Mental Models: Understanding how people think will help you create a better security program

Kai Roer
Security culture and other ramblings
May 1, 2013

My take on security awareness training is not exactly a secret. One reason is that my company specializes in helping organizations create effective security culture programs. More important is my deep interest in the human mind and human interaction.

I am going to share with you some of the techniques we apply when we communicate security awareness and security culture, and how the human mind interacts and intersects with security. This first post will look into mental models. Later posts will discuss personality types, how to communicate with different types, and how to design a complete security culture program for success.

Mental models
According to scientists like Daniel Kahneman, our brain comes with different modes of operation. One requires a large amount of energy, is slow and inefficient, and is usually quite accurate; another is fast, efficient and — flawed!

If we accept this idea, we can think of our brain as a child’s sorting box — the box where you have different holes which match different shapes. Your quick brain takes the input (what you read, hear, see, smell and so forth) and tries to match it to an existing pattern. It’s like the child picking up a piece and trying out different holes in the box until it finds one that fits.

When a matching model is found, your brain reports back to you “Job’s done!”, releases some “feel good” drugs, and moves on.

This method is very efficient, and it allows you to quickly digest large amounts of data and deliver the results you are expected to.

It is, however, not without flaws.

One drawback of this method is that the number of models in your brain matters. If you do not have the right model in your mind (i.e. you have not yet learned it), your brain is likely to try to fit the input into one of the existing models, just like a toddler trying to fit a square into the circular hole in the sorting box. Sometimes that square fits in that round hole too — and the toddler is happy. Your brain acts the same way — if your input matches a model, it stops searching for a better match. This may be you, jumping to conclusions.

Another approach your brain uses if it is not able to find a matching model is to just dismiss that information. “If I can’t understand this information, it simply does not matter,” it tells itself, forgets about the information and continues to save energy. This may be you, not believing what you read.

More importantly, most of the people we security people interact with lack the same mental models we use when communicating with them. Since they do not understand us, they are not able to relate to our message in a way that makes sense to them, and their blanks go down. You’ve seen this, I’ve seen this.

Does this mean we should stop teaching them? Does this mean that security awareness training is a lost cause? Of course not. It simply means you must be:

Helping people “get” you

Understanding and accepting that your brain uses mental models may help you make more sense of other people, and of yourself.

If we accept the premise that mental models matter, we can start introducing new mental models to our co-workers. We can also adapt our message to their existing mental models. The first step is for you to realize that your co-workers’ mental models differ from your own. Next, start learning as much as you can about their models, and finally adapt your message so that they understand it.

Being stubborn

If you prefer not to learn about your co-workers, and continue to force them to adapt to your message, you are less likely to succeed. You will continue to complain that training is not working.

The funny thing is that the more you complain, the more you reinforce your own mental models. And guess what? Your brain starts to filter out anything that may prove you wrong!

So even if I can show you training programs that work, you will not believe it.

Funny, isn’t it?
