
Behavior Change Marketing and Cyber Security

Behavior change marketing isn't new. And it's been in use for just about forever. We see its use for traditional marketing everywhere. It's time to use it internally to drive positive cybersecurity behavior.

Why are some marketing campaigns so compelling?

Behavior change marketing borrows from the tenets of psychology, sociology, and communications theory to develop strategies for convincing target audiences not only to change their minds, but also to change their behavior.

That sounds like something we should be leveraging, right?

This is not new. In fact, you probably exhibit behavior that is a direct result of behavior change marketing. Singing Happy Birthday as you help your child wash their hands or picturing the gruesome images of smokers' lungs when you see someone smoking are examples of successful behavior change marketing campaigns led by the CDC.

How can we leverage this to influence positive security culture?

In 2011, three researchers, Susan Michie, Maartje M van Stralen and Robert West, set out to determine what drives behavioral change. Their results aren't too surprising.

Three primary components drive behavioral change: motivation, capability, and opportunity.

Opportunity is an external factor. In our case, cyber security needs to provide the opportunity for positive security behavior. Think tools, technology, and processes. There is no shortage of these in cyber security.

Motivation and capability are internal factors. This is where behavior change marketing comes into play.

We need to motivate and educate through marketing.

What comes to mind are newsletters, emails, splash pages, etc. However, we need to go further than that. Those digital marketing items must be compelling and thought-provoking to influence positive change.

To get started, you must understand what already motivates your target audience.

Use that as your foundation. The message should start by framing the positive consequences of the proposed behavior. Then, it should identify the negative consequences of discouraged behavior. The negative consequences should identify associated risks directly applicable to your target audience. Think back to our foundation.

Rewarding positive change is equally important. There is no end to resources debating how to motivate employees to do good work. However, there does seem to be a general consensus.

Making employees feel good about their work by recognizing their contributions in a specific, meaningful way is generally more impactful than cutting them an extra few percent on their annual bonus.

Challenge coins, public recognition, and verbal appreciation in private are all ways to reward positive security behavior.

This is a fun story from a previous employer. We had started a challenge coin program. They were custom challenge coins that we handed out for positive security behavior. The coins were slowly gaining popularity as we handed them out. At one point, there was a team that wanted the challenge coins. After a big red team operation involving infrastructure that this team maintained, the team worked endlessly to resolve numerous issues and push new features to remediate the identified risk.

This was an understaffed team that ended up working long hours. This wasn't required, and no one asked them to work overtime. But they did. The prestige of getting an Offensive Security Challenge Coin drove them to go the extra mile.

I don't encourage working unhealthy hours, but this was a perfect example of rewarding positive security behavior and a positive marketing campaign.

A common theme here is marketing. Your red team report is marketing, your penetration test report is marketing, and your compliance report is marketing.

Let's discuss red team reports. The audience for a red team report is generally the blue team. Ask your blue team for their favorite threat intel reports and malware analysis blogs. Chances are, those reports and infographics are in a format you should start using.

Let's take an example. Say you just wrapped up a red team operation. You used a novel technique that isn't widely known. You place all the details in a standard report and attach an Excel spreadsheet with the IOCs.

This works, but the blue team must switch from their regular programming to parse your deliverables.

Let's say you do all those things but give them an infographic in the same format their threat intel reports use. Now you're speaking their language, and they are likely less resistant to implementing your suggestions. That's marketing.

To recap, everyone in cyber security should think in terms of marketing. Ask yourself, who is my audience, and why is this compelling to them? If it's not, then make it compelling.

Additional Reading:

How to build an effective red team
Brianna Malcolmson has a fantastic blog post on behavior change marketing, specifically for red teams. You should read it.

Motivating Employees Is Not About Carrots or Sticks
General article on motivating employees.

The behaviour change wheel: A new method for characterising and designing behaviour change interventions - Implementation Science
The research article for the three components that drive behavior change.