If you receive spam by SMS (or via email) in Belgium, you can report it online to the authorities!

A while ago I posted an article stating that there was no way to report SMS spam online in Belgium. Guess what, I was wrong!

First, I was wondering whether it was really illegal to send unsolicited commercial messages by SMS in Belgium. I found this really nice flyer from the federal public service of economy (http://economie.fgov.be/fr/binaries/spamming_brochure_fr_tcm326-31741.pdf) explaining that the general definition of spam also applies to SMS and chat systems.

In the flyer, there was a link to a page for reporting this kind of behaviour to the authorities. The document being a bit old (2005), the link was outdated, but our friend Google found me the new one: https://pointdecontact.belgique.be/meldpunt/en/welcome

On this official website, you can report SMS spam (or other similar illegal activities) using the « New complaint » button and the « SPAM from unidentified party » type of report.

I’m not sure it will be very efficient at quickly stopping the spam SMS from coming (most smartphones allow you to block senders for a while), but it will be the start of it. And if more and more people start to report such behaviour, it will likely have an impact.

Note that you can also report spam or harassment coming from outside the country.

The scope is quite clear from the first page:

« Are you the victim of misleading practices, fraud or swindle? Or have your rights as a consumer or enterprise not been respected?
Then choose the scenario that matches your problem and follow the various steps to report your problem to the competent services.
You will always receive a reply in which we will try to provide an answer to your questions.
The competent services will analyse your report and may carry out an investigation. They do not take any action in your individual dispute, nor do they provide any information concerning the investigation. For your individual problem, we exclusively refer to the reply that will be sent to you »

Now you know what to do.

Why is usability important for security management?

Why is usability important for security management? Is it even important? Obviously for a lot of people, it is not. And that’s a problem. But what is usability anyway?

Usability?

According to Wikipedia, and I find the definition pretty accurate, usability is “the ease of use and learnability of a human-made object such as a tool or device. In software engineering, usability is the degree to which software can be used by specified consumers to achieve quantified objectives with effectiveness, efficiency, and satisfaction in a quantified context of use”.

In other words, usability is the process of designing things so they can be easily used and mastered by their end users. Usability is not just about design, it is a science. It is about optimising our environment for our brains and our bodies. As an example, usability is when you put handles on a box so it is easier to lift. Google, the most visited website in the world, is an example in terms of usability: straight to the point, one field and you get what you need in one click. It even completes the words for you as you type. There’s a reason they are number one and it’s called user experience (UX).

Nowadays, usability, neuroergonomics and even neuromarketing are at the heart of successful designs. Whatever you are selling, you had better make it easy to use and even sexy. The traditional KISS (Keep it simple and stupid) design requirement has gained an additional “S” for sexy (KISSS, Keep it simple, stupid and sexy). The article I wrote about the ineffectiveness of spam awareness sessions was also an advocacy for the use of cognitive science insights in order to design more effective awareness material.

Why do I care?

If you are a product manager for a startup, you are probably already aware of all the usability requirements for your products. That’s where startups win the war against the old dinosaurs: “better engineered products with better usability and even sexiness”. We all learned from the master’s success: Apple. Steve Jobs knew the rule for making something usable: fewer buttons. Sleek design is all about simplicity.

But if you are working in security management, or as a security project manager, or even as a security architect, it seems more likely that you won’t care about usability. You might think that your job is to make your company secure, not sexy. And you’re right about that. Except that, when it comes to humans, you’re probably failing (in large part). You may think: « These stupid end users still don’t get it. » Of course, they still manage to use weak passwords. If you force strong passwords, they write them down or use the same one everywhere. They still don’t know the security policies. They watch the very nice slides you showed them during the mandatory security training at their induction, but the next day they are already sharing their passwords with their colleagues. Don’t even mention their inability to spot a phishing attempt! Let’s not speak about your system administrators: these fools who believe they are the kings of the realm and have left so many vulnerabilities open in their systems that the latest vulnerability report you received was so long you couldn’t finish it in one day. Hopefully, you will make a strong point during the next security steering committee to ensure these operations guys’ boss understands he must bring them back to the righteous path.

Ring a bell? Not even a little bit? I think so.

If we believe an old saying, wisdom is being able to differentiate between what you can change and what you can’t. The goal here is to focus your energy and your efforts where it matters. So, think again about your problems. What did you do? You ran awareness sessions? You wrote very thorough policies and standards? You made sure they were obliged to read them, to sign in their blood that they had read your literature and that they would abide by your rules?

Did it work? How well? Be honest: some miscreants continue to refuse to follow the rules of the holy god of security. They are probably psychopaths! Or could they be just humans? What if you could increase the probability that they will read your policies? Even better, what if you could improve the odds of having them change their behaviour and embrace your security culture? You don’t believe in Santa Claus? Me neither, but I do believe in science!

Neuroergonomics & neuromarketing of security!

Neuroergonomics and neuromarketing are the catchwords referring to the use of social psychology and neurocognitive sciences to increase your desire to use a product and to improve your ability to handle concepts, to remember things or to become addicted to some applications (think about Facebook or Twitter). If people can influence what you eat, what you drink, what you wear, what you watch or what you read, why couldn’t we use this knowledge to change your people’s attitude towards security?

Is it worth it? Well, are you already paying people to communicate, to make videos, to draw cartoons, but you still have too many incidents and non-compliance? Yes? So maybe you should start investing in better-designed solutions and put usability as a requirement for all the projects and for all the tools or “products” security wants to sell.

Concretely?

POLICIES

  • If you have an Intranet, your security policies must be one click away from the first page.
  • You must have a clear organisation, a hierarchy and a search engine allowing anybody to quickly find the policy or procedure they need.
  • Policies should go straight to the point, from the reader’s point of view, from the very first pages.
  • Forget lawyer or technical talk; use common vocabulary.
  • Do’s and Don’ts are likely more efficient than long descriptions.
  • Use words and situations your audience is familiar with.
  • Ensure your rules are translated into actions in their processes and procedures.
  • Ensure these procedures are pragmatic and easy to read.
  • Use pictures, screenshots, beautifully designed templates. Make it look more like a fashion magazine than an old book.
  • Use positive words. Any command that can be better performed by a dead man is a bad command (example: « Don’t use short passwords »… a dead man can do that very well. Rather prefer « use long, secure passwords »).
  • Group similar things together.
  • Be consistent. Even better, be congruent (use multiple associations together), like Red + Triangle to signal Don’ts and Green + Checkbox to signal Do’s. Keep the colours consistent (Red = negative, Green = positive).
  • Consistently use the same word to designate one thing. Even if synonyms can make reading less tedious, always using the same word to designate one object or concept makes it easier to understand (even more so for new concepts).
  • Prefer lists.
  • Keep it as short as possible (more than 10 pages is clearly too much).
  • Use symbols, signals, icons, pictures.
  • Keep the rule of 3 in mind: if you want to explain a concept, break it down into 3 parts/steps/components, then explain the 3 sub-concepts (using 3 other steps/concepts/parts) and so on until people can understand it. You can go up to 5 « objects » but not higher.

PROCESSES

  • Embed security processes into existing processes.
  • If a process works, don’t fix it.
  • If you can streamline it, do it, even if it is not your first job. Making people’s lives easier will facilitate the acceptance of the controls and might even improve people’s attitude towards security.
  • Create links between all processes so they can benefit from each other, e.g. ensure vulnerability scans feed the CMDB to ensure consistency. (It is supposed to be like that in a perfect world, but that’s just theory.)
  • Forget long swim-lane drawings or decision trees spanning 3 pages; keep it short by splitting the process.

AWARENESS

  • Changing behaviour is something we do out of emotion, not based on rational thinking. Even if rational thoughts can lead to a change, we initiate this change only if we connect these thoughts with some emotion.
  • Use real, concrete situations (something that happened or could happen).
  • They must be relevant for your audience (use scenarios involving your audience, allowing them to identify with the character).
  • Use as much as possible what they already know well (places, situations, products, applications, organisation, but also more personal things: kids, sports, cooking, walking in the street, …).
  • Show them the concrete consequences for people when they don’t comply with the rules or the secure behaviour (it’s easier to have feelings towards people than towards an organisation).
  • Foster self-identification with your character by using little positive details to which your audience can relate (« Sam likes to take a coffee with his colleagues, Alice likes
  • Songs, rhymes, jokes, kittens, anything that stands out will help memorisation. So use it when it matters (if you use the same trick too often, its efficiency tends to fade).
  • Associate non-« sexy » items (like security rules) with more attractive ones (a nice place, a smile, a cute cat picture, a beautiful woman – yes, it works for both men and women –, a good song).
  • Repeat, repeat & repeat the message, but change the format so it doesn’t get boring and so you can use various ways to reach people.
  • We are all different; what works for you doesn’t necessarily work for everybody.

PS: Yes, I could make this list more « sexy » and it will likely come, but it will be in the (near) future 🙂

Your phishing awareness campaign may do more harm than good

Phishing and spear phishing campaigns are becoming more and more elaborate, hence more difficult to identify and consequently more successful. Crelan’s €70 million loss in early 2016 is a good example of the potential impact of such a successful social engineering attack.

As automated security systems are unlikely to detect and block the most elaborate and targeted attacks (they need a significant number of similar emails to trigger their alerts), security officers are left with security awareness campaigns focused on developing the skills to detect (spear) phishing attacks in order to mitigate this risk. It’s logical, it’s what security standards advise you to do, but watch out: you may be doing more harm than good!

One of the first mistakes in this approach is to consider awareness (or communication) as a goal. Any communication is aimed at instilling a change in its recipient(s). The aim of an awareness campaign is to change people’s behaviour and attitude so they pay more attention to the source of their emails, their contents and the legitimacy of what is asked of them. So basically, we should first have a measure of the current situation and aim at a certain improvement in our “SMART” metrics, the most obvious and significant one being: how many people will fall for a (spear) phishing email.

How do we usually do that? Often by a combination of training, online training, posters and “homemade” phishing campaigns to measure the exposure of the company and tickle our employees. In such cases, we appeal to fear: fear of contributing to a security incident, to a fraud, to a loss of money, fear of getting fired.

Fear appeal is used to leverage behavioural change, as one believes the emotional reaction caused by fear will increase the likelihood of the appropriate, secure behaviour occurring. You’d better think twice as, as is often the case, the devil is in the details.

Fear appeal effectiveness is still a debated question (that’s the principle of science), mainly because it might work under some conditions. In their “Appealing to Fear: A Meta-Analysis of Fear Appeal Effectiveness and Theories” article, Tannenbaum et al. (2015) analysed 217 articles on the subject and found few conditions making fear appeal ineffective, while effects seem most apparent in women and for one-time behaviours.

However, in a review of 60 years of studies on fear appeal, Ruiter et al. (2014) concluded that “coping information aimed at increasing perceptions of response effectiveness and especially self-efficacy is more important in promoting protective action than presenting threatening health information aimed at increasing risk perceptions and fear arousal”. A 2014 study by Kessels et al., using event-related brain potentials and reaction times, found that health information arousing fear causes more avoidance responses among those for whom the health threat is relevant.

Still, it seems there is some consensus regarding specific conditions that must be met by such communication: just after the fear arousal, the communication must provide a solution allowing the audience to reduce this fear with a sense of self-efficacy. To put it simply, we must provide our audience with a simple way to fix the issue: an easy-to-follow behaviour (one that doesn’t require too much psychological and physical energy). If our solution is so complex that it (or the mere thought of using it) will generate more stress than the feared event, our brain will likely avoid this behaviour and deny the reality of the risk (and the fear).

The latest research in neuroscience (and more specifically in the field of neuroergonomics) provides some guidance to shape our message and solution so that our audience can easily grasp our communication and adopt the desired behaviour.

As for most communication, we must avoid saturating the working memory. What does that mean? If we receive too much information at once, our brain is not able to process it all at once. It is like a lift: if more people try to enter than the lift’s capacity, the lift is not going to move and will be stuck. It is the same for our brain if we saturate the place where information is stored in order to be processed (what we call the working memory).

The average span of human working memory is 5 objects or, if we use Husserl’s terminology, noema. For most people, this span is between 3 and 7 objects.

But what is an object (or noema) in that context? If I give you a phone number digit by digit (let’s say: 1,5,5,5,1,2,3,4,4,6,9), it will be hard for you to memorise the 11 digits of this number, each digit being an object. But if we combine some digits together into small numbers (1, 555, 123, 44, 69), it will be easier to remember. The reason is that these small numbers are also objects (noema) for our working memory, and in that case we don’t saturate it, as there are only 5 objects (so, within the average memory span).

Why are the small numbers one object each and not the large one? Simply because we are used to them. If you were born in 1980, this number can become an object (as you are quite well acquainted with it), while 1256 could require 2 noema (12 and 56).

The same is true with words. Well-known words (and their associated concepts) are easier to process. That is why I put the word “noema” (likely to be a new name for most readers) multiple times next to the word “object” (a quite common word and clear concept), so it can be used as a “handle” to better “grasp” the new concept of “noema”. Similarly, using the metaphor of the “handle” to “grasp” a concept eases the understanding (the grasp) of the concept.

To summarise, our solutions, our expected new behaviours, must be as close as possible to something we already know, in order to make them easier to grasp.

As a concrete example, if you want your users to check the validity of an email sender’s domain name (just that concept is not that easy to understand for a lot of people: the part on the right of the @ in an email address), you should provide a tool available in the first level of the menu or a link in the favourite websites. The best thing would be to have the information integrated in the email or one click away from it.
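The “what is on the right of the @” check described above, as an added example in Python (not code from the original post): it takes a raw From: header, exposes the sender domain, and produces the one-line plain-words summary a mail client could show next to the message. The organisation domain example.com and the partner list are constructed placeholders for this example.

```python
"""Sender-domain helper: an added example, not code from the original post.

Given a From: header, expose the part to the right of the '@' and say in
plain words whether that domain is the organisation's own, a known partner,
or something else. OWN_DOMAIN and KNOWN_DOMAINS are constructed placeholders.
"""
from email.utils import parseaddr

# Constructed placeholders (assumptions for this example, not real values).
OWN_DOMAIN = "example.com"
KNOWN_DOMAINS = {"example.com", "partner-bank.example", "supplier.example"}


def sender_domain(from_header: str) -> str:
    """Return the text to the right of the '@' in a From: header, lower-cased.

    parseaddr strips display names and angle brackets, so
    'Alice <alice@example.com>' yields 'example.com'. A header without a
    parseable address yields '' so callers can treat it as unparseable.
    """
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def classify_sender(from_header: str) -> str:
    """Classify the sender as 'internal', 'known' or 'external'.

    'internal' means the organisation's own domain or a subdomain of it,
    'known' means a listed partner domain, and anything else (including a
    malformed or missing address, or a lookalike domain) is 'external'.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    if domain == OWN_DOMAIN or domain.endswith("." + OWN_DOMAIN):
        return "internal"
    if domain in KNOWN_DOMAINS:
        return "known"
    return "external"


def sender_summary(from_header: str) -> str:
    """One line a mail client could show next to the message.

    The domain is spelled out rather than hidden behind the display name,
    which is the only part most readers look at.
    """
    domain = sender_domain(from_header)
    label = classify_sender(from_header)
    return f"{label} sender: {domain or 'unparseable address'}"


if __name__ == "__main__":
    # Constructed sample From: headers, not taken from any real mailbox.
    for header in (
        "Alice <alice@example.com>",
        "hr@mail.example.com",
        "billing@partner-bank.example",
        '"IT Support" <support@examp1e.com>',
        "not an address",
    ):
        print(f"{header!r:40} -> {sender_summary(header)}")
```

The deliberately simple three-way label is the point: the user gets “internal”, “known” or “external” next to the spelled-out domain, rather than a rule to apply themselves, which is the kind of low-effort, one-click information the paragraph argues for.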

E-commerce websites have already integrated such concepts well. They understood long ago that if you want a client to order something, he must be able to find it and order it in 3 clicks or less. You may know the saying: “the best place to hide a body is on the second page of a Google search”. Meaning? Most people don’t go to the second page; it is a click too far.

Using pictures, drawings (simple ones; keep the 3-to-7-objects rule in mind), stories and jokes helps memorisation. Anything that might be relevant to the concept, or totally outstanding, might help too. Emotions help memorisation. If you scare people first, making them laugh or smile with your “solution” might help them memorise it. Go kittens! (see https://www.ezonomics.com/stories/how-pictures-of-kittens-can-help-you-manage-money/).

Also, do not forget a basic principle of behaviourism… the sooner the better. If you want to foster an action, the reward must come very soon, ideally immediately, after the action. So, if you have people clicking on a link in a “test” phishing email, you may scare them by pointing out their mistake, but you should also immediately provide a way to avoid this experience the next time, by giving a few quick tips on what they did wrong and how they should do it next time.

Here is a nice example of a video playing just a bit on fear and providing advice in a non-threatening, aesthetic (it matters too) and very simple way (by http://www.nomagnolia.tv/).

So, you know (a bit more) what to do now!

You too can have fun with safety instructions…

Security officers rarely have a reputation for being the life of the party. In general, a « security officer » who shows up in a meeting is often perceived as a killjoy. If that is the case, he has work to do because, in my humble opinion, he should be perceived as the person who will allow the company and its projects to move forward by securing them and making them sustainable.

It can never be repeated enough: no security plan, no policy, is of any use if it is not communicated, understood and applied by all the people concerned. In most companies, security is everyone’s business. Too frequently, unfortunately, security awareness campaigns are unimaginative, incomprehensible, unattractive (not to say ugly), and some even go so far as to encourage behaviours opposed to their objectives, through inappropriate communication and an inappropriate message.

Airlines are no exception to the rule. To ensure the safety of their passengers, the latter are asked to listen, at the start of each flight, to the safety instructions reminding them to fasten their seat belt, to stow their hand luggage and to breathe into the oxygen mask should it suddenly appear in front of them. If you have ever taken a plane, you may remember it. You probably also remember that it is a slightly boring moment (especially if you fly often). I do not know whether surveys have shown that most passengers do not remember these basic rules, but it seems that some airlines (or sometimes some flight attendants) invest in a more pleasant delivery of their instructions.

It would be interesting to assess whether these initiatives increase the memorisation of the safety rules and, above all, the concordance of passengers’ behaviour with these rules. It is quite likely that the main benefit of these initiatives is to give a better, friendlier image of the company. There is nevertheless a lesson to be learned from this, especially for security officers who are perceived as boring (just like their rules): with a little creativity, one can change the image, the perception of the rules and also, probably, increase « compliance » with them. So here are a few examples of creativity in this area. Even if the aspects of persuasive communication are not always taken into account, at least it is fun and it already fits better with one of the essential rules: KISSS (Keep it Simple, Stupid & Sexy).

And your security policies, do you prefer them brief or complete? Thoughts on both options!

As soon as one speaks of good corporate governance, one very quickly hears the words « policies », « rules » and « procedures ». When you run a company or a team, most « management » gurus will tell you that you must give precise orders or define SMART objectives (Simple, Measurable, Attainable, Realistic and Time-bound).

On this basis, many large companies generate dozens (not to say hundreds) of pages of various regulations that employees are supposed to know, and that only the people who wrote them and the lawyer who reviewed them manage to understand (and even then, I sometimes have my doubts…). Which company does not have its « Code of conduct », its « Internal regulations », its « Code of ethics », its « Purchasing procedure », its « Acceptable Internet use code », its « Risk management policy » or even its « Dress code ». And here I am only listing the great classics; many companies have far more rules than that, sometimes split according to the target audience (end users, IT department, external suppliers, purchasing department, human resources, etc.) and sometimes all mixed together in a monumental, unreadable document that nobody dares open, so much does it remind us of that 500-page best-seller we never finished because it was so massive. In short, you have internal regulations (internal policies), but do you know how many people have read and understood them?

The military, who are often thought, and probably not wrongly, to be well organised and more rigorous in their approach to security than most private-sector players, have understood this problem well. A well-known saying among generals is that « no military plan, however well made, survives first contact with the enemy », or, as another saying goes: « In theory, practice and theory are the same thing; in practice, it’s different ». Consequently, however much you try to anticipate every possible and imaginable case, it will not be long before someone runs into a situation that was not foreseen. And in any case, they will not have read your 2,500 pages of rules.

Should we write even more policies?

With even more detail? Even if lawyers love to tell you that « everything that is not forbidden is allowed » or that « it is better to be too precise than not precise enough », the fact remains that it is often perceived as patronising. Do you work with chimpanzees to whom everything must be explained in detail, or with responsible adults? Do you think they are too stupid to make the right decisions, or that with a minimum of explanation and context they will make the appropriate choices? It may well be the answers to these two questions that should determine your approach. Remember, however, that nobody likes to be taken for a fool, patronised and stripped of all freedom of action and initiative. It is bad for the troops’ morale and for creativity. And for the second question, if you have hired fools, perhaps you should review your hiring policy… or adapt your communication.

How can we make sure our people will be able to make the right decisions?

Our dear military have of course found the solution to this problem: the CI! The CI is the « Commander’s Intent », a concise and clear definition of the purpose of the operation and of the desired end state. The CI may also contain the commander’s view of the adversary’s CI, as well as the level of risk (of loss) that is acceptable. Thanks to the CI, everyone mobilised in an operation should be able to act in concert, using their skills, towards a common goal. And if by chance the conditions for carrying out the magnificent plan you have concocted no longer hold, the people on the ground should be able to easily adapt their plans to achieve their share of the set objective.

How do we translate this principle to civilian society?

Some companies have already understood this principle well, and the CI has often become the company’s « motto ». Imagine you work for a car manufacturer; I suppose you can easily picture the behaviours and the decisions you would take if your CEO’s CI is, for example, « to be the manufacturer of the best car in the world » or « to have the best customer satisfaction rate ». These two objectives, which could be perceived as a similar desire for excellence, will nevertheless lead to different choices when decisions have to be taken about investment in after-sales service, the sales department and R&D. Nevertheless, every person in the company will easily be able to answer this question: « Will my decision allow my company to move towards or reach its objective? ».

Of course, this implies that everyone knows their job and the consequences of their choices. In a way, one can wonder whether the choice between brief and complete internal policies is not a strategic decision strongly tied to the values of the company and its management team. Micro-management or macro-management? Total, meticulous control or working on trust? Control and repression, or education and encouragement? Chimpanzees or little geniuses? The stick or the carrot? Book or cinema? (OK, here I am pushing the parallel a bit far.)

In summary…

Your internal policies, and even more so your security policies, must be aligned with your company’s values. Personally, I prefer to educate rather than reprimand. Short policies that explain what is expected and for what reasons, and that give context and concrete examples, seem to me more effective than a long list of paragraphs resembling the penal code. And you, which do you prefer?

Effective security management: 20 tips to change your audience’s behaviour

How do we implement security efficiently in an organization, small or big?

Although some security officers still seem to believe that having security policies and a plan to implement expensive controls like IPS, IAM or DLP is the solution (you’ll notice the common use of nice marketing buzzwords and acronyms to make you believe that you should know what an Intrusion Prevention System, an Identity and Access Management system or a Data Leakage Prevention system are, like everyone else is supposed to, and maybe does; but does it mean it’s the solution to your problems?), it is not! You can believe me on this: I was thinking the same way years ago, I saw it fail too often and now I take another approach. And that’s probably one of the reasons why I still have a lot of work as a consultant.

So, what is the first thing we should care for?

When Kevin Mitnick, one of the most famous hackers, was still hacking PABXs in order to war-dial every available modem in a region for free (yes, it was a long time ago), the weakest point of most computer security systems was already between the chair and the keyboard. Whatever you do, there is always a human involved somewhere, and humans are harder to control and less predictable than machines (even if it might not always be the case). Bottom line: good security starts with a good communication and training plan, like any transformation journey, as it is the only good way to change users’ behaviour (depending where you live, you might also think about torture and brainwashing, but as I live in Belgium, and moreover due to my philosophical convictions, I exclude those from the equation).

Is it really necessary to have a communication and training plan?

The first Palo Alto axiom of communication states that we cannot not communicate (yes, I know, double negations are complicated). Let’s rephrase it: whatever you do or don’t do, you communicate. So, if you don’t communicate about your security, you in fact communicate that it is not important, or that you don’t care, or that you don’t have the budget to communicate. It’s BAD! If you communicate poorly, you might in fact give the same message, or even worse, as you might give the false impression that security is useless or even boring. Really bad too! And as you probably know, we only have one occasion to give a good first impression. So, don’t miss it. The basic reason for any communication is to change others’ behaviour. So, if you just want to write policies for yourself and don’t bother about others’ behaviour, indeed, you can skip the communication plan.

What makes a communication efficient?

If a communication is intended to change others’ behaviour (or ideas), an efficient communication is the one that will change the behaviour of the highest number of people. How can we assess that efficiency? If you do security and risk management, you should know the PDCA cycle. So, you just use it, like scientists: when you do something, you try to measure the effect of your action. Fortunately, there are already a lot of people who have tried different paradigms and measured their efficiency. That’s what social psychologists and marketing researchers do. And on the specific issue of risk communication, Amos Tversky and Daniel Kahneman, two Nobel-prize-winning (economics) psychologists, developed prospect theory, highlighting the numerous biases affecting humans when taking decisions about a risk. Lucky for you, you won’t have to read and understand all those books and articles; I am about to give you a cheat sheet to prepare your next communication.

So, practically, how do you do it?

  1. First, you have to remember the 3 basic rules of education: repeat, repeat and repeat again.
  2. Then, you have to remember that if you repeat a signal too often, it tends to be ignored by your brain. When you put your socks on your feet, you start ignoring the sensation of the fabric on your skin after a few seconds. In the same way, you don’t notice most of the objects in your office that have been there for so long. But if you move one or change its colour, interrupting the pattern, you will start noticing it again. So, the basic education rule might become something like: repeat, explain and do it again differently.
  3. Keep it simple, stupid and sexy (KISSS): use terms and analogies that everybody can understand. Your target is not a group of security experts.
    Ex.: « Security is wearing belt and braces for your first date »
  4. Give many concrete, short examples: give examples that are relevant for your audience. Use their vocabulary, the processes they already know, the things they do for a living.
  5. Use examples allowing people to identify themselves with the story.
    Ex.: « The new employee walks into the printer room and finds a confidential document on the printer; as he remembers the security training, he brings the document to the security officer »
  6. Ask questions, and mostly questions creating a knowledge gap, meaning your audience won’t have the answer, or at least not the right answer.
    Ex.: « How long will an 8-character password last against a hacker’s attack? »
  7. Use positive sentences (people have difficulties with the negative form; they tend to forget the negation).
    Ex.: prefer « You will take care » to « You will not jeopardize »
  8. Use emotions and feelings to describe situations; it will make them more memorable (you can also add references to sensations, sounds, colours).
    Ex.: « Alice is afraid of losing her beloved grandmother’s gold ring »
  9. Explain to your audience as if they were your kids or grandparents.
    Ex.: « You may see Risk as the cost resulting from an incident (like having a car crash) multiplied by the probability of this incident occurring »
    NB: I know, I repeat myself, but what we call the curse of knowledge, meaning believing that others understand what we are saying, is really killing most security communication.
  10. Use precise numbers; they will be perceived as more credible.
    Ex.: « You have 2.13 times more chance of dying from self-inflicted injuries than from a transport accident »
  11. Naming your sources will also add credibility (if they are credible).
    Ex.: « as stated in the Federal Statistic Death Cause report of 2009 »
  12. Link important concepts to images, preferably known locations and persons. Use unusual associations (incongruence) to increase remembrance.
    Ex.: « Gandhi walks into a computer shop and asks for a computer bringing serenity »
  13. Spot the « victims » of the incident or the persons impacted by an incident. Give a face, a personality, to the victims.
    Ex.: « Alice, Bob’s secretary, is afraid of being fired after she disclosed confidential information »
  14. Provide multiple examples of the same risk. It will create the illusion that the risk is higher, which is helpful to trigger action & compliance.
  15. Use yes sets (a set of affirmations that will be acknowledged by most people (Yes), preceding an affirmation we want them to acknowledge): as they acknowledge the first affirmations (priming), they are more likely to acknowledge the last one. Once acknowledged, not complying with this affirmation will likely trigger a cognitive dissonance (inconsistency) in their mind, increasing the probability of compliance.
    Ex.: « Like many, you like to keep your secrets secret. You understand the risk of disclosing such information. So, you will probably keep this information secret. »
  16. Use double « No » or paradoxical sentences:
    Ex.: « You don’t want us to take such a risk, do you? », « As you care about our security, you will classify the document adequately. No? » or « You may give your password to your colleague and be responsible for all his mistakes. No? »
  17. Make it look normal: make your expectations appear like something normal, that we should do as part of our normal behaviour.
    Ex.: « Like most of your colleagues, you take care of your customers’ information… »
  18. Provide a meaning for your expectations (appeal to our inner drive to make things right).
    Ex.: « Keeping our customers’ transactions confidential prevents insider trading… »
  19. In the military, it is well known that no plan survives contact with the enemy. To circumvent this, always think to provide the CI (Commander’s Intent) that will allow people to make judgment calls.
    Ex.: « The main goal is to ensure our CRM application remains available between 7 and 20 »
  20. If you give a presentation, speak slowly and pause for a second after important information; you will be perceived as more charismatic.

OK, I’ll stop here. There is of course more to say, but you already have more than enough to make your communication at least 3 times more efficient. Combining all this advice, you may change the odds of behavioural change from 21% to 78%! Can you do better?

Who doesn’t need arbejdsglaede?

Arbejdsglaede is the Nordic word for happiness at work. The video below is a nice animation by Alexander Kjerulf on arbejdsglaede (= happiness at work). It is fun and accurate.

You can also visit the related website with videos of happy people at work! http://whattheheckisarbejdsglaede.com/

As the cherry on the cake, a video that should make you smile, as that is all this prince of positivism is aiming at:
Honk if you love someone

No training is (often) bad training

When we talk about training, it is common to hear that it should be given with a purpose, the purpose being « doing a better job ». Likewise, when someone needs a specific skill she/he doesn’t have yet, it is often only when we can demonstrate a return on investment that he/she will be sent to training.

This is quite black or white. To be or not to be skilled! In real life, people may have partial skills, or a minimal level of proficiency in a skill. Sometimes they believe they have the skill, and as you might know, the only thing worse than not having a quality is believing you have it (so you are certain you will never get it).

Nowadays, creating documents is not the sole task of secretaries. They don’t exist as such anymore; they are personal assistants. Why? Because most people, including managers, create and type their documents themselves. Reports, emails, presentations, spreadsheets: who isn’t working with those beautiful office tools? What percentage of users is sufficiently skilled to use these tools efficiently? In 2012, I still see manually generated tables of contents in large documents, titles underlined using underscores, mistakes in spreadsheets due to a lack of knowledge of the tools, or overloaded presentations missing their primary objective: convincing people. OK, they are just losing time and efficiency. As time and efficiency are money, companies are just losing money due to the lack of training. Is it so bad? No, if you can train them now and stop losing money.

Though, as Jack Zenger underlined in his article « We wait too long to train our leaders », no training is bad training, even more so for soft skills. Why? Even if you are not trained, you do practice, and practicing bad behaviours fosters bad habits. With spreadsheets and word processors, this can be corrected easily. But when it comes to soft skills, to human interactions, correcting bad habits is another challenge. Moreover, if a manager is a lousy communicator, improving his listening and communication skills will not be the only challenge. Getting his staff to give him the chance to use his new skills, to trust him, might take some time. In the meantime, as you must know, your employees are leaving their bad managers, even if you, as a company, are offering attractive salaries or bonuses.

Most managers I know have difficulties managing people. Budgets, programs, projects, objectives, boards: all seem to be somehow difficult but still manageable. People? No thank you. Conflicts, competition, motivation, expectations, turnover, headhunters recruiting your best elements, stress, emotion management… it is not an easy task to manage humans. In fact, you don’t manage them; you can just love them (or hate them, but that seems less efficient). Nevertheless, as a recent article in Le Monde pointed out, more and more managers don’t want to be managers anymore. Companies are then losing good employees and managers.

Of course, universities and management schools don’t prepare you well for this task. Even with a degree in psychology, you won’t be ready to be a manager. Of course, there are natural-born managers. Some of them even became great leaders and created their own companies. But what will the other 98 percent do?

Yes, we can train them. In fact, you MUST train them. Not tomorrow, when they come to you nearly burned out. No, today! Now!

But how? What do they need? After more than a couple of decades spent working for companies and organizations of all sizes, I still have the feeling that, before being bad communicators, a lot of managers are bad listeners. Too often also, we find narcissistic managers lacking empathy, which is certainly a good quality to find amongst leaders. Beyond stress management, emotion management should also be a good skill to develop (see the Daniel Goleman video below for more insight into emotional intelligence and leadership). Being mindful certainly helps too. A manager able to stop, take time and take some distance will likely be more available for his collaborators, more creative and more able to listen. Honesty and integrity are also something you expect from managers, as you certainly already do. Nevertheless, this honesty must encompass his relationship with all the employees. He should not be put by the organization in a position where he cannot be honest with them (I already wrote on corporate values; I will certainly come back to this soon).

So, to summarize, my top 5 soft skills a manager should have:

  • Listening
  • Empathy
  • Mindfulness
  • Emotional intelligence
  • Honesty

As these 5 skills are tightly bound together, you might look for a holistic approach. Of course, the higher in the hierarchy you start, the better.


Additional reading (external):

The Value of a Good Manager? People Leave Managers Not Companies!

Forbes.com: Why your employees are leaving?

Daniel Goleman « Social Intelligence and Leadership » on Harvard Business Publishing on YouTube

Improved communication

How many times have you attended a meeting where the speaker read a 12-bullet slide with unreadable text in Arial 12pt (or even worse, Comic Sans)? Even if the subject was interesting, it is more likely that the monotone speech of the speaker and the overload of text (and likely of colours) led you to watch the clouds in the sky, or even to fall asleep while keeping your eyes half open. Clearly, such communication did not reach its goal: changing behaviour! Yes, we usually don’t communicate just for the sake of it; we communicate because we hope we can influence people and make them change their mind and their way of acting. If you don’t, stop wasting your colleagues’ precious time!

Giving a presentation is an art. Being a good speaker is a talent. Like all talents, it requires practice and training. Before reaching Steve Jobs’ or Sir Ken Robinson’s level, you can already start improving your visual support, the holy PowerPoint presentation that most of you prepare as soon as you have to present something. Of course, it might bring clarity, structure and visual support for boring and complex numbers. Unfortunately, in the wrong hands, it can also make your presentation even more boring.

Nancy Duarte is famous for her work on corporate presentations. Her excellent book « Slideology » might be a good start to understand the basic principles of a good PowerPoint presentation. If you need to be convinced, I suggest you pay a visit to her website and check her online portfolio at http://www.duarte.com/work/.

You may also profit from reading Garr Reynolds’ books: « Presentation Zen: Simple Ideas on Presentation Design and Delivery » and « Presentation Zen Design: Simple Design Principles and Techniques to Enhance Your Presentations ».

By changing your presentation, you will also notice that you change the way you present it. A good presentation requires a logical, flowing structure that will also improve the intelligibility of your oral delivery.

Of course, these books are only helpful if you care about being listened to. Assertiveness is just one key to success; you can maybe achieve your goals without it.