Do you ever wonder whether all those security-awareness posters, coffee mugs, pens, mouse pads, and sandwich-bag clips are having any effect at all to improve security?

Actually, they may be making things worse – if they violate the principles established by psychologists.

My good friend and colleague, security-awareness guru K Rudolph of Native Intelligence, describes how to use the science of persuasion to improve security-awareness messages. Everything that follows is entirely K's work with minor edits.

* * *

Robert B. Cialdini, Regents' Professor of Psychology and Marketing at Arizona State University, is considered an expert on influence. He studies and writes about the science of persuasion. He's one of the authors of Yes!: 50 Scientifically Proven Ways to Be Persuasive – my favorite book about social-psychological research on persuasion.

Yes! has a chapter about a common mistake that causes messages to self-destruct. The authors tell the story of a former graduate student who had visited the Petrified Forest National Park in Arizona with his fiancée. At the park's entrance a sign stated, "Your heritage is being vandalized every day by theft losses of petrified wood of 14 tons a year, mostly a small piece at a time." The student was shocked when, after reading the sign, his normally ultra-honest fiancée whispered, "We'd better get ours now."

This incident inspired the authors to design an experiment in which they posted two different signs. One used the concept of "negative social proof." It read, "Many past visitors have removed the petrified wood from the park, changing the natural state of the Petrified Forest." That sign also showed a picture of several visitors taking pieces of wood. The experimenters placed a second sign to simply convey that stealing wood was not appropriate. The second sign said, "Please don't remove the petrified wood from the park, in order to preserve the natural state of the Petrified Forest." The accompanying image showed a lone visitor stealing a piece of wood, covered by the universal "No" symbol of a red circle with a slash through it.

The experimenters placed marked pieces of wood along various pathways and observed how the signs affected the rate of theft. They switched the signs at the entrance to the pathways, and they also used pathways with no signs posted as a control condition.

The results and analysis?

• Where there was no sign, 2.92% of the wood pieces were stolen. Where the social proof sign (stating that many visitors had removed wood) was posted, the theft rate increased to 7.92%. Where the sign asked people not to steal the wood and depicted a single thief, the theft rate decreased to 1.67%.

• Put simply, social proof refers to our tendency to go along with the crowd and follow the most popular course of action. We do things that we see other people like us doing.

• Using negative social proof, that is, communicating the popularity of an undesirable behavior, focuses the audience on the prevalence, rather than the undesirability, of the behavior.

• The authors recommended that the park management reframe the statistics to focus attention on the number of people who respect the park's rules, which turned out to be more than 97%.

Here's an example of how I applied this lesson to security awareness. To catch people's attention, I like to introduce each awareness topic with something unexpected – a humorous quote, an unusual image, or a statement designed to elicit an audience reaction of surprise, "I didn't know that," or, "I never thought of it that way."

Todd Snapp, president of RocketReady, frequently speaks to audiences about the human side of security. He often asks the audience to guess the most common passwords that his team of penetration testers finds in organizations where the password requirements include using characters from at least three sets (e.g., uppercase, lowercase and numbers) and passwords must be changed every 90 days.

Audience members usually call out guesses, but they rarely guess the answer. When Todd tells them, there is usually a collective groan and head slap as the audience wonders why such a simple and, in retrospect, obvious answer didn't occur to them.

The answer? The season and the year: Fall2008, Winter2008 or Winter2009.
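The season-and-year pattern passes a "three character sets" composition rule exactly as Todd describes, which is why a rule like that needs a pattern check beside it. The following is an added example, not code from the article or from RocketReady; the function names and the deny-pattern are my own constructions.

```python
import re

# Composition rule as described in the article: characters from at least
# three of the four classes (uppercase, lowercase, digits, symbols).
def meets_composition_rule(password: str, min_classes: int = 3) -> bool:
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= min_classes

# Season followed by a two- or four-digit year, with optional separators or
# trailing punctuation (Fall2008, Winter-2009, Summer08!). Leetspeak variants
# such as "F@ll2008" are deliberately out of scope for this small example.
_SEASON_YEAR = re.compile(
    r"^(spring|summer|fall|autumn|winter)[\W_]*(19|20)?\d{2}[\W_]*$",
    re.IGNORECASE,
)

def is_season_year(password: str) -> bool:
    return bool(_SEASON_YEAR.match(password))

def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason). The composition rule alone would accept
    'Fall2008'; the pattern check is what actually rejects it."""
    if not meets_composition_rule(password):
        return False, "needs characters from at least three classes"
    if is_season_year(password):
        return False, "season-and-year pattern"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ("Fall2008", "Winter2009", "Winter-2009!", "Tr0ub4dor&3"):
        print(candidate, check_password(candidate))
```

Running the block shows that every season-and-year candidate satisfies the composition rule and is rejected only by the pattern check.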

Based on the audience reaction, I decided that this tidbit of information would be a good way to introduce the topic of passwords. In the next e-learning course module on passwords that I worked on, I placed a "Did You Know?" graphic followed by a quote from Todd's presentation starting with, "The most common passwords we find …".

About a week later, the light bulb came on when I read Yes! I realized that by presenting the information as I had, I was conveying the wrong message – despite the implied disapproval of choosing passwords that are easy to guess – that such behavior is common. The quote acted as strong social proof that many people just like the audience choose these easily guessed passwords.

This realization made me wonder how often we misunderstand the impact of our messages.

I immediately changed the introduction to advise people not to choose the season and year for passwords and to focus their attention on a positive behavior. I used an image showing people who had chosen strong passwords speaking disapprovingly of a single person in the organization who used the season and year. This made it clear that people who use weak passwords are in the minority and are disapproved of by their co-workers.

So remember: emphasize the deviance, not the popularity, of insecure behavior.

K Rudolph, CISSP is the founder and Chief Inspiration Officer of Native Intelligence. K is an accomplished writer and lecturer who was honored in 2006 as Security Educator of the Year by the Federal Information Systems Security Educators' Association (FISSEA).