Stop defaulting to training
Beautiful renegades, mavericks, and deviants,
Most security professionals (like you, dear reader) default to “training” and “education” when it comes to addressing the human side of cybersecurity. You might not even realize you’re doing it.
Except, if training on its own delivered fewer incidents, you’d be on a long lunch.
But it doesn’t. So you’re not.
Because training is not behavior change. Training without other interventions leads to poor results (and, maybe even worse, getting pigeonholed as “the awareness person”).
So, why this default? Well, it’s not because security peeps are idiots. Most just don’t know any better. Yet.
Training completions look tidy. But messy habits come back. And back… and back.
So does risk.
There’s so much more to your role than training and education. And there are plenty more interventions you can deploy with confidence.
Like systems that make the secure choice the easy choice. Or interventions that land in the moment. Every time.
To get you closer to that (I presume, well-deserved) lunch, I’ve listed a bunch of interventions you could use that aren’t training and education.
____________________________________________________________
👉 Read the guide: Types of interventions that change security behavior
____________________________________________________________
It’s practical, evidence-based, and draws on the Behavior Change Wheel, COM-B, the BCT taxonomy, persuasive design, human factors and the Fogg model, then translates each into examples you can embed in products, workflows, and comms.
TL;DR: You now have something of a behavior change field manual (not A.N. Other theory tour). All you need to do is take action.
I know you’re here to do more than raise awareness. Deep down, you probably know it too. Which means you can no longer accept the automatic default to “training” and “education”.
Others might take a bit of time to come round to the idea that you do more than this. But sod it. You’re here to reduce risk. And now you’ve got the map.
Just start here. And maybe share it with your CISO, too.
— Oz A
P.S. I love helping people break out of the “training and education” pigeonhole. If you want to talk it through, book time with me here. And if nudging’s your current focus, pair the guide with Nudging: The gentle art of persuasion.