Everyday it seems that we receive more news about another loss due to a data breach. The reasons are many and the impact ranges from the 1 billion+ Yahoo! Accounts that are costing the company’s new owners $50 million to settle the related lawsuits, to the man who recently had his $650 World Series ticket stolen after he posted a picture of it on Instagram.
Whenever anyone asks me for recommendations on how to make cybersecurity awareness and information stick with their employees and colleagues and bring about real behavioral change, I tell them about my PERMAnent theory.
Full confession: Before I started working in the IT and Cybersecurity space, I spent over a decade as an educator. My background in educational pedagogy has helped to shape my approach to engaging and informing those around me. So, my PERMAnent theory is one that I developed as a teacher and brought with me when I started working in this arena. I use it for engagements with my direct reports and colleagues. I have found it works well in all manners of learning opportunities.
The key foundation to PERMAnent is that the bulk of the responsibility lies with you, not the other person. You must offer these opportunities in order for the other party to have success. All aspects of the theory are equally important and necessary. Skipping any of these can result in gaps which leave the person vulnerable to failure, something you never want to do in any setting.
Let’s take a quick look at each of the steps through the lens of cybersecurity awareness.
Plan – As Antoine de Saint-Exupéry once stated, “A goal without a plan is just a wish.” If your goal is for your employees to not fall victim to cybersecurity attacks, then you must have a plan for how you are going to facilitate that happening. Your plan must include how to make the goal one that is shared, as well as how the remaining steps will be addressed to reach the goal. It is also vital that this planning be long term. The cyber world is one that is in constant flux, so a “one and done” approach will only buy you a short-term, temporary gain.
Educate – If you want people to do the right thing, you must first tell them what the right thing is. Spotting a cyber attack, properly responding to an attack or understanding your company’s policies around cybersecurity are a posteriori knowledge – no one is born with it. You must take every opportunity to teach users the information that is critical for the success of your shared goal. You must also take into account that (1) few people learn information the first time they are exposed to it and (2) people have different learning styles. Do not be afraid to offer the same information in different formats. The employee who does not learn when they hear it may be very successful when they see it or experience it.
Reinforce/Rehearse – With this step, you must choose the option that is applicable to your situation. If you are dealing with knowledge, you must reinforce. If you are dealing with actions, you must rehearse. This is the difference between offering your employees monthly reminders of policies or a newsletter (reinforce) versus completing simulations for phishing awareness or running incident response drills (rehearse). In a strong cybersecurity program, both of these are used on a regular basis.
Model – YOU are a critical factor for the success for your organization’s cybersecurity training. You cannot have the mindset of “do as I say, not as I do” in cybersecurity. Employees look to their leaders and respected colleagues to determine how to respond. Your behavior in relation to cybersecurity will have a direct impact on your employees’ success in meeting your shared goal. You do not want your employees quoting Ralph Waldo Emerson at you: “What you do speaks so loudly I cannot hear what you are saying.”
Affirm – In sports, when our favorite team scores, we all celebrate. The same is true for the successful reaching of other goals, including an improved cybersecurity stance for your organization. If you want good behavior to continue, you must acknowledge, praise and reward it. Your employees should hear what they are doing right more than what they are doing wrong.
As much as we want to act as if our employees are as easily programmable as the technology they use, they are not. To change behavior, we must invest, engage, repeat. It is that simple.