Should you train secure behaviours or teach awareness theory?

Security Awareness Behaviour or Theory?

Lots of teachers, not just security awareness professionals, wrestle with the decision to train a new behaviour with or without teaching the underlying theory. Should we just teach people to lock their workstations when they leave them, or try to convince them of why it is a good idea? When is teaching the behaviour more important than explaining the theory? When is theory more important?

These are complex questions that became very simple for me one day at the supermarket checkout.

“There is an unexpected item in the bagging area”

A number of years ago, a large supermarket in my city installed self-service checkout stations. You scan your items, bag them, and pay at a specialised checkout kiosk, all without assistance (except for a pre-recorded voice that steps you through the process). When someone knows how these work, they can be very speedy and efficient. When someone doesn’t, these kiosks can become a massive pain.

On one particular day, I was using a self-checkout station when I heard the automated voice of the machine beside mine telling an increasingly frustrated customer that he was using the machine incorrectly. He was obviously new to these types of machines. With only a handful of items to purchase, what should have been a very simple transaction was becoming a disaster.

After a moment of watching him, I realised what the problem was. First, the customer did not know English well, so the unhelpful automated instructions were especially unhelpful to this person. Second, after he scanned his item, he placed it in the bagging area, then leaned against the machine (and a little on the bagging area) to get closer to the screen. The leaning behaviour was repeated every time he scanned an item, and this is what was causing his problem.

The machine never explains that the bagging area is actually a scale that weighs what you place on it to determine if what you placed there is what you scanned. In fact, not a lot of people know this. So, I approached this man and simply told him that it was a scale and not to lean on it, hoping that this would help to make everything else make sense. But the language barrier was too great. Theory was not going to be possible.

What to do in this situation? Knowledge transfer was not an option. That left me trying to train a new behaviour in a frustrated stranger when the behaviour was only going to be needed for approximately 30 seconds.

Once more, with feeling!

With my warmest, most reassuring smile, I reset the machine, took his first item, and demonstrated a short, highly flourished sequence of behaviours to scan and bag the item. When the machine signalled success, I looked at him, and he had the most incredulous look on his face. Perhaps I used too much flourish…

He looked around at the other customers, who were not showing the same flourishes but were still successful, then back at me. Again, I flashed my smile and handed him his second item. He approached the machine and, bless him, he mimicked my every move, complete with flourishes (though not with my confidence). The machine signalled success. He was floored.

Then he stepped back, and I could see him picturing the sequence in his head. It dawned on him. He placed his hand on the bagging area, looked at me, and smiled. I smiled back and went on my way. Behind me, the machine kept signalling success.

We tend to prefer teaching theory

What kind of a student was this customer? He was:

  • intelligent
  • reasonable
  • motivated to succeed (he wanted to purchase something)
  • curious and daring (he chose to use these machines even though he had never used one)

This is the kind of student we all hope to have. But what do we do when we get this kind of student? We tend to think that we need to go straight to theory because they can handle it. Also, because theory is a LOT easier to teach and test.

We also might tend to reach for theory because we have experienced many people reject new behaviours and demand to know the underlying theories. They ask, “But why?” So, to counter the demands, and to lower the chances for conflict, we start with theory.

And, did I mention, theory is a LOT easier to teach and test?

Theory is abstract

The problem with theory is that it is abstract. By definition. Using abstraction in teaching requires that the learner is able to connect the abstract idea to something real. To do that, they need to already know how the theory can be applied in practice, consistently.

When you teach a kid how to tie their shoes, you do not explain the theories of the analysis of forces along the vectors of the laces, placed in overlapping opposition to each other, to ensure consistent tension along the length of the shoe, resulting in an optimal fit and a reduction in the chances of chafing (a result of friction) or the shoe falling off (a result of gravity). … did you get all that?

That’s waaay too much theory. Way too much abstracted information to give a mind that does not have experience in relating theory to practice. Even for an adult, even though all of it is true, and each fact applies to tying one’s shoes.

No, when you teach a kid to tie their shoes, you tell them to cinch the laces, and then tell them a story about some kind of woodland animal running around trees and into holes. Cultural choices may vary the details.

Theory is narrative

But wait! What does a woodland animal have to do with shoes or laces? Isn’t the story an abstraction?

Yes!

The story provides a guide for the lace tie-r to remember the steps and to successfully apply the behaviour. But so does the physics-based approach mentioned above.

The learner who successfully understood the physics theories would use those theories to construct a shoe-tying approach based on an analysis of forces, with each element of the theory providing guidance on what needed to happen. It’s a story with fewer woodland creatures, but a kind of a story, nonetheless.

Theory only affects behaviours when it provides an applicable narrative for the learner.

As we have seen, there are a lot of conditions in that statement. The theories need to:

  • be understood by the learner
  • be applicable by the learner
  • apply directly to the stages and actions of the behaviour
  • inform the learner when they face a decision point in a behaviour

If your teaching material does not do these things, then your material has a low chance of affecting behaviour. Most material only satisfies the first two points, and the first two points are the easiest and most often tested.

Your Turn

Do you spend most of your time explaining “why” but not tying those reasons to specific actions?

Do you calculate the risks, or quote statistics, or list what others in your industry do?

Does your phishing material talk about the “bad guys” but not exactly how hovering over a link defeats one of the biggest tools phishers use?

If so, then you need to review your material to see how to increase the applicability of your material to desired behaviours at different stages. Each theory has to have a very good reason to be communicated if it doesn’t tie to an action. Then, if it needs to be communicated, find a way to build it into a narrative for the behaviours and actions you want to see.

Instead of:

  • “This is policy”
  • “Phishing attempts have increased 20%”
  • “They want your login info”

Try:

  • “Locking our computers is something we all need to do, and if someone walks away from their computer without locking it, gently say, ‘remember to lock your computer’. We all want to help each other help secure the organization.”
  • “Phishing attempts are on the rise because they work. But not on you, not after this training!”
  • “They hope you won’t notice that the link is totally fake. But all it takes is for you to read the link.”

When behaviour? When theory?

Back to the frustrated customer.

The reason I think my training approach worked is because the behaviour highlighted staying away from the bagging area (with flourish). If he never gained insight into why the behaviour was working, even if his behaviour slowly degraded over time, just following the sequence of steps would help him. But the behaviour forced him to think about how this particular sequence of actions resulted in success. He, himself, developed the correct theory that touching the bagging area was bad and adjusted his behaviours to match his theory.

So, when should you choose to train a behaviour or teach a theory? If you need to choose one or the other, then you should train a behaviour if the learner cannot apply the abstraction of a theory, either due to a barrier on the learner’s side or due to the theory not being directly applicable as a narrative. You should teach the theory when the learner needs help with a narrative that guides their actions.

But as you can see, your greatest impact is leveraging both behaviour and theory to support each other: narrative, in context, directing actions.

For tips on how to overcome a learner’s barrier to applying a theory that is otherwise applicable, read my post here.
