Changing Human Behaviour?
Security Policies
Controlling Human Behaviour
Don’t tell me what to do!
• We think we understand how to do this
• We think it is common sense
• So – how can we make people behave
securely?
Behaviour Change
• Time to report back on research from this
week
Report Back
Simple Question
How do we keep people from walking on the
grass (or doing something else we want them
to do/not to do)?
Appeals (Emotion)
Fun/Humour? (Emotion)
Smoking
• Wilhelm Kieft tried to outlaw smoking in New
Amsterdam in the 1630s
• A mob of citizens had assembled before the
governor’s house.
• They began to smoke
• William remonstrated
• The rioters made no reply but continued to
smoke
Smoking
• Wilhelm finally gave in
• People could smoke, but they had to give up
long pipes.
• Thus ended this insurrection, the pipe plot
• It ended, in mere smoke
Other Techniques
• Nagware:
– Cars that beep when drivers don’t fasten their
seatbelts
– Windows pops up reminders until you install
security updates
• Forcing
– Systems that force you to change your password
at regular intervals
Usual Considerations
1. Users just need to be educated
2. Get people’s attitudes sorted out
3. People need to think about the consequences of their actions
4. People are lazy
I am borrowing heavily from TED talks, specifically Jenni Cross’s talk
Which Will Reduce Littering?
EDUCATION Myth
Knowledge Reliably Changes Behaviour
Information is not Enough
60%
It Depends How you Present it
Frame LOSS, not Gain
Just Educate…
• Ignaz Semmelweis
• Discovered the role of hand
washing in preventing cross-
infection in 1847
• He didn’t live to see his findings
accepted, dying in a mental
asylum after a breakdown in
1865
In a recent UK-wide study, 99% of
people interviewed at motorway
service station toilets claimed they
had washed their hands after going
to the toilet. Electronic recording
devices revealed only 32% of men
and 64% of women actually did.
Texting while Driving
Attitudes Myth
Change the Attitude to Change the Behaviour
It’s the Other Way Around
Behaviour Changes Attitudes
NORMS!
Set Behavioural Expectations
Attitudes!
• Video
We Understand Ourselves Myth
People Know What Motivates their Behaviours
38%
58%
What Will Motivate You?
NORMS
Social Norms:
• Descriptive – what people currently do
• Injunctive – it is expected that people do this…
Descriptive
Injunctive
• The campaign is credited with
reducing litter on Texas highways
roughly 72% between 1986 and
1990.
Social Norms/Identity
Which Will Reduce Littering?
Consequences
It is just not that simple!
Smoking
Literacy Levels
Safety Procedures
Lazy?
I wonder…
Cognitive Misers
Security Policies look like this:
• You should NOT do these things
• You SHOULD do these things
• Here are the consequences if you don’t
Why do folks drink and drive?
• They think they are unlucky to be caught (no
consequences)
• Confusion about safe levels (no knowledge)
• Poor judges of their own level of inebriation
(skills)
• Publicise breathalysing levels – Consequences
• Report numbers caught – Knowledge
• Random testing – luck out of the equation
• Reduce confusion – simple & clear
Education
Drink Driving
• First anti-drink drive campaign in 1967
• Breath testing
• Tougher laws and better enforcement
Drink Driving (UK)
Usual Approaches
1. Users just need to be educated (necessary, not sufficient)
2. People need to think about the consequences of their actions (necessary, not sufficient)
3. Get people’s attitudes sorted out (myth)
4. People are lazy (myth)
We need to think of other motivators
People are Complicated!
[Diagram. Stages: Ignorance, Training, Gulf of Evaluation, No Intention, Behavioural Intention of Varying Strength, Gulf of Execution, Desired Behaviour. Groupings: Sustaining Factors, Deterring Factors.]
[Factor labels in the diagram: Knowledge, Perceived Vulnerability, Perceived Severity, Response Efficacy, Self Efficacy, Response Cost, Attitude, Security Culture, Lack of Trust in Source Expertise, Lack of Expertise, Elapsed Time, Implementation Intention, Tension Work & Security, Resource Scarcity, Lack of Commitment, Work Pressure, Inappropriate Training, Autonomy, Visible Monitoring, Habit, Feedback Channel, Performance Feedback, Commitment, Employee Participation, Intention Valence & Stability.]
Motivations
• Quiz Question. A company wants to motivate
you with a bonus. Which motivation works
for you?
1. Think of what £1000 would mean as a down
payment on a car or that home improvement
you want?
2. Think of the security you would have with that
£1000 in your bank account
3. Think of what £1000 means in terms of how
much the company values your contribution
It’s all about self esteem
Motivations
• Which of these motivations would work best
for other people?
1. Think of the security this job provides
2. Think about the visibility this job provides. Lots
of people will be watching your performance
3. Think about how rewarding it would be to do
this job. It offers a unique learning opportunity
Social Comparison
Company had two schemes
• Salesmen who sold more software than 90% of
other salesmen got into the president’s club
– chosen at end of year
– Gold star on card
– Companywide recognition
– Email from CEO
– Weekend trip
• Commission accelerator – a high volume sale at the
beginning of a quarter gets higher commission on
next sales
How do they decide?
• Negotiating sale in December
– Do it now, get into the club
– Do it in January, get higher
commission
• What do they do?
– They “pay” $30 000 to get into the
club
• Workers respond to schemes
which allow them to compare
themselves socially to their peers
Performance
Behaviour
Think
Feel
Raw Emotion
Physiology
What Motivates People?
• Emotional needs are on the same level as food and
water
• SCARF Model
– Status – importance to others
– Certainty concerns being able to predict the future.
– Autonomy provides a sense of control over events.
– Relatedness is a sense of safety with others, of friend
rather than foe.
– Fairness is a perception of fair exchanges between
people.
David Rock SCARF Model
Change our Perspective
• Stop asking why they won’t do things
• Ask yourself why they CAN’T do things
Atul Gawande
• Went to India and explained about hand
washing to rural midwives
• Still, they did not wash their hands
• They had the knowledge, and the
competence, and understood the risks
• They still did not wash!
• They COULDN’T wash. Soap was too
expensive
• When they handed out soap, everyone
washed!
Influencing Behaviour
EDUCATE
DESIGN
CONTROL
SUPPORT
Influencing Behaviour – Social Marketing
EDUCATE
DESIGN
CONTROL
SUPPORT
Certainty
Certainty
Fairness
Autonomy
Fairness
Status
Relatedness
Influencing Behaviour – Smoking
• EDUCATE – Education Programmes
• DESIGN – No Cigarette Vending Machines
• CONTROL – No Selling to Children
• SUPPORT – Stop Smoking Support
Problem Scenario
• People leave
confidential info in
printers at night
• How do we solve
this?
Think about it
• Why are they leaving the paper in the
printer?
– Address the cause and you will address the consequence!
• Printout left in printer
– Forget to fetch
– Go to fetch, printer out of paper
Design for Security
• Require people to enter a code at printer
• No more paper left in the printer!
They purposely did not put in any sidewalks. Within a year, well-worn paths
in the grass showed clearly where the students wanted to walk. The
following year, the sidewalks were installed in those exact locations. Wow,
the users became site architects and designed a more effective campus.
Another Example (Empty Boxes)
Company Approach
• Hire an external engineering company to
solve their empty boxes problem.
• The project followed the usual process:
budget and project sponsor allocated, RFP,
and third-parties selected.
• Six months (and $8 million) later they had a
fantastic solution – on time, on budget, and
high quality. Everyone in the project was
pleased
Solution
• They solved the problem by using a high-tech
precision scale that would sound a bell and
flash lights whenever a toothpaste box
weighed less than it should.
• The line would stop, someone would walk
over, remove the defective box, and then
press another button to re-start the line.
• As a result of the new package monitoring
process, no empty boxes were being shipped
out of the factory.
Monitoring
• 1st week the scale picked up x boxes per day
• Next 3 weeks no boxes picked up!
• ???
Example from NHS
Hospital in Glasgow has a phone room so
patients can make calls
Patients
• Patients can make 2 kinds of calls
– Unsupervised
– Supervised
• 2 different PINs
• Problem – patient made call to supervised
number without supervision
• Design is the key!
Design Problems
• The PIN was displayed during
the call
• PINs were issued sequentially
• Nurses being required to
memorise PINs?
• Staff being required to hang
around when phone calls are
made?
Sigh
• Learning point
– Issue PINs randomly
• Should be
– Design the system properly!
What Else is Needed?
• Education – first step
– Work to change and use norms of behaviour –
social influence
• Support: Training – to give skills, competencies
• Control – policy and audits
• Design – VERY powerful – bear emotional needs in
mind
• Sufficiency is probably infeasible, but we can get
closer
Atul Gawande: Childbirth Rural India
• Only four per cent of birth attendants washed
their hands
• In an average childbirth, clinicians followed
only about ten of twenty-nine basic
recommended practices
• BetterBirth project gives childcare nurses and
attendants “mentors” to provide
personalized critiques and instruction
• After going through one of the classes, not
much had been absorbed
• Rooms not disinfected, vital signs not
checked, no hand washing etc.
• Midwives were defensive when mentors tried
to give them feedback
• After a few months things started to change.
The mentor and the midwife started to form
a relationship. Barriers were broken down
“Policymakers should learn from this.
In order to change the way physicians
practice, neither top-down penalties
or incentives will work”
• To change doctors’ behaviour, partner with
them. Listen to and acknowledge what
physicians are concerned about.
• “It wasn’t like talking to someone who was
trying to find mistakes … It was like talking to
a friend.”