Information Security, Lizards, and Elephants

Real information security begins when employees make security-aware decisions with their lizard brain.

Achieving security awareness is really about the art and science of behavior modification—turning mindless habits into mindfulness. And, as you might expect, mindfulness begins with … the mind.
Today we’re entering a golden age of neurology, and its many developments are not lost on heads-up corporate executives seeking to advance their market positions. In fact, the wealth of new insights about human behavior has launched entirely new fields, including neuro-economics and even neuro-marketing! So why not neuro-security? The idea here is that if we can understand the workings of the human brain in the context of information security, then it follows that we can change, improve, or otherwise shape habits, practices, and other behaviors to more effectively achieve the organization’s security goals. So if there was ever a time to get one’s brain wrapped around the concept of cognitive neuroscience, it is now.
Simon Sinek, in his book, Start with Why, draws fascinating correlations between the what, how, and why of human behavior and the respective areas of the brain that control them. As it turns out, decision-making and the ability to explain those decisions exist in different parts of the brain: there’s the neocortex, the home of conscious thought, and the “limbic brain”—aka the “lizard brain”—where our so-called “gut decisions” come from. “Don’t click on that link,” says the lizard. “It feels fishy.”
Of course rational information is also important, but decisions and their resulting behaviors really start with why—the emotional, limbic-based component of the decision. Absent that why, a decision is simply harder to make. Sinek explains, “The failure to communicate the motivating why only produces stress and doubt. With no clear understanding of why, the initiative—and the opportunity—flounders.” And that is why addressing motivation is so essential in adult learning, and why this aspect is baked into all our security awareness courses.
Julie Dirksen, in her book, Design for How People Learn, likens the two aspects of the brain to the elephant (the limbic brain) and its rider (the neocortex). “If you want to get and maintain your learners’ attention,” she writes, “you need to talk to the automatic, emotional, visceral brain [the elephant] as well as the conscious, verbal, thinking brain [the rider.]” Respecting both is essential to fostering and cultivating motivation—and producing the behavior change you’re after.
That all this neurology dovetails so neatly with the principles of adult learning means you now have at your disposal the tools to marshal the levels of employee motivation you need to succeed. This matters because good security awareness training addresses not only the what, but the all-important why. The behavior changes that result play out both inside and outside the walls of your organization. When applied inside, they change the culture. When those cultural values are manifested on the outside, they change the way your customers think of you. Because information is the engine of business—and ultimately what differentiates your company, products, and culture—making it truly secure via the security-aware attitudes and behaviors of all your people just makes good business sense. And that’s something to think about.
Image Credit: Jagdeep Rajput
