Do You Care More about What Your People Know, or What they Do? Coming to grips with the knowledge-intention-behavior gap
Perry Carpenter
Author | Speaker | Podcast Host | Security Behavior Alchemist | GenAI Researcher | Deceptionologist | Folklore Enthusiast
Those of you who have been following the release of my book, Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us about Driving Secure Behaviors (https://www.amazon.com/Transformational-Security-Awareness-Neuroscientists-Storytellers/dp/1119566347) will have undoubtedly noticed me including this line over and over: “Do you care more about what your employees know, or what they do?”
That question flows from a concept that I call the knowledge-intention-behavior gap. Let’s take some time now to flesh out that concept. To do so, I’ve included an excerpt from the intro to Chapter 4: Behavior Management 101 for Security Awareness Leaders.
Enjoy:
--------------------- Excerpt from Chapter 4 ---------------------
Let’s start with a question that I asked back in Chapter 1: Do you care more about what your employees know, or what they do? When it comes to the security of our organizations, actions speak louder than words. And actions speak louder than mere head knowledge. After all, it doesn’t matter if your employees can verbally recite all the hallmarks of great password management if they never put that knowledge into practice. And even when your people read your flyers, posters, and newsletters on how to spot a phishing email and pass your phishing training module with flying colors, it’s all worthless if they fall for a phishing attack during the hustle and bustle of real life. Actions—not head knowledge—will determine whether your organization is breached.
As humans, we all struggle with behaviors. Our bodies sometimes just behave on autopilot, without consulting the logical/reasoning part of our minds. Think about times when an object—let’s say a pen—has started to roll off your desk and your arm seemed to quickly reach over and try to catch the pen before it falls to the floor, maybe even knocking over your coffee mug along the way and causing a bigger mess than if you did nothing. What happened? Many times, you didn’t consciously decide to try to catch the pen. Your mind quickly processed the situation and made the decision to intervene without consulting your logical self.
We are dealing with what I like to call the knowledge-intention-behavior gap. People may have the knowledge they need to make a wise decision, and they may even have the intention to make wise choices, but even the right knowledge and intentions don’t naturally translate to their associated and implied behaviors. Here’s an example of the knowledge-intention-behavior gap that I’m sure you can relate to. Each year many people make New Year’s resolutions. They want to lose weight, eat healthier, save more money, and so on. But the unfortunate truth is that most people don’t keep those resolutions even though they are new behaviors that the person wants to do and believes will be in their best interest. Of the people who make New Year’s resolutions, more than 27 percent give up within one week[PC1], and more give up each week following. Even more discouraging is that the success rates for people who keep their resolutions are also impacted by their age. Roughly 38 percent of people in their 20s are able to keep their resolution, but that number drops dramatically, to just 16.3 percent, for people older than 50[PC2]. This is significant. We’re talking about behaviors that people genuinely want and intend to embrace, but the pace of life, effort involved, and other factors work against the behavior, and the person falls back into their old patterns and habits.
When it comes to the human side of security, you must treat the knowledge-intention-behavior gap as a fundamental law of reality that affects any behavior that you hope to encourage or discourage. As security leaders, we need to stop expecting to make people more secure by simply exposing them to more information. Information will always have its place, but for a person to act on information, you must first somehow navigate them into a context where they are able to intentionally reason through the situation that they are in. That’s difficult.
Like instinctively grabbing for the pen falling from the table, most of the security-related actions your people take on a day-to-day basis are reactive, so they are not likely to stop and do the hard work of reasoning through their situation. Instead, your people will almost always do what is easiest, what is habitual, what is quickest, or what is most like what they’ve done in the past.
THE THREE REALITIES OF SECURITY AWARENESS
At the risk of over-repeating myself, I’m going to list three statements that I’ve written a number of times so far. Let’s call these the three realities of security awareness:
- Just because I’m aware doesn’t mean that I care.
- If you try to work against human nature, you will fail.
- What your people do is way more important than what they know.
Keep these in mind as you design your program.
This chapter is all about trying to work with the realities of human nature so that you can build secure behaviors. When you embrace behavior management as a central goal and methodology for your awareness program, you’ve stepped into the transformational zone. I’ll cover a lot of theory and different models for behavior and why people do the things they do. Heads-up: Don’t be surprised when you start thinking about how the principles of behavior management are useful not only within the security context but across multiple areas of your business and personal life.
--------------------- End of Excerpt ---------------------
I hope you enjoyed that snippet from the book. That was the intro for Chapter 4: Behavior Management 101 for Security Awareness Leaders. Let’s continue the discussion. If you like what you read, you can order Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us about Driving Secure Behaviors on Amazon (https://www.amazon.com/Transformational-Security-Awareness-Neuroscientists-Storytellers/dp/1119566347) or your favorite bookstore (https://wiley.com/buy/9781119566342).
I’ve also created a special LinkedIn group related to all things security awareness, behavior, and culture. You can request to join here: https://www.dhirubhai.net/groups/12207804.
-----------------------------------------
[PC1] New Year’s Resolution Statistics (https://www.statisticbrain.com/new-years-resolution-statistics/)
[PC2] Ibid.
Experienced Creative Designer/Director with Diverse Design Portfolio. Talks about #design #typography #fonts #training #bookcovers #bookdesign #securityawareness #cybersecurity #Apple #copyright
5 years ago: Great visual!
When my daughter's not dumping a tree load of snow on my head, my passion is helping business leaders make sense of cyber.
5 years ago: Hi Perry Carpenter, "not what we are after" is politely put. It is bad, and it's particularly frustrating when you see businesses continue to do the wrong thing because doing the right thing may make them look bad. Focusing on emotional intelligence may help with this, but it's not a short-term thing. In the meantime, sellers need to coach execs to the best solution and not just sell. Of course, do the challenger sale if you have credibility, but forcing an opposing view on an agreed course of action is likely to just entrench their viewpoint. I'll check out your book, Perry, as this area could do with a lot more discussion, to open communication and understanding.
When my daughter's not dumping a tree load of snow on my head, my passion is helping business leaders make sense of cyber.
5 years ago: What they know is, if they aren't seen to be doing something, they'll be in trouble. After all, something is better than nothing. Even if it's wrong. Right?