if they don’t already manage things through a task-based to-do list on a daily basis – an element of flexibility and experimentation can make all the difference between a habit sticking or slipping.
As a fan of “inbox zero”, I find the email cue very effective – but I’d often spice up the daily messages with “quote of the day” signatures or a link to a daily crossword, so I know that if I complete my task there’s a reward to come!
Reinforcement of the habit is also very important. As before, different people may find different methods of reinforcement effective, so for some it might be best to associate successfully completing the activity with a reward such as ticking it off on a tracker, whilst for others some external reinforcement can be helpful (e.g. sending an email to someone confirming it’s done) or even a team scoreboard tracking success publicly and visibly.
Whilst you are considering this, you may also want to think about what other methods you could use if you find the reinforcement effect to be “weak” or ineffective over time. There’s evidence that making a habit rewarding can be a powerful way to reinforce the behaviour, even if the reward is only slightly related to the habit itself, so don’t be afraid to abstract out the rewards and cues – I personally find just getting a cup of coffee a very persuasive reward for my own “good behaviour”!
Equally, bear in mind that using a variety of systems for reinforcement and reward may work better. It may also be useful to identify a variety of methods so that you can inject some novelty into the routine, further helping with motivation and engagement – sometimes a weekly “success” review can help further. If you’re trying to set the habit for others, consider what you might need to do to keep interest levels high, and not just do the same thing every single day.
If we consider our Daily Change Audit review again, I might make the job more fun by tracking my progress and daily highs, but I would also likely try to vary the workload I’m addressing, so I’m not always looking at the same set of behaviours every day. Whilst looking at the same set can help with detecting sudden changes, human beings tend to quickly “switch off” if there’s no variety, so doing the same job in exactly the same way can be ineffective. When building out a FIM solution, I’ll often structure Change Process Compliance Reviews to allow for different workloads for each day, such as investigating different device types or different types of non-compliance (changes outside of change windows, misuse of privileged accounts, etc.), and spread these across a team so no one gets bored and disengaged from the habit.
Keeping an eye on the habit to ensure you’re on track is useful for two reasons – it can act as a further rewarding reinforcement mechanism (encouraging you to try to “complete the chain” – Jerry Seinfeld’s well-known method of ensuring he kept on track every day: https://www.entrepreneur.com/article/334597), and it is a way of checking whether you need to make any adjustments to your routine to make sure you aren’t lapsing. Ideally, your security controls should be helping you keep track and measure successful application of security – although you might need to adjust your dashboard metrics to support some specific habit-forming activities.
Make it easy to get back on track
During the early stages of habit formation, you should accept that you might fail, so there should be “guard-rails” in place to make sure this doesn’t have a negative impact (either to the security of the system or to the return to the formation process of the habit itself). By planning for this eventuality, you can save a lot of headaches.
Patience here is key – do not expect habits to form quickly and easily, and understand that you might need to try different habit-forming techniques, since sticking to the same approach might in fact cause burnout and loss of interest in continuing with the habit. For our daily FIM checks, for instance, that might mean making sure that if you miss a day, you have ways to easily adjust the reports and dashboards you use to look a bit further back and catch up. By using features in your tooling to make it easy to get back on top of reviewing the changes, you can ensure that the backlog never feels insurmountable.
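To make the two tooling points above concrete (varying the daily workload across device types and non-compliance categories, and stretching the review window back to the last completed review when a day is missed), here is a small daily FIM change-review helper. It is an added example written for this post, not code from the original article or from any particular FIM product; the event format, the hosts, the change windows and the privileged-account list are all constructed sample data, and the function names are hypothetical.

```python
"""
Daily FIM change-review helper (added example; constructed data throughout).

Assumptions (hypothetical):
  - FIM change events arrive as dicts with 'host', 'device_type', 'path',
    'user' and 'ts' (timezone-aware UTC datetime).
  - Approved change windows are (start, end) UTC datetime pairs per host.
  - Privileged accounts are a known set of usernames.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample events: a deployment inside its window, a hosts-file edit
# by an admin outside any window, an sshd_config edit by root, a firewall rule
# change inside its window.
SAMPLE_CHANGES = [
    {"host": "web01", "device_type": "windows-server", "path": r"C:\inetpub\wwwroot\web.config",
     "user": "svc_deploy", "ts": datetime(2024, 3, 4, 2, 15, tzinfo=UTC)},
    {"host": "web01", "device_type": "windows-server", "path": r"C:\Windows\System32\drivers\etc\hosts",
     "user": "Administrator", "ts": datetime(2024, 3, 4, 14, 30, tzinfo=UTC)},
    {"host": "db01", "device_type": "linux-server", "path": "/etc/ssh/sshd_config",
     "user": "root", "ts": datetime(2024, 3, 5, 9, 5, tzinfo=UTC)},
    {"host": "fw01", "device_type": "firewall", "path": "/config/rules.xml",
     "user": "netops", "ts": datetime(2024, 3, 5, 3, 0, tzinfo=UTC)},
]

# Constructed approved change windows (UTC) per host.
CHANGE_WINDOWS = {
    "web01": [(datetime(2024, 3, 4, 2, 0, tzinfo=UTC), datetime(2024, 3, 4, 3, 0, tzinfo=UTC))],
    "fw01": [(datetime(2024, 3, 5, 2, 0, tzinfo=UTC), datetime(2024, 3, 5, 4, 0, tzinfo=UTC))],
}
PRIVILEGED_ACCOUNTS = {"Administrator", "root"}
DEVICE_TYPES = ["windows-server", "linux-server", "firewall"]

# Constructed scenario: the reviewer last completed the check on 4 March and is
# sitting down on 6 March, so 5 March was missed.
NOW = datetime(2024, 3, 6, 8, 0, tzinfo=UTC)
LAST_REVIEWED = datetime(2024, 3, 4, 8, 0, tzinfo=UTC)


def review_window(last_reviewed, now, default=timedelta(days=1)):
    """Return (start, end) for today's review. Normally this is the last
    24 hours; if a day was missed, start is pulled back to the last completed
    review so the missed changes are caught up rather than silently dropped."""
    return min(now - default, last_reviewed), now


def focus_rotation(start_day, days, device_types=DEVICE_TYPES):
    """Rotate the device type in focus over consecutive days so the reviewer is
    not looking at the same set of behaviours every day."""
    return [device_types[(start_day + timedelta(days=i)).toordinal() % len(device_types)]
            for i in range(days)]


def in_change_window(change, windows=CHANGE_WINDOWS):
    """True if the change falls inside an approved window for its host."""
    return any(start <= change["ts"] <= end for start, end in windows.get(change["host"], []))


def triage(changes, start, end, focus=None):
    """Return the changes in [start, end] that need a human look, each tagged
    with the non-compliance categories that apply. 'focus' optionally limits
    the day's work to one device type."""
    findings = []
    for c in changes:
        if not (start <= c["ts"] <= end):
            continue
        if focus and c["device_type"] != focus:
            continue
        reasons = []
        if not in_change_window(c):
            reasons.append("outside-change-window")
        if c["user"] in PRIVILEGED_ACCOUNTS:
            reasons.append("privileged-account")
        if reasons:
            findings.append({**c, "reasons": reasons})
    return findings


def run_example():
    """Catch-up review for the constructed missed-day scenario."""
    start, end = review_window(LAST_REVIEWED, NOW)
    return triage(SAMPLE_CHANGES, start, end)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['host']:6} {f['user']:14} {f['path']}  [{', '.join(f['reasons'])}]")
```

Because `review_window` widens the lookback to the last completed review, the missed day's `sshd_config` edit is still surfaced, while the deployment and firewall change that fell inside their approved windows are filtered out, and the rotation from `focus_rotation` gives each team member a different device type to look at on each day of the week.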
Habits to power up your cybersecurity world
Habit-building is a field often explored by psychologists, productivity gurus and business analysts alike, many of whom offer interesting insights and different approaches to building habitual behaviour. Whilst the above might not work for every security process you introduce, perhaps it will help you to start thinking about building habits, and not just security procedures, to ensure a more secure future for your organisation.