Our brains can be our own worst enemy when it comes to following security controls. It’s not that we don’t want to follow the rules; we do. The problem is that our experiences and memories influence us to make decisions based on remembered processes rather than current processes. Process designers and security educators need to factor this bias into our creations.
Cognitive biases are strange things. They tend to lurk just under the surface of conscious thought, quietly directing our behaviour like the tide pressing against an unmoored dinghy. Biases have significant influence on users’ ability to comply with security controls -- not their willingness to comply.
When a security control conflicts with a deep-seated subconscious urge that contradicts the control, users will often rationalize justifications to deviate from the control even when they recognize and respect the need for it.
This isn’t a matter of wilful disobedience and it isn’t something users should be punished for doing. Rather, it’s an inherent weakness in the so-called “human operating system” that control designers and security awareness professionals must consider when attempting to influence user behaviour. We need to help people recognize their own biases first, then help them develop skills for deliberately overriding their unconscious biases so they can succeed.
A classic example of an annoying unconscious bias is the Availability Heuristic. It’s a mental shortcut that we employ throughout the day. When we’re presented with a situation, we tend to consider the situation in terms of specific examples that we’ve personally experienced rather than on an impersonal, data-driven model. This influences our thinking, because we place more importance on what we’ve experienced … and the more recent the example(s), the stronger the effect.
This isn’t always counterproductive. Some people might call this the “voice of wisdom.” It’s reasonable to assume that a person who has experienced a specific situation before should be better prepared to deal with a second instance of it than someone who has never experienced it at all. The problem is, availability bias doesn’t ensure the examples we’re drawing from to make our judgments are rational, relevant, or reasonable given the current situation’s specific manifestation.
This is particularly troublesome given how much the technological landscape has changed over the decades. Perfectly sound responses to problems five years ago can be useless or even counterproductive now.
Take, for example, something as mundane and unimportant as presentation slide design. My colleague Nick and I constantly clash over slide aspect ratio. Not because we’ve taken two incompatible positions on the subject and have compelling arguments to justify our positions; it is because I keep reverting to making slides the “old school” way no matter how many times Nick reminds me to join the modern world.
I started making electronic slides back in the early 1990s when I was posted to an Army Medical Battalion at Fort Hood, Texas. One of my jobs as a staff officer was to help the Battalion HQ, our subordinate Medical Companies, and our affiliated Medical Detachments prepare and brief their monthly Unit Status Reports.
Every month, I’d help the six lower-level commanders fill out their worksheets and I’d use their data to assemble our consolidated battalion-level report. Then I’d generate all the briefing slides for the seventeen separate meetings that were required to run the reporting process from start to finish.
Back then, we used a legacy application called Harvard Graphics on our 1980s-vintage, DOS-based PCs. It was unique for its day because it could import graphs and tables from files and other applications, making it the best available tool for presenting the data that commanders and their staff officers would each use to brief their next-higher echelon about their issues and what they were doing to address them. Once finalized, we’d print our electronic slides onto plastic sheets that could be presented on an overhead projector, or onto actual photo slides for 1960s-style projection.
Photo slides: photos printed on transparent plastic set in a cardboard frame. Put a light source behind it and “project” it on a screen in a dark room. Imagine how difficult it was to create these and you’ll understand why some experienced colleagues sometimes seem reluctant to make edits to their presentations.
So, I learned to make slides when every slide had to be generated as a single file – no slide “decks” back then, the way PowerPoint does it. We had rules around standardization for everything from the font size to the slide size based on the constraints of our PCs, our applications, our printers, and our projectors. Those rules stuck.
Of course, technology has evolved. By the time I got to Fort Rucker in 1996, we’d all started using PowerPoint. Nonetheless, the old rules governing Army slide-making were carried forward: 24-point main bullets below the title, no more than two levels of sub-bulleting, sans serif fonts whenever possible, and always maintain a 4:3 aspect ratio in case you get to present on a television or computer monitor. As we all mustered off active duty and joined the corporate world, we carried those rules with us like they were holy commandments.
My colleague Nick was in fourth grade when I was internalizing all of those “unbreakable” rules. He was in high school during the first Dot Com Bubble and attended university during the ascendancy of laptops and LCD displays. By that point, everyone was using PowerPoint and the norms surrounding slide design were changing. He had no difficulty shifting from the classic 4:3 slide aspect ratio to the new 16:9 “cinema aspect” ratio.
This brought us into conflict last year when we were designing new iterations of our slide decks for the live version of our new user security training course. I wrote the first drafts using the standard company .PPTX template. When Nick went to convert them into a computer-based training module, he noticed that the course would play better in 16:9. He asked me to switch to the company’s other standard .PPTX template so that conversions would be easier for him.
Given how much we do in an average day, any process change that saves us time is a huge help.
You can guess what happened: I created one new version in 16:9, then immediately defaulted back to 4:3 out of unconscious habit. Nick called me out for it, and I kept doing it anyway. It’s become a running joke between us, as I’m compulsively drawn back to making slides “by the book” … based on a book that’s been obsolete for over a decade. The problem isn’t a lack of will, skill, or understanding. It’s a matter of deep-seated subconscious bias.
Having made thousands of slides and slide decks over the years, my instinct when starting any new slide project is to do things “correctly.” The mountain of examples I have stored in memory makes me easy prey for the Availability Heuristic.
Moreover, every new project I start based on the “old ways” acts as reinforcement. It’s embarrassing, yet a strong example of how our brains betray us.
Fortunately for me, slide aspect ratio doesn’t factor into any security controls. It does, however, help Nick and me remember that we must factor people’s experience and exposure to concepts into our training. We can’t reasonably expect people to follow guidance that contradicts years of conditioning.
To effect positive behaviour change, we need to present new conduct as a clear break from past practice, and then reinforce our training with interesting and personally relevant examples that people will remember. We counter the Availability Heuristic by front-loading our training with new ideas that frame the guidance as a reasonable response to a new situation rather than a change to a legacy process. This helps people adapt to the change faster and more reliably.
When I relate stories of those “olden days” to my Gen Z kids, they howl with laughter. Then they ask how we managed to fit such bulky equipment on our Conestoga wagons.