There is a prevalent paradigm within the organizational cultures of many well-meaning institutions that has left open an opportunity for improvement. For many people, the tired axioms of security awareness training have devalued training itself and made it less realistic that a security-minded culture can be created in the workplace, or in our personal lives.

Many people purchase lottery tickets each day, and while there is hope that the purchase will lead to a big win, there is little expectation that a jackpot will result. That is the difference between estimating a high-probability outcome and a low-probability one. For most security awareness training participants, the chance that long-term behavior will change as a result is low.

Instead of continuing to hope that end users will willfully and cheerfully do the things that are taught in security awareness sessions, we may choose instead to expect that they most certainly will not. By making a rational estimate of end-user behavior, creation and innovation can guide policy, rather than the irrational gamble that people will stop writing down passwords and stop clicking on links.

I propose that security professionals actively pursue the goal of mainstream security-mindedness without placing false faith in the increasingly outmoded and psychologically flawed notion that behavior will change, and instead invest the time and energy in providing new concepts to management teams and policymakers that will allow the organizational directives of CISOs and CIOs to thrive despite the factors inherent in the human condition.

I will end by suggesting a couple of possible solutions for consideration and improvement:
- Instead of teaching people not to click suspicious links, teach them never to click links in emails, or, better still, disallow links in email altogether. This can be done without disrupting internal communications simply by placing links in a safe site or shared folder that the end user must authenticate into, and then notifying them by email that the link exists there. The notification itself must carry no clickable link, or it simply recreates the phishing lure the rule was meant to remove; the place where the user proves who they are is the share, never the email.
- Instead of telling users not to write down passwords and instructing them to construct long, complex passwords, issue them randomly generated and individually distributed 12-digit passwords on sticky notes, and teach them that they can easily keep those safe by adding a uniform, memorized passphrase to the beginning or end of each one. This is an idea I came up with earlier that I call a "Brain-Token". It means people only ever have to memorize one password for work at a time. Two cautions apply. The sticky-note half must be truly random and drawn from a full character set: twelve decimal digits give only about 40 bits of guessing resistance, while twelve letters and digits give roughly 71. And because the memorized passphrase is reused across every account, a single leaked full password gives it away, after which every other account is protected only by its sticky-note half.
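To make the first proposal concrete, here is an added example (my own illustration, not code from the original post) of the link-quarantine step: URLs are stripped out of a message body, parked in an authenticated "link vault" (a hypothetical name for the safe site or shared folder), and replaced with a plain-text reference that is useless without signing in. The sample message is constructed for the example, and the `LinkVault` class stands in for whatever real share an organization would use.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample message for this example; it is not a real email.
SAMPLE_BODY = (
    "Hi team, the Q3 budget draft is at https://files.example.com/q3-budget.xlsx "
    "and the vendor portal login is http://vendor.example.net/login?ref=123. "
    "Please review by Friday."
)

# Matches http(s) URLs up to the next whitespace, angle bracket or quote.
URL_RE = re.compile(r'''\bhttps?://[^\s<>"']+''', re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?)"


@dataclass
class LinkVault:
    """Stand-in for the authenticated share the post proposes (hypothetical name).
    Links are keyed by an unguessable reference that is safe to quote in email."""
    links: dict = field(default_factory=dict)

    def deposit(self, url: str) -> str:
        ref = secrets.token_urlsafe(8)
        self.links[ref] = url
        return ref

    def retrieve(self, ref: str, authenticated: bool) -> str:
        # The vault, not the email, is where the user proves who they are.
        if not authenticated:
            raise PermissionError("sign in to the link vault first")
        return self.links[ref]


def quarantine_links(body: str, vault: LinkVault):
    """Strip every URL from an email body, park it in the vault, and leave a plain-text
    reference in its place. Returns the rewritten body and the list of references."""
    refs = []

    def _replace(match):
        url = match.group(0)
        trailing = ""
        # Sentence punctuation glued to the URL belongs to the prose, not the link.
        while url and url[-1] in TRAILING_PUNCT:
            trailing = url[-1] + trailing
            url = url[:-1]
        ref = vault.deposit(url)
        refs.append(ref)
        return f"[link removed; open reference {ref} in the link vault]{trailing}"

    return URL_RE.sub(_replace, body), refs


def contains_link(text: str) -> bool:
    """Gate check for the notification email: it must carry no clickable URL itself."""
    return URL_RE.search(text) is not None


if __name__ == "__main__":
    vault = LinkVault()
    cleaned, refs = quarantine_links(SAMPLE_BODY, vault)
    print(cleaned)
    for ref in refs:
        print(ref, "->", vault.retrieve(ref, authenticated=True))
```

The `contains_link` check is the part most easily forgotten: if the notification that tells the user "a link is waiting for you" contains a URL of its own, users are trained to click it, and the whole exercise is undone.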
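And for the "Brain-Token" proposal, an added example (again my own illustration, not the post's code) that generates the sticky-note half with a cryptographic random source, combines it with the memorized passphrase, stores and verifies it the way a directory should (salted PBKDF2, never the combined string), and shows the caveat above in code: given one account's sticky note and that account's full password, the shared passphrase falls out by simple slicing. The alphabet of letters and digits, the 12-character length and the 200,000 PBKDF2 rounds are assumptions for the example.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional, Tuple

# The post says "12-digit". Decimal digits alone give ~40 bits, so this example
# assumes letters and digits (~71 bits) for the sticky-note half.
TOKEN_ALPHABET = string.ascii_letters + string.digits
TOKEN_LENGTH = 12
PBKDF2_ROUNDS = 200_000  # assumed work factor for the example


def generate_token(length: int = TOKEN_LENGTH, alphabet: str = TOKEN_ALPHABET) -> str:
    """The random half that goes on the sticky note. Uses the CSPRNG, not random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing resistance of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def brain_token_password(passphrase: str, token: str, passphrase_first: bool = True) -> str:
    """Combine the memorized passphrase with the sticky-note token, in either order."""
    return passphrase + token if passphrase_first else token + passphrase


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What the directory stores: a salted PBKDF2 digest, never the combined password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def passphrase_from_leak(leaked_password: str, known_token: str,
                         passphrase_first: bool = True) -> Optional[str]:
    """Failure mode: an attacker holding one account's sticky note and that account's
    full password (phished, or captured in cleartext) recovers the shared passphrase
    by slicing. Every other account then rests on its sticky-note half alone."""
    if passphrase_first:
        if not leaked_password.endswith(known_token):
            return None
        return leaked_password[:-len(known_token)]
    if not leaked_password.startswith(known_token):
        return None
    return leaked_password[len(known_token):]


if __name__ == "__main__":
    token = generate_token()
    password = brain_token_password("correct horse", token)
    salt, digest = hash_password(password)
    print("sticky note :", token)
    print("token bits  :", round(entropy_bits(TOKEN_LENGTH, len(TOKEN_ALPHABET)), 1))
    print("verifies    :", verify_password(password, salt, digest))
    print("leak gives  :", passphrase_from_leak(password, token))
```

The entropy figures are the point of the character-set caution: `entropy_bits(12, 10)` is about 39.9 bits, `entropy_bits(12, 62)` about 71.5, and after a passphrase leak the second number is all that stands between an attacker and the remaining accounts.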
These ideas are not perfect, of course, and I hope to get some feedback about how to improve them and to learn of other amazing solutions to common scenarios that currently leave security administrators placing false hope in people ceasing to be people. Psychology is a well-researched science, and we can wield it to empower, to estimate positive outcomes realistically, and to overcome the challenges that predictable behaviors bring with them.