How to
Jack Danahy
Aug 2015

How to Change Security Behavior: a Roadmap

Photo by Source


Photo by: Danielle Scott

An unending stream of publicly reported security breaches shows us that the number, impact, and victims of attacks are rising while the root causes are still the same weaknesses that have plagued organizations for decades: The most common targets are the users themselves, as they regularly compromise their own systems by opening malicious attachments and visiting corrupted websites, contracting malware that later spreads and corrupts all the machines it can touch.

This persistence of this weak link, in the face of so much public information and education about the threats, is clearly a warning.  It tells us that we need to step back and reformulate our security strategies, informed by two decades of missteps that we didn’t have when the Internet first came mainstream.  

In order to improve security, TechnologyCanthe changes we need to drive are behavioral, not just technical.  Technology can protect us in the short term, but we need to drive the acceptance and adoption of new habits and priorities that will have a longer and more holistic effect.  This type of change isn’t easy and is never fast.  It requires a committed and thoughtful approach that encourages more secure behaviors, which in turn requires leaders to become unstoppable engines of security change.

What follows is a process for leading organizations and users to change.  From reexamining security programs to re-educating users, this framework provides a model that will improve your likelihood of making a real, concrete, and visible difference in your organization’s security.

Phases of Behavioral Change: The Transtheoretical Model

Meet James Prochaska & Carlo DiClemente.  In 1983, they came up with what is known as the Transtheoretical Model (TTM).  The TTM describes the stages associated with creating intentional behavioral change.  They identified five different phases, each of which we can apply to security and its improvement.

We’ll use the TTM as a framework to think differently about security and the steps required to change your users’ and organization’s behavior.   We’ll start each section with the definitions provided by Prochaska and DiClemente (P&D) and we’ll transform those insights into actions.

Five Phases in Undertaking Intentional Behavioral Change


Phase 1: Precontemplation (“Why should I rethink security?”)

P&D say: “People in the Precontemplation stage do not intend to take action in the foreseeable future, usually measured as the next six months.  Being uninformed or under informed about the consequences of one’s behavior may cause a person to be in the Precontemplation stage.

This is the dangerous current state of most users and organizations.  Most think that someone else will handle security, that their actions have no real impact, or that the challenge of cyber security is intractable. To make things worse, many have been demotivated or disempowered by previous unsuccessful or unpleasant attempts to improve.

To change this, we need to establish two key messages in Phase 1:

  1. Security can be meaningfully improved with the right behaviors

  2. Users are the most critical security resource within the organization

A simple and engaging way to do this is to repurpose public reporting on security breaches, leading with a crisp assessment of the initial target in the event, including the simplest description of what went wrong.  It will most often be a system corrupted through a phishing attack or web-delivered malware, or a user being tricked into revealing some credential. It will become evident to the readers that even the most “sophisticated” breach usually begins with something simple and avoidable.  

A BecomeEvidentregular weekly message, populated with a limited number of links to news reports and consumable
external sources, will engage the interest, and the aspirations, of the organization.  There's always plenty of public fodder, and current event breaches will popular topics for conversation among the team, and a belief in an ability to avoid these mistakes will grow.

Phase 2 : Contemplation (Getting Ready)

P&D: “Contemplation is the stage in which people intend to change in the next six months. They are more aware of the pros of changing, but are also acutely aware of the cons.

Organizations and users resist the move to more secure practices because security is perceived as constraining or complicated.  Complexity and information overload causes new security technologies to become shelfware, and user education, usually an hour or a day of simplistic training, focused on rote messages about clicking and sharing.  

If you’re trying to galvanize security behavior in your organization, you have to paint a memorable picture of positive outcomes.  You told the organization that change was possible -- now you need to make it clear to them what that change looks like.


Here's some ways you can start:
  • Open communications on likely security changes, and work to surface  concerns or objections
  • Include mock-ups of future reporting and trending on expected improvements
  • Assemble a regular format and schedule for security communications.  
Getting ready should first illustrate interesting outputs before you begin detailing new policies, technologies, or requirements.

Preparation (Ready)

P&D: “Preparation is the stage in which people intend to take action in the immediate future, usually measured as the next month.

By now, the user wants to be better, and they know that their actions and activities will make things better.  Now it’s time to educate them about the specific tools, practices, and principles that will help them to be more secure.

FocusOnFirst, focus on their new actions, instead of hammering on things they can’t do.  As an example, It’s a good idea to create a process through which they can submit suspicious emails or processes, which makes them feel part of the security team.  Make it confidential if you sense that they will worry about being exposed.  Set up a mail list or wiki where they can post current events and lessons learned.  Establish positive rewards for those that participate and measures that will identify those that do not.

Then you can being educating them about any new policies or tooling.  New controls or constraints should first be introduced with a rationale based in things they can understand. If you start using whitelisting, first remind them about compromises from malicious websites.  If you are adopting two-factor authentication, share stories of stolen passwords and keyloggers. Getting ready means getting them ready to accept new security, not just yourself ready to deploy.

Action (Being Secure)

P&D: “Action is the stage in which people have made specific overt modifications in their lifestyles within the past six months.

At this point, if you have been listening to the organization’s responses and have taken the time to respond to their concerns about benefits and inconvenience, you should begin to see the products of your labor.  Having instituted reporting and communications programs in advance of actual implementation, the action of the users and the organization should be natural and organic.

ProvidingConsistentFor your part, it is here where and positive feedback will make or break this behavioral change.  As the organization see improvements and information, the cycle will begin to perpetuate itself until it becomes habituated, and you have truly changed the behaviors to those that you were looking for.

Maintenance (Staying Secure)

P&D: “Maintenance is the stage in which people have made specific overt modifications in their lifestyles and are working to prevent relapse.

While this constructive feedback loop will drive most of the momentum you need, like any engine there is a need for continued lubrication, care, and fuel.  New employees, new threats, new technologies, and new acquisitions are just a few examples of elements that can put a bump into the new behaviors.

Develop an introduction to the security culture (not that droning security training) for new additions to the organization.  Describe the purpose and expectations of the systems you have in place, and address any lapses with positive, value-based reasoning.

Security is always changing, and new threats may require new actions, so stay current.  Addressing a new type of threat can likely entail a new behavior, so apply these lessons again, in a more focused way, to add to the organizational security repertoire.

In Closing

As long as strong security is seen as an intractable goal and it is sufficient to adhere to a failing status quo, there’s no reason for organizations and individuals to change.  Turning this around requires real leaders, real engines of change, to own the aspiration that organizations can finally be more secure. Those that can inspire with this message and can conquer these challenges will create a visible and vital change that organizations desperately need.

Jack Danahy

Jack Danahy

Jack is a 25-year-veteran in the security industry. Prior to co-founding Barkly he was the founder and CEO of two successful security companies: Qiave Technologies, acquired by Watchguard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.