Recently I attended the Human Behavior Design course by Dr. BJ Fogg. One of my key take aways from the course is his Behavior Model and how it applies to security awareness training. By understanding this simple model (I highly recommend you take five minutes to check it out), you begin to understand why so many of our assumptions about awareness can fail. According to the model the key variables to changing behavior are Motivation and Ability, the greater you increase either variable the more likely you change a behavior. The problem is most security professionals are far more motivated to stay secure then people. Security is our job, it is our passion. That does not mean it is everyone else's. Combine this with how difficult security can be for others, you begin to understand why we may think changing a behavior would be so simple, yet it is so difficult for most. Take passwords for examples. I have read numerous posts from security professionals bemoaning users as being lazy, stupid or worse because they are not maintaining good password security. But let's look at this from the ordinary computer user's perspective. They do not live for security, they do not even want to think about security. They want to get on their daily lives (just like I do not want to have to think about maintenance for my car). So their motivation is much lower then ours, security is not their passion. But let's look at ability also. We make fun of people for not creating long, complex passwords and making sure they have a unique password for their 100+ accounts. But then we fail to show them how to do this. This is why we have to make strong passwords easy for people (two-step verification, biometrics, password managers, etc). Ultimately what I love about the Behavior Model is that it makes us security professionals stop asking what is wrong with users and makes us start asking what may be wrong with us or approach to security awareness.
