How companies can use language to engage staff and change risky security behaviors.
The Verizon Data Breach Investigation Report consistently points out that human beings are at the center of data breaches. To reduce the impact of the human element in cyberattacks, companies attempt to improve the security behavior of employees.
Security awareness training is the method behind attempts to reduce attacks through behavior modification. However, people continue to click malicious links, share passwords, and fall victim to Business Email Compromise scams. The elusive 'security culture' that security awareness training strives to create needs another level of 'culture' added.
I have been working for two years on a research project looking at how proverbs help to encourage cooperation in groups. This cooperation is precisely what companies need to build a cohesive security culture.
Proverbs persist in human language because they mean something to us and challenge our way of being. But, as the title of this article implies, proverbs could also hold the key to helping people prevent cyber threats. That is a bold statement, but bear with me.
People, proverbs, and cyber threats
People continue to be the focus of the cybercriminals’ attention, with research showing that 1 in 3 employees will click a malicious link in a phishing email. In the UK, for example, £1.2 billion ($1.5 billion) has been lost by consumers to fraudsters. Cybercriminals love phishing as it reaches deeply into an organization's heart and manipulates its people's behavior.
How people behave is a fascinating subject – it’s been an interest of mine for as long as I can remember. Working in the tech sector, I've come to realize that understanding human behavior is integral to the design of identity systems. Cybercriminals understand human behavior all too well – modern cybercriminals use the same tricks as their non-digital predecessors to manipulate behavior, simply adapting those tactics to a digital medium.
I’ve spent the last two years researching how people cooperate in groups. Normally, this type of research uses Game Theory, where experiments are carried out in a lab. Instead, I turned to 'nature's lab,' using proverbs to identify the frequency of various behaviors.
You may be asking why I chose proverbs to identify different behaviors. Proverbs have a deep history and wide cultural use. Their simplicity and metaphorical nature hide how important and powerful these pithy statements of wisdom are in cultural evolution.
The research drew proverb data from the most well-known proverbs in six countries (known as the 'paremiological minimum') and from an International Database of Proverb Types, the Matti Kuusi database. The isolated proverbs were then mapped against one or more of nine evolutionary behaviors. What I found made me realize that proverbs are powerful.
My research fits security awareness training because it concerns people and behavior. The behaviors the research focused on, listed below, include the types of behavior that cybercriminals exploit. Being able to manage the way people react to a specific trigger can help to protect people, too.
The proverbs used in the research offer a glimpse into how companies can use language to engage staff and change risky security behaviors. Proverbs can act as the cement of a human firewall and can be used to modify security behaviors so that our people can react to cyber scams and phishing effectively.
The evolutionary behaviors
The research focused on nine evolutionary behaviors (A to I map to the pie charts below):
- A: Cheat deterrence
- B: Honesty (exploited by cybercriminals)
- C: Tit for tat
- D: Tit for two tats
- E: Conformism (often used by cybercriminals)
- F: Reputation (often used by cybercriminals)
- G: Nepotism
- H: Pay it forward
- I: Altruistic punishment
These behaviors have been a focus of research in human evolution and the evolutionary dynamics of group cooperation. Each of the nine behaviors has been identified as playing some part in the development of mechanisms such as altruism, reciprocity, and cultural group selection (CGS, an important aspect of group cooperation).
CGS and prosociality (positive social behavior) are strongly correlated, according to a paper by Francois, P. et al. on intergroup competition and prosocial behavior in a business setting. The paper concluded that companies encouraging cooperative behavior and group norms were more successful. Research from people such as Maynard Smith, Trivers, Nowak, Tooby, and Cosmides, amongst many other luminaries in the field, has created a rich tapestry of knowledge around which behaviors form the basis for cooperation and adherence to social norms.
Social norms are the key to the lock in the security awareness door. Conformism is how social norms are enforced, no matter the social norm. Examples include answering a phone call with a "hello" and clapping to show appreciation after a performance. Times and events change social norms. For instance, during the COVID-19 pandemic, using the 'elbow bump' rather than shaking hands became a social norm.
Research has shown that group norm behavior is encouraged through actively promoting conformist behavior and is enforced through cheat deterrence and punishment of anti-social behavior. It turns out that “Honesty is the best policy,” especially to keep a group free of cheats and for that group to thrive. You can see how this can be extended to the behavior of staff in an organization – creating an environment of “One for all, and all for one” can be a way to build an effective human firewall and generate that all-important culture of security.
My research shows that specific behaviors (and their associated proverbs) occur at higher frequencies than others. What is particularly interesting about this, and what fits neatly with security awareness training, is that these three behaviors are:
- Cheat deterrence
- Honesty
- Conformism
Some examples of proverbs that fit the criteria for those three behaviors, and which you may recognize, are:
- Cheat deterrence: “Once a thief, always a thief”
- Honesty: “Honesty is the best policy”
- Conformism: “When in Rome, do as the Romans do"
How can we use proverbs in security awareness training?
Over the years, technology has become intimately woven into the fabric of our lives, and our behavior has adapted to use digital tools effectively. A simple example of the misuse of digital behavior is the use of dark patterns in UI/UX design to 'encourage' people down a preferred pathway to buy a product or use a service.
Techniques for steering people into doing your bidding can be used for both good and evil, as phishing emails attest. This brings us to how we can apply the pithy statements known as proverbs to security awareness training.
The first thing to note is that proverbs work; the persistence of proverbs across history and cultures is evidence of this. My own research shows that proverbs encourage certain behaviors that ensure healthy group habits – behaviors like honesty.
These same types of proverbs can be used to enhance human-centered security awareness training, incorporating them into interactive sessions with staff. Proverbs encourage employees to act in a particular manner, such as being aware of dishonesty or cheating behavior.
Social norms can be extended to include expected behavior when using emails and websites (digital norms). These digital norms can be enforced through conformism, using proverbs in training sessions to ensure that digital norm behavior sticks – proverbs are especially easy to remember.
You could make your own proverbs up or run a staff competition to create them. For example, you could ask staff to turn a well-known proverb into a security awareness proverb: "Don't upset the apple cart." This is about conforming to social norms and could be transformed into a security awareness proverb such as, "Think before you click."
Proverbs may seem trivial as we are so used to them when we watch movies or read books, but this widespread use belies the power of these pithy statements. When wielded well, the proverb can change behaviors that make people susceptible to behavior manipulation by cybercriminals.
You can view the full data set from my research here: Morrow, S. (2023): All for one and one for all: proverbs, prosociality, and the evolution of cultural norms. Durham University. (dataset). DOI.