Is Security Awareness really about behaviour change?
I am going to start by being bold, I need to get this off my chest. People have heard me say this, but I think I need to say it in a way to be clearer.
As a person in Security Awareness, I am not trying to change behaviour. I am not trying to change people.
We talk about the need to have empathy in security awareness and the field of security, yet we still use terms like changing behaviour. But to have empathy isn’t based in the idea of changing people. You have to meet people where they are at, see them and their lived experiences and be able to put yourself in their position to be considerate of their needs.
If we are advocating for empathy why is everything, I read in this space always about changing behaviour. Like I am the puppet master to get people to change. When we know, that isn’t what we do, it isn’t what we achieve. If we do, it’s by chance of other things influencing the overall context a person works in.
But we give the impression in Security Awareness that behaviour change is the key. Is it though? and why do we feel we need to change people and what do we mean by that? Because i think we give people the wrong impression. We make a rod for our own backs.
We don’t work in a silo; awareness is a lot about negotiating time and energy from people to hopefully help them learn and use their knowledge. It is the reason awareness is hard and misunderstood.
We forget, maybe even overruled by others, but at the end of the day what we really want is to help and support people. Allow them to take the more secure route.
So how do we build more conscious systems, where instead of focusing on metrics of change that we focus on what is needed. Is information accessible, is it readable, does it translate into what people can really do? If we aren’t creating systems that allow people to feel safe, secure and capable then people will always struggle.
People are constantly making decisions, the security knowledge we give them needs to aid them, not change them. But to make security more approachable is not a sexy term that can be thrown around like behaviour change.
So, I don’t want to change behaviour. I believe most people try their best; they will do what they can when they can.
Until we want to see people and the landscape that they work, consider how we fit into their world, will we ever move forward? We need to see people first and I just don’t believe we see people because we are so focused on changing them.