- Last Week As A vCISO
- Posts
- Behavior Change Is Hard
Behavior Change Is Hard
Cognitive biases in life and Information Security
I feel like this article is for my future teenage kids where they will tell me that they are who they are and don’t want to change.
Change is hard. It’s even hard when you don’t have one or more of these things:
Self-awareness
Humility
A goal for understanding
Willingness to learn
Change: Getting To The Root Of Will
How many times have you been a victim to a sign or post like this?
Although this may achieve the goal you are looking for if followed, it’s not terribly welcoming.
An alternative sign could be like this:
The idea is that, assuming they’re not a psychopath, any good natured person will see the impact of their actions and not want to burden someone else.
Another example is when a water company wanted to get residents to use less water, instead of asking residents to use less water to save the environment etc, they said that their neighbors are already saving water and doing a great job. Here the company used simple psychological pressure levers of guilt and shame to change user behavior1.
Sometimes change is not possible, and so that is where a technical control may come into play. I know I had difficulty changing the behavior of people turning off the light when they left the kitchen, so I ended up installing a motion sensor light switch instead!
Change In Information Security
Enter Information Security. I think there are two components here.
One, for Information Security professionals to embrace change and understand the psychology behind the work they do. Yes having technical proclivity is important, but not everything and vice versa. Your message will not be well received if you are difficult to work with. Period.
Two, the other is how to influence behaviors in others. I believe that people want to do the right thing, they just need to be made aware of it. Instead of writing rules and controls in a vacuum, show the impact of not fixing or not doing something to better communicate you objective.
Leaky Hose Story
I have a leaky hose that I’ve been struggling to get people to turn off after using (long story). Because people were not closing it after use, I had to put a towel to capture the water so it doesn't damage the wood.
Today I was about to put a sign say “Please turn off valve” but instead opted to say “<-- Leaky Faucet” instead. The hope is that they will see the note and be reminded to close the faucet. If not, I might put one more note behind it saying “will cause permanent wood damage”. Let’s see if it works.
Or I could just find the time to fix it. 🤷🏽♂️ 😀
Reply