Information security officers and managers are constantly looking for ways to encourage colleagues to comply with security policies. The paper "Social Psychology and INFOSEC: Psycho-Social Factors in the Implementation of Information Security Policy" summarizes a number of principles from social psychology that can help practitioners in our work.
In the July/August 2009 issue of The Atlantic magazine, writer Bonnie Tsui has an interesting article entitled "Greening with Envy: How knowing your neighbor's electric bill can help to cut yours." The author summarizes research by Professor Robert Cialdini, PhD, who has specialized on ways of influencing behavior in the work force.
Tsui notes that Cialdini has studied the effects of telling subjects about the behavior of other people – neighbors, other guests in hotels – in trying to encourage prosocial behavior such as reducing electricity usage or reusing linens and towels in hotel rooms. Subjects informed of what others are doing – for example, through notes on electric bills comparing each household's consumption with the average of its neighborhood or by putting little signs in the hotel rooms telling guests that "the majority of guests 'in this room' had reused their towels" – were much more likely to conform to the desired behavior than those with simple admonitions devoid of social norms.
It seems that "When made aware of the social norm, subjects tended to adhere to it." Cialdini thinks that the pressure to conform is largely unconscious and calls it "social proof." Cialdini has a wealth of materials on his Web site about his work.
So how can we use social proof in our information security awareness programs? Here are some ideas:
• Post statistical information about the rate of compliance with various security measures where people can see the information; e.g., "The current rate of secure passwords at OurHappyCompany is 84% and rising!" or "The current use of Post-It™ Notes showing passwords and that are hidden around the workplace has dropped to only 22% this month."
• Use comparison statistics about compliance rates to encourage healthy competition among work groups; e.g., "The Gzornoplatz Management Team has achieved an average of 78% compliance with our screensaver timeout policy; your group's current compliance rate is 71%."
• Provide individual information to each user in a periodic report; e.g., "The average rate of piggybacking into secure areas of the buildings has fallen to only 13% this quarter; your rate of piggybacking, as measured by examination of our log files, is only 4% of all your entries: congratulations and thank you!"
• Have rotating messages appear about different applications; e.g., "The current rate of effective use of the CC and BCC lines in e-mail messages has risen to 47% of all e-mail messages with multiple recipients for this year according to the latest sampling by the Information Technology Help Desk Team. Your current statistic is 36%."
I'm sure that readers will have lots of ideas for how to apply Cialdini's research findings. I suggest that everyone pitch in using the comment feature of this column to share these ideas.
After all, 82% of all readers are cooperating with….