“We absolutely nailed it! Folks are loving this!” exclaims Terry.
“Reporting rates have increased… incidents have gone down… people are really using strong passwords! Management couldn’t be happier,” chips in Janet.
Terry and Janet, both learning designers in the corporate world, are discussing their freshly launched security course, and how it has become an overnight sensation. They have every reason to be happy… learners and management have been singing its praises ever since it was ‘released’.
And why not? Terry and Janet have done their homework, diligently working with stakeholders to design a meaningful course. It is chock full of practice activities, and does a good job of both explaining the ‘how’, and convincing learners of the ‘why’. They have also spent considerable effort to ensure that it’s produced well, with all its associated bells and whistles, hence the learner love they are currently basking in.
Let’s fast forward a few months and see what happens. After all, the success of any initiative has to be measured by long-term adoption, and not just immediate outcomes, right?
Six months down the line, the number of security lapses has increased. Drastically. People seem to have reverted to their old ways.
Janet walks by a section of the office she rarely visits, and is dismayed to find passwords written on post-it notes stuck to computer screens. She calls up the IT department contact she was in touch with while developing the course, and he informs her that average password strength has dropped to ‘moderately weak’ from last month’s ‘reasonably strong’.
What just happened?
When the course was newly launched, it was so impactful that it motivated people to immediately go back and make their passwords stronger, and also to proactively look for any apparent lapses in security and report them. Hence the initial spike in the number of lapses being proactively reported, and the reduction in security incidents.
This continued for a while, until the effects of the course ‘wore off’. In the absence of a system of checks and balances to keep people exhibiting these behaviors, they slowly reverted to their older habits, purely because they lacked the motivation to continue. It was simply too much effort.
The course, in the form of a single event, was a humongous success in convincing people of the need for better security, and in providing them with the knowledge and skills for the purpose. Therefore, it was able to get people to demonstrate the desired behaviors. However, commitment faltered in the face of day-to-day work pressures, as happens when the priority assigned to something ‘non-trivial’ goes down. And since there was no ongoing campaign to convert the new behavior into a long-term habit, the initiative failed in the long run.
So, how does an organization ensure that newly learnt behaviors become sticky enough to turn into habits? Here are a few pointers we can keep in mind:
1. Get started
Experts advise that the first step to habit formation is to just get started. Terry and Janet have already achieved this with a well-designed, engaging course that targets the right behaviors. Employees were motivated enough to strengthen their passwords, and to voluntarily come forward and report what they thought were security lapses.
2. Provide constant reinforcement
This can be done using both intrinsic and extrinsic elements.
Intrinsically, people can be reminded at regular intervals of the need for better security, and how it indirectly impacts them as individuals, and the organization as a whole. Case studies, stories, quizzes, etc. can work well in this regard.
On an extrinsic note, employees can be rewarded for having the ‘strongest password of the month’ or for reporting the ‘highest number of lapses’.
All of this can be done online, offline, or as a combination of both; it should keep people motivated to continue the streak, and keep security at the top of their minds.
3. Use social proofing for validation
Identify secret ‘champions’ of security to further the cause, giving them specific tasks such as discreetly starting a conversation on security at the watercooler or on the company’s Intranet portal, or sharing a security incident in another company which led to major losses.
Establish an online system where employees can display a ‘Security’ badge, which their colleagues can vote for. The employee who gets the maximum votes will have the strongest badge, and so on.
4. Design the environment for stickiness
Make it impossible, or at least difficult, to have weak passwords. Design the system so that it rejects any password below a defined strength threshold. Display posters at every work area, or possibly on every desk, constantly reminding people of the need for better security.
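One way to build the “does not accept weak passwords” rule into the system itself, so that strength no longer depends on the learner remembering the course. This is an added example, not code from the original post; the denylist, thresholds and the hypothetical `check_password_policy` function are constructed for illustration, and a real deployment would back the denylist with a full breached-password list.

```python
import math
import re

# Constructed stand-in for a real common/breached-password denylist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2024"}
MIN_LENGTH = 12
MIN_ENTROPY_BITS = 40.0


def estimate_entropy_bits(password):
    """Rough upper-bound entropy: character-class pool size raised to the
    effective length. Repeated runs are collapsed so 'aaaaaaaa' is not
    credited with eight independent choices."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33
    if pool == 0:
        return 0.0
    collapsed = re.sub(r"(.)\1+", r"\1", password)
    return len(collapsed) * math.log2(pool)


def check_password_policy(password, user_name=""):
    """Enforce the policy at the point of change. Returns (accepted, reason)
    so the UI can explain the rejection instead of silently failing."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    lowered = password.lower()
    # Strip digits/symbols so 'Password1234' is caught as a dressed-up 'password'.
    base_word = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_PASSWORDS or base_word in COMMON_PASSWORDS:
        return False, "built on a common password"
    if user_name and user_name.lower() in lowered:
        return False, "contains the user name"
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        return False, "too predictable (low estimated entropy)"
    return True, "ok"
```

Wiring this check into the password-change path (and the provisioning path for new accounts) is what makes the design-for-stickiness point hold after the course’s motivational effect fades.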
Ultimately, while a well-designed course can achieve needed behavior change, for the change to sustain over a period of time, what we need is habit change.
What other factors can we consider for achieving habit change in the long run? I welcome your inputs.