Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

MAD Security Blog April 10, 2013

Security Awareness Content: Challenges of Using Punishment

Punishment is evident in all aspects of our lives, in everything from getting drivers to stop speeding to getting the dog to not bark at the mailman. Because of this, it is no wonder that several go to punishment when wanting to change user behavior. While punishment is a very powerful tool that can produce almost immediate change in behavior, it is very hard to control and very hard to maintain. For these reasons, I rarely recommend using punishment when creating an effective security awareness architecture.

What is the most effective punishment?

Want to know how to reduce user behavior with almost 100% effectiveness? Deprive users of food, water, and/or sex. Go forth and develop content.

…

No? I didn’t think so. When making security awareness content, we as info sec professionals are not able to use the most effective punishers and therefore have to evaluate our user base to figure out what is the next best thing. This punishment has to be easy to implement and applicable across your entire user base. Furthermore, it has to be easy to maintain. Let’s say you have an issue with users not properly disposing of PII, so you decide to implement a termination policy for all instances of improperly handled or disposed of PII. While very effective (because it gets at the users’ ability to purchase food and water), it is not easy to maintain. You will either end up with a lot fewer employees REAL quick or you turn into the boy that cried wolf. Let’s say that instead of termination, you force the employee to click through a 10-slide PowerPoint outlining what PII is and how to properly dispose of it. That won’t work either, for the opposite reason: even though it’s easy to maintain, its effectiveness as a punisher will wear off drastically. Think of this similarly to getting desensitized to a pop-up notification. It is for this reason that choosing a contingency is often one of the hardest parts of using punishment in a content plan.

Indirectly punishing behaviors

Imagine that your organization has a major problem with users losing mobile devices, laptops, and tablets. A loss is reported at least once every two weeks and each lost device exposes your organization to a data breach of some highly sensitive information (e.g., customer credit card information). In an effort to reduce this behavior, and keep your organization out of the news, you inflict a $100 penalty for loss of a phone, $300 for tablets, and $500 for a laptop. You see an immediate drop in device loss, but after a few months some other patterns start to emerge. First, calls to report anything to the security team significantly reduce. This includes reports about phishing attacks and suspicious computer behavior. Second, when a device is lost, users are taking an average of 2 weeks to inform the security team. In the past, lost devices were reported within 24 hours. Both of these present a major problem to your organization and are the unfortunate side effect of a poorly used punishment. This example demonstrates how, even though a punishment is inflicted upon a specific behavior, it does not guarantee that the effect will be isolated. The plan was to reduce loss of devices, but users were also being deterred from reporting the loss as well as calling the security team at all.

While major, these two topics are just a few in a long list of reasons why using punishment to change user behavior is difficult to do. To be effective, a large amount of control is needed; otherwise you can create more problems than you started with.

Filed Under: Behavior, Behavior Change, learning, Metrics, Motivation, Phishing, Security, Security Awareness, triggers

MAD Security Blog April 4, 2013

Security Awareness Content: Challenges of Using Reinforcement

Imagine that you are the head of security awareness at an organization (not a stretch for some) and have been charged with getting people to report issues to the help desk. You decide, in your infinite wisdom, to encourage them to report issues to the help desk by giving them $1 each time they report a valid problem. The week after implementing the new reward program, the number of issues reported to the help desk has increased 100-fold. Your program is getting great results. Not only are 99% of phishing attacks getting reported, but shoulder surfing is down, you know when devices are lost, and compromised computers are being reported to the help desk rather than being discovered by them. Things are coming up roses.

See any problems here?

Of course you do! The budget for this program is going to be INSANE! No practical business will support paying $1 for each ticket at the help desk for any longer than 6 months, MAX. This leads into the second, and biggest, problem with using reinforcement. If the only reason that users are reporting issues is because of a reward, the minute that the reward is removed the desired behavior plummets. Unless you can replace the reward with something of equal subjective value, their incentive is gone and the trained behavior is lost.

*Finding something of equal subjective value to cash on a large scale is damn near impossible. I only say ‘damn near’ because I’m sure there is some magical place out there that can do it but I’ve never come across it.*

Finally, let’s say that instead of $1 you gave them a free lunch, because your users really like lunch. How long will that be an effective reward? My guess is that after about a month of free lunches have been accrued the value of the reward will go down dramatically and so will your behavior. Suddenly, you have to switch the reward to something else of equal subjective value to keep them responding.

Vicious cycle anyone?

How to Use Reinforcement to Your Advantage

As you can see, reinforcement is a tricky thing, but when can we use it to change behavior?

Let’s go back to the help desk problem. Instead of paying for each help desk ticket, indefinitely, you make it a charity fundraiser for the holiday.

“Every time you call the help desk, $1 will be donated to buy gifts for families in need. Weekly progress will be reported!”

Some of you might look at this and say “even if we had the budget for that, we still have the same problem of removing the reward and losing the behavior once the fundraiser was over” but consider two very important differences.

1-    The reinforcement has a clearly defined ‘end point’ that has nothing to do with the user, the company, or their behavior but is a product of the reward. The gifts have to be bought at some point otherwise the fundraiser was pointless. Essentially you are isolating the reinforcement contingency and increasing your chances of the behavior persisting after.

- Not to mention periodic fundraisers to increase behavior, if needed, are MUCH more sustainable to the budget than constant reinforcement.

2-    The second and most important is how closely the reinforcement (e.g., $1) and behavior are paired. In our first example, the employee saw the DIRECT effect of calling the help desk on their paycheck; therefore it was very closely paired to their behavior.

Just like if Pavlov’s dogs were fed EVERY time the research assistant came in.

The minute that the user realized the reinforcement was removed, the behavior that followed stopped (i.e., calling the help desk).

Back to Pavlov: The dogs would eventually stop salivating once they knew that the assistants were never going to feed them.

In our second example, the users see the money increase but it is NOT directly related to each time they call the help desk. Instead it goes into an anonymous pool that may jump $100 a week even if they just called the help desk once. Since the reinforcement is not closely tied to each behavior they perform, the chances of the behavior persisting after the reinforcement is removed increase significantly.

*For a more detailed look at this process see my previous blog on Pavlov and his dogs.

Based on all of this, be careful when using reinforcement. While it may provide an immediate result, it’s something that needs budget and time to maintain. If used wrong, you will just be setting yourself up for an uphill battle.

Filed Under: Behavior, Behavior Change, culture, learning, Metrics, Motivation, Phishing, Security, Security Awareness

Persuasive Blog March 6, 2013

How to Build Rapport with Anyone

Quick – off the top of your head, what’s one of the most valuable sales and business skills that anyone can possess?

Let me give you a hint…  It’s not negotiation, it’s not copywriting and it’s not networking.  In fact, it’s the ability to build rapport with everybody you encounter!

When you’re able to build rapport with a diverse range of people, you improve your ability to form the relationships needed to advance both your personal and professional life.  Whether you’re petitioning your boss for a promotion or trying to convince a new senior-level buyer to purchase your company’s product, being able to develop rapport immediately gives you the edge needed to get things done.

But if forming person-to-person connections doesn’t come naturally to you, don’t worry!  The following steps to building rapport with anyone are easy to implement and can quickly make a major difference in the way you interact with new people:

Step #1 – Mirror your subject’s body language

One of the most important contributing factors to rapport is your body language – and one of the most important things you can do to build rapport using this tool is to mirror your subject’s posture and gestures.

This is important for two reasons.  First, mirroring body language creates an unspoken level of comfort between you and your subject.  When we see ourselves in the people we’re talking to, we naturally feel more at ease – making this technique a powerful way to minimize barriers that would otherwise threaten to derail your conversation.

At the same time, keep in mind that we all have nervous physical habits that manifest themselves whenever we’re uncomfortable.  This could include things like constant leg tapping or tightly crossed arms – whatever your case may be, these behaviors telegraph your lack of confidence, diminishing the rapport you hold with your partner.

By mirroring your subject’s body language, you’ll be able to prevent these behaviors on your part.  Just be careful to not mirror your subject’s own nervous habits!

Step #2 – Match your subject’s vocal tone and pacing

Next up, focus on your voice in order to build rapport with your subject.  Again, we tend to respond more favorably to the people who look and sound like we do, so any of the following techniques could come in handy when it comes to forming new relationships:

  • Match the tone your subject is using – Is your subject speaking loudly or softly?  Does he tend to speak from his diaphragm or his nasal passages?  Are his sentences spoken in a way that sounds authoritative or unconfident?  While it’s important that you avoid coming across as condescending, allowing some of these vocal qualities to filter into your own speech is a great way to build rapport.
  • Match your subject’s vocal pacing – Listen also to whether your subject is speaking slowly or rapidly.  Though many people tend to think of vocal speed as something natural that can’t be controlled, it is possible to modulate your voice in order to better match your subject’s.
  • Match accents carefully – One advanced rapport-building technique is to allow some of your subject’s accent to slip into your own speech (whenever his native accent is different from your own).  Although it’s tough to do so without appearing to mock your conversation partner, mimicking this vocal element in a subtle way can build a major bridge of rapport between you.

Step #3 – Repeat and affirm

Aside from the ways in which you can manipulate your own physical and vocal performance, one simple technique for building rapport is to simply repeat and affirm the things your subject says to you in conversation.  As an example, consider the following conversation:

Subject: “So, you’re telling me that you need to raise your rates?  That’s unacceptable – it’s been a tough year for my company and we don’t have the extra budget for this.”

You: “Subject, I know it’s been a tough year for your company and that budgets are tight.  I completely understand, but I hope you can see that…”

In this example, you could have just as easily responded to the subject with a careless, “It doesn’t matter what your budgets are like – our rates are going up.”  However, by taking the time to repeat and affirm the subject’s concerns, you’re building rapport that could go a long way towards helping the two of you resolve the situation successfully.

Step #4 – Assume rapport from the start

Finally, be aware that one of the biggest inhibitors to building rapport is the discomfort experienced upon meeting and interacting with new people.  And really, it’s natural to be afraid of saying the wrong thing or looking stupid in front of a new contact.

But here’s the thing…  Everybody feels that way!  It’s not that you’re the least confident person in the world – just about everybody in the world goes through the same type of social anxiety at various points throughout their lives.

So if everyone else feels as nervous as you do in social situations, one simple solution is to assume rapport from the start.  Treat everyone you speak to as if you were already close friends – effectively negating the discomfort that many people feel when interacting with new people.  With practice, you’ll find that assuming this level of rapport puts people at ease and makes implementing the steps described above feel much more natural and much less like an uncomfortably foreign process you’re working towards artificially.

Any other recommendations on how to build rapport with the people you encounter in your personal and professional lives?  Share your tips in the comments section below!

Filed Under: Behavior
