Five ways to evidence change in security behaviours with a security champions program
Measuring change for security culture programs is notoriously difficult to translate into hard numbers. While we all want to be able to report direct reductions in costs associated with data breaches as a result of security awareness initiatives, the only way we can prove cost savings is to benchmark against a recent breach and pluck predicted savings on potential breaches out of thin air. Phew. We soon end up with very long-winded sentences, and it still feels a bit fluffy.
So, let’s focus on the ways in which it is possible to evidence behavioural change…through security champions. Here are five ways to embed a more secure culture and support real business KPIs with your organization’s strongest asset – its people.
Frame security using a perspective the board will relate to
Get really familiar with your organization’s KPIs and think about the ways in which a champions network will support them. If you focus, for example, on customer satisfaction and retention, do the research: evidence shows that consumer attitudes towards data privacy have changed and that consumers now actively seek companies that prioritize the security of their data. In this scenario, piloting a champions initiative with customer-facing colleagues could be a great starting point. These champions are well-positioned to work with sales, marketing, and customer support teams to develop practical skills from the ground up, ensuring people know how to talk to customers about security.
Leverage existing metrics, such as customer satisfaction surveys, to measure changes in attitudes and behaviour. Adding a couple of simple questions like ‘How concerned are you about the security of your personal data?’ or ‘How well do we look after your data?’ is an effective way to make a case for your champions network, as well as to measure subsequent shifts in your internal security culture.
Identity key habits and behaviours to measure champs’ success
Just as your business needs to focus on key activities, so do your security champions. We’ve found that identifying key habits or key behaviours as a collaborative exercise is a brilliant way to engage, focus, and measure change.
A key habit is simply something that would reduce the risk of a breach if everyone in the business adopted it – because as we all know, most breaches are the result of avoidable mistakes. We often start this process by asking: “Imagine you’ve been away from the business for three years. When you return, you have the proactive security culture you want. Look around you – what are people doing and saying differently now?” Security culture can be defined as ‘what people say and do to demonstrate what’s important to them’. Run this exercise with key stakeholders and champions.
Task your champions to come up with the methods to measure change
Let’s say you’ve completed the exercise above and have identified a key habit as ‘I don’t tailgate into my building because I don’t want to put my colleagues in the position of having to challenge me’. Now ask your champions network how you’re going to know whether people are doing this. Here are some ideas from champions we’ve worked with:
- Join forces with the reception team to get a tally sheet each morning
- Make and record individual Adhoc observations on a few mornings every month
- Ask people in my team how many times they’ve witnessed tailgating and record responses on a quarterly basis
Empower the eyes and ears at grassroots level
A security champions network really does make it possible to measure behavioural change. Until now, the awareness field has continually tried to construct complex algorithms and psychological theories that imply change has occurred, or that suggest it’s more likely because certain beliefs and drivers are in place. The basic truth, however, is that we simply need to see if it’s happening. Security champions enable you to see the change because they are the eyes and ears at grassroots level. They will provide qualitative data and a much more realistic view of risk, enabling you to tackle security weaknesses proactively.
Use an incentive and let them eat cake
The fifth way to evidence behaviour change through security champions is based on a real case study. Our first workshop focussed on the question: “Imagine you’ve been away for three years…”. The recurring response was that they’d expect to see colleagues locking their screens when they left their desks. So this is what the champions did to drive the key habit:
1.Spoke to people across the site and asked them to complete a simple tally sheet for one week, to record how many times they saw a screen unlocked and unattended.
2.Work with us to develop a 10-minute interactive exercise about the importance of locking screens and ran it at their next team meeting.
3.Realized they could easily incentivize a change with, you’ve guessed it, cake. It was agreed that anyone who left their screen unlocked would receive a small fine. All monies collected went into the Friday cake fund.
4.Kept it fun with post-it messages like ‘nom can’t wait for my Friday cakes’ stuck to unlocked screens. This soon caught on across the whole site.
Colleagues became so accustomed to noticing unlocked screens and locking their own screens, that after three months the cake fund was running extremely low. So, they moved on to the next key behaviour. They don’t need to be reminded about screen locking anymore because it’s become a habit. One colleague told us that it’s so normal to ctrl+alt+del when she gets up from her computer that she does it at home, leaving her husband wondering what she’s got to hide!
To sum up, measuring behaviour change is not only possible, but it’s easy if you allow your security champions to help create self-determined change. Engage them in the right way, and they’ll come up with more effective ways to affect and measure change than you can – because they know their area of the business. Think qualitative, rich data, rather than stats and figures. Start by identifying where you can really prove the business value of your champions network, and the return on investment becomes much easier to calculate.
By Sarah Janes
Managing Director, Layer 8 Ltd
Bedford, England