The human preference for consistency could boost security – but in practice it often does the exact opposite
Why does folklore suggest we spend 3 months’ salary on an engagement ring?
Why, when we get married, do we vow to stay together for life, no matter what happens?
And why do people choose to stay with a partner following infidelity?
The single word “love” might be an adequate answer to each. And it’d be churlish to suggest that didn’t come into it.
But another factor might help explain all three. And it’s a factor that could help prevent more cyber attacks.
That factor is the human desire for consistency.
Our desire for consistency
Our desire for consistency has been highlighted in academic literature for decades now – a 1968 study published in the Journal of Personality and Social Psychology is a good example. In the study, researchers asked people waiting to place horse-racing bets how confident they were they were in their selection. They also asked people the same question immediately after bets had been placed.
Strangely, researchers found the mere act of placing the bets caused confidence to soar. People were more confident in their selections after placing bets than people were moments before.
Researchers theorised that, after betting on an outcome, it would be inconsistent to suggest the outcome was unlikely. Therefore, we believe a selected outcome to be more likely moments after placing a bet than we do moments before.
Academics believe our desire for consistency to be evolutionary. Consistency makes us trustworthy. It also keeps us from behaving erratically, and makes our behavior predictable. As such, when given the chance, we like to demonstrate how consistent we really are – and not just when it comes to betting.
Consistency nudges us along paths we might never otherwise take – from standing by romantic partners following infidelity to making larger charitable donations after signing petitions.
The security community is yet to intentionally leverage our desire for consistency. But it wouldn’t take much for us to begin to do so.
Intuitively, today’s security awareness programmes seek to enhance people’s knowledge of threats, dangers and best practices. When people know the true risks, it’s assumed, they’ll become more cyber-cautious.
It’s a logical approach. But, actually, it doesn’t appear to be doing a great deal of good.
Despite security awareness campaigns continually banging the same drum, people are still commonly cited as the single biggest cause of breaches around the world. People are still routinely highlighted as an organization’s ‘weakest link’ (a phrase we don’t necessarily like but understand the sentiment behind).
So are we making things much more difficult than they need to be? Perhaps improving people’s knowledge – a difficult and expensive task of apparently limited efficacy – shouldn’t be our sole area of focus.
Thanks to our desire for consistency, if we can change the way people behave in practice in a small way, changing behavior in a big way should become a great deal easier.
Training people to lock devices when leaving a desk unattended might lead to fewer people downloading unauthorised software.
Training people to install security updates promptly might lead to fewer cases of social oversharing further down the line.
After choosing to behave in a secure manner in a simple way, people are much more likely to identify as security-conscious. And security-conscious people go out of their way to maintain their identity. Not doing so would be inconsistent; something people prefer to avoid.
When the focus of awareness campaigns becomes changing behavior – as opposed to improving knowledge – our desire for consistency automatically becomes an asset. The human desire for consistency could easily help people become more cyber secure.
However it’s worth noting, the effect works both ways: after repeatedly failing to lock an unattended device, people might start to believe cyber security is unimportant. In turn, they’re more likely to engage in risky behaviors further down the line.
At present, given people are typically indifferent, apathetic and skeptical about cyber security, our desire for consistency is probably working against us.
By focusing on changing people’s behavior (which we’re happy to report CybSafe demonstrably does) – as opposed to just improving knowledge – we may be able to keep people consistently safe.