The subject of habit has become popular in recent years: Stanford’s B.J. Fogg, Charles Duhigg (The Power of Habit), and Chip and Dan Heath (Switch) are just a few of those tackling the subject of behavior change. But it turns out there there really is nothing new under the sun: Aristotle, way back in 350 BC, beat them all to the punch when he said, “We are what we habitually do. Excellence, then, is not an act but a habit.”
Aristotle, ever the pragmatist, preferred, in contrast to his mentor Plato, the empirical approach to things—and with an emphasis on particulars. And he certainly understood the power of particular habits when it came to behavior change. This, therefore, makes him an excellent guide in the development of good work habits (security awareness habits in our case) — habits that can help bring behavior change that in turn lead to organizational excellence and a strong security culture. And that’s what we’re after.
So how do we go about it? Is achieving excellence in security awareness simply a matter of presenting information in an annual PowerPoint and hoping it leads to sustainable behavior change? No, not even close. We already know that new knowledge, while obviously necessary, is also insufficient on its own to generate behavior change that lasts, let alone become part of the culture. Simply knowing something isn’t enough to cause change. For that to happen, people have to feel something. They have to be motivated. They have to understand and connect with the importance of achieving the goal. And then they have to practice it. Aristotle knew all that. In fact, he left us with three easy steps for creating true and lasting behavior change:
1. FRAME IT
Getting to the nub of things was a big deal to Aristotle. You know Occam’s razor—the idea that the simplest explanation is the most likely one? He stole that from Aristotle. It turns out that keeping things simple is actually the key to proper framing. And you keep things simple by shrinking them. The Heath brothers, in their insightful behavior change book Switch, say of this vital step, “Don’t think big picture; think in terms of specific behaviors.” In other words, frame a series of smaller pictures. B.J. Fogg is onboard with this idea, as well. He advises translating big target outcomes (a security aware culture, for example) into small—even tiny—behaviors (e.g., creating strong passwords). Making change small, safe, and do-able makes change easy. It’s just the way the brain works. So while the big objective is a change in favor of security-aware behaviors (and not simply awareness), making that behavior stick requires framing the objective one small, particular habit at a time.
2. SHAPE IT
When it comes to security awareness training, you’ve not only got to deliver learning, but a bit of unlearning, too. To these ends, Aristotle knew that in order to produce “good and virtuous citizens for the polis” he needed to foster proper habit formation—and habit breaking, too—in his very systematic approach to teaching. He emphasized that virtue is practical (the virtue in our case being security awareness), and that the purpose of ethics (security-minded behaviors) is to become good (competent in the ways of security and privacy), not merely to know. And again, he knew that in order to bring about the big objective (a security-aware culture), he had to build step by step the small behaviors that would ultimately lead to the desired outcome.
Central to effective training is engaging learners in ways that they will appreciate as relevant, practical, and worthwhile—even within the narrow contexts of their specific job functions. When designed this way, the training is actually self-motivating. And when the training also taps into their personal and professional motivations, learners really buy in. Good training is, therefore, embedded with both cognitive and emotional messages. But good training is also modular, meaning it’s able to focus on those very particular “small” behaviors you seek to transmute into lasting habits.
3. SUPPORT IT
While good training is an essential component of a security awareness program, it’s rarely sufficient on its own to bring about real behavior change. After all, simply passing a test does not automatically translate into good security practices. The fact is security-aware behaviors must be developed and fostered, not merely taught. And that takes practice and persistence. This is why Aristotle relied upon repetition as a key to developing good habits. Change is not a static event, but a continuous process of building—and sustaining—excellence. The ongoing reinforcement phase is crucial to sustaining the change.
There’s one other vital aspect in ensuring the success of your behavior change initiative. Programs like these often fail because of a lack of executive and environmental support. The leadership of the organization must not only endorse the desired behavior, but model it, too. (As Aristotle said, “He who has never learned to obey cannot be a good commander.”) The Heath brothers call this the “Grow Your People” phase, and it’s where top executives can do much to cultivate that essential sense of common cause and direction. Only then can you begin to bring about a culture of security awareness. “Change is easier,” the Heaths say, “when you know where you’re going and why it’s worth it.” And it most certainly is worth it.
Want to learn more about what makes great security awareness training and reinforcement? Check out our free eBook, 3 Steps to Awareness Success, or our white paper, Zero Information Loss: A Keystone Habit to Drive Business Success. They may not be entirely Aristotelian, but they will definitely help your organization develop good, virtuous, and security-aware citizens.
Image Credit: A. Dagli Orti/© DeA Picture Library