At the Security Roundtable at the UKOUG Tech 2014, an important topic was how we can convince organizations to work on improving security. This is a continuation of the blogpost series “How can we sell security”. Only this third part grew so long, I had to break it up in parts.
In the last blogpost I’ve discussed how presentation techniques can help you to bring security in the spotlights. And if you followed all my advice in that blogpost, it was a lot of work, wasn’t it? How about we use psychology in our advantage this time? Hackers do it. They use social engineering to gain access to computers. Can we hack influence to improve security?
Well maybe we can. Robert Cialdini, professor at Arizona State University, did research on persuasion and marketing and found that people sometimes blindly follow certain patterns when “triggered” in a certain way. And he wrote about it, already in 1984, in a book called Influence., and this book is already in its 5th edition. Cialdini not only tells how you can influence people, but also tells how you get influenced. For that reason alone it’s a worthwhile read.
According to Cialdini there are six principles of gaining influence:
- Reciprocity. (We generally aim to return favors).
- Commitment and consistency. (People have a deep desire to be consistent. Once someone identifies with improving security, they tend to consistently keep doing so.)
- Social proof. (“If everybody does X, we can’t be left behind”)
- Liking. (We’re more influenced by people we like.)
- Authority. (“Gartner/the Queen/an Oracle ACE/a Nobel prize winner told so”)
- Scarcity. (If Amazon says there is only one item left, you’re more likely to buy.)
I’ve been thinking how these six principles could work in our favour. In this blogpost I discuss two of them. Are you ready to become a bit more manipulative?
Christmas is a great time for reciprocity. Maybe you’ve received a christmas card last christmas from people you didn’t send one. If you’ve felt the need to send a (belated) card back, you might have felt the need for reciprocity.
You could call reciprocity “tit for tat”, but it’s more complex than that. In research it has been shown that if people receive a gift, they can feel obliged to pay back this as were it a debt. There are many examples of this. Companies that send a generous amounts of free samples, often thrive because this triggers an indebtness factor in many people who received the samples.
At first I had a hard time to come up with a resounding way how this could work for improving security. There should be a gift that can’t be considered as just “part of your job description” and should correspond well with gaining approval for security improvements.
To the receiver it has to feel as a gift. If you helped your company by take the on-call shift for two months (good grief!), you might think that was a gift, but your manager might have thought it was business as usual. A cake might be a gift, but your boss might not see how that applies to security.
But a book might just be the gift you’re looking for. Buy your manager “Ghost in the Wires” by Kevin Mitnick (a great thriller based on real life) or “Little Brother” by Cory Doctorow (great fiction that is real enought to be true) to get them more in the hackers mentality. If Hare Krishna gain influence (funding) by giving away books, why shouldn’t you? Make sure it feels like a gift to them though and not a political statement.
(I’ve given copies of “Drive” by Daniel Pink for all managers at my previous employer. Ten copies of Drive at Amazon.com set me back 59 dollars, but if I can buy informed management with that – and with that a better place to work, it’s worth it to me. They also bought me dinner at UKOUG Tech 2014. It wasn’t why I did it, but hey).
Commitment and consistency
Imagine this scenario. You know your organization has security issues, but instead of arguing with your manager about approval, time and resources, you do none of that. Instead, you give him or her a badge or pin with a text on it, like “I support security improvements”. You say “You know, security is so important these days. So many companies get hacked and their data compromized. Would you wear this badge for two weeks to show your support for the good cause?”
That would change nothing to your cause, or would it? Well, you’d be surprised. Because research shows that committing to such a small and simple thing as wearing a badge, can easily lead to a self-image “I do support security improvements” (and I show it) and eventually to consistency: “If I’m someone who supports security improvements, I should support this project”.
Psychologists Jonathan Freedman and Scott Fraser have shown that this works. They went door to door to ask if people would allow a large billboard in their yard saying “DRIVE CAREFULLY”. As you can imagine, very few homeowners would allow such a thing: 17% to be precise. But of another group of homeowners a whopping 76% said “Yes”. How? Two weeks earlier they were asked if they would allow a small 7 cm sign that said “BE A CAREFULL DRIVER”. This request was so small and reasonable, that almost everyone agreed.
When I though about it, I was suddenly reminded of a campaign at my company, Rabobank, were they asked if you wanted to be photographed as “being a security officer”. Such a small request. Why not? Looks like our (real) security officers read Influence also?