Security Behavior Change

How to use social proof as a superpower in security awareness training

Masha Sedova

Published on 19 March 2019

Security Behavior Change

Question: Would you be more likely to do something simply because someone told you, or because you knew your peers were already doing it? Chances are, it’s the latter. Study after study shows the power of social proof in influencing behaviors. Take energy software company, Opower, as an example.

In addition to sending consumers a report on their own energy use, Opower also shows how they compare to their community’s average energy use. Additionally, they grade each household on their energy:

  • Two smiley faces for great conservation (using less than 80 percent of what their neighbors do)
  • One smiley face for good conservation (using less than most of their neighbors)
  • No smiley face for bad conservation (using more than most of their neighbors)

They found that comparing one household’s behavior to their neighbors was strong enough driver to improve their energy conservation.

So, what can we learn from this as a security industry? We’ve actually found a very similar phenomenon in security training: comparing an employee’s security hygiene against others and using social proof as a motivator can be very powerful. Case in point: If you simply told your employees to use LastPass to store passwords versus told them that 300 of their co-workers or the CEO uses it, which message do you think would sway the non-users? Chances are, it’s the fact that colleagues or the CEO use it that will move the needle because people look to their peers first before doing something new or making a decision.

Especially if you find that no matter how much you train your employees they continue to utilize weak passwords, forget to use password management tools, and click on phishing links, chances are they need better motivation. This is where social proof can come in, because people need proof from others that something is worthwhile to do.

The Proof on Social Proof

There are ample studies today on the power of social proof in influencing good behaviors. A study by researchers at Carnegie Mellon University and Facebook found that just by showing people the specific number of their friends that used security features drove 37 percent more viewers to explore those security features. To test this, they showed 50,000 Facebook users one of eight security feature recommendations (e.g. login notifications, login approvals, trusted contacts, etc.). Seven of them had social proof and one did not. They discovered that simply by showing people that their friends used the feature drove more awareness and adoption of those features than the non-social recommendations.

Similarly, a study conducted by Sauvik Das of Georgia Institute of Technology found that a Facebook prompt to install security controls (such as two-factor authentication) was 1.36x more successful when using social proof, by leading with text like “108 of your friends use extra security settings.”

We’re already familiar with many forms of social proof, such as:

  • Celebrity endorsements for products
  • Clubs intentionally creating lines outside to draw interest and intrigue
  • Facebook widgets showing you how many of your friends already ‘Like’ something as a driver for you to ‘Like’ it, too
  • Asking a friend or trusted peer what product they use and buying it that day on their recommendation alone

In all of these scenarios, other people’s use of something can altogether sway an opinion or decision. Specifically, many of these studies, as well as our own research, have found that showing someone that a peer they know or look up to (versus a population at large) is doing or buying something has the most pull.

This is why celebrity endorsements or Facebook social proof work so well.

An example of celebrity social proof

Whether it be a favorite blogger, pop artist, or your best friend, knowing that someone you respect and trust does something can be just the motivation needed to adopt a new habit or buy a new product. On the contrary, social proof can go wrong when you see that someone you do not like uses or does something — that can, in fact, deter behavior. This is why it’s important to know your audience (your employees) and find the appropriate influencers to effectively influence their behavior.

So, what if you could show your non-compliant employees that many of their peers are practicing good security behaviors? And what if you could even build in rewards to motivate them for improving their behaviors over time? Social proof as an integral part of security awareness training can mean the difference between useless training that leaves you no more secure, and building an army of security advocates to strengthen your company’s barricades.

How to Bring Social Proof to Security Awareness Training

How exactly do you begin to leverage social proof in security awareness training? And how can you do so in a positive way where employees don’t feel singled out? This is the exact challenge we set out to solve with Personal Snapshot, part of the Elevate Platform. Similar to the way in which Opower reports on consumer energy usage, we send employees reports on their own security behaviors, showing them information such as:

Comparing their behavior to their team’s and showing them how they can improve (the last part is key)

Highlighting when influencers, like the CEO, are also exhibiting a behavior

You see, while we found that social proof was powerful in and of itself, giving people a way to improve on their results is even more beneficial. For example, we offer employees resources in their personal snapshots to strengthen their skills so that they can uplevel their score and see it improve over time.

At RSA Conference in San Francisco in March 2019, I spoke alongside Elevate customer Aika Sengirbay from Autodesk. Aika shared the results her company has seen with rolling out Personal Snapshot and leveraging social proof. At launch, 60% of employees reviewed their snapshot, resulting in decreased clicks on phishing emails, increased reporting of suspicious emails, increased password manager usage, and 1800+ visits to the training resources linked in the emails.

With better training and built-in motivation, employees can become your first line of defense against cyber threats. By creating a reality where employees are a central part of solving security problems (rather than contributing to them), we finally give ourselves a chance against the sophisticated attackers targeting companies today.