Unless you’ve been living under a rock for the last ten years, you’ve probably heard Simon Sinek speak. His first Ted Talk on YouTube has almost 40 million views and he has authored four New York Times bestsellers, all with a simple message: “Start with Why.”
Simon Sinek argues great leaders inspire action by starting with “why”—the purpose, cause, reason or belief that inspires action. I would argue great security awareness training works the same way.
Unfortunately, most security awareness training focuses on the “what”; that is, “what” the learner needs to do to minimize the organization’s information security risk. At first glance, focusing on the “what” makes a lot of sense, as it’s the most efficient approach. After all, the training must explain the “what” in order to describe the actions (or inactions) we are asking the user to make.
My argument, which I think Simon Sinek would agree with, is that focusing on the “what” might be efficient, but it is not necessarily effective. That lack of effectiveness is a common complaint I hear from potential customers about their current Information security awareness training programs.
Here’s the problem: in the absence of “why” your employees can understand “what” you are asking them to do, but knowing that won’t change their behavior.
Sinek outlines the biological basis for this. In the human brain, the neocortex corresponds to the “what” and is responsible for rational and analytical thought. The limbic brain correlates with the “why” and is responsible for feelings like trust and loyalty, and also decision-making. You make a decision in the limbic brain based on “why” and then you rationalize that decision and execute it based on “what.”
From a security awareness training perspective, that basic understanding of the brain is why Pivot Point Security’s online cybersecurity awareness education program invests so much time explaining “why” through compelling stories and demonstrations. This makes our episodes a bit longer than some of our competitors’, but it also makes them more effective.
In terms of time spent, our approach may slightly reduce the efficiency of your security awareness training in the short-term. But it catalyzes the cognitive change necessary to significantly reduce the likelihood of security incidents, which is a longer-term, higher-value efficiency story that your management will want to hear.