We’re all creatures of habit. Often, this is to our advantage, as a good habit helps us remember to perform crucial actions that keep us safe. When changing security processes, though, people’s learned habits can prevent necessary changes from taking effect.
Do you have a regular routine before leaving the house in the morning? Personally, I check that all my required equipment is in place: wallet > keys > phone > watch > ID card in that order. If anything isn’t where it’s supposed to be, I stop and secure the missing item -- a habit from my military service. This personal sequence has saved me from embarrassment and inconvenience many times.
Habits are powerful things. A good security practitioner leverages the power of habit because, as Perry Carpenter explained in his new book Transformational Security Awareness: “We are creatures of habit: We like to do things in the same way that we’ve done them in the past. Our bodies and minds reinforce this by creating habits (patterns of behavior that become automatic). Breaking a habit is difficult because the habitual behavior is deep-seated and can even be comforting to us.” 
We try to promote certain security controls as habits when we teach. Little things, like “always check that your photo ID badge is showing when you enter or leave a room.” A habit like this facilitates strong physical security so long as it’s common throughout the organisation. Another one is “always lock your workstation when you leave your seat.” This helps prevent others from accessing company information resources through your authenticated network account.
Unfortunately, habits can work against us just as often as they work for us. Once a behaviour pattern is internalized and applied subconsciously, we stop thinking about it. We let our body run on cruise control even when our learned behaviour is wrong for the circumstances.
Rational people will try to use the lifts during a fire evacuation. This is why fire drills are necessary: by forcing people to practice evacuating via stairwells, it teaches a new habit to counter the default behaviour. More on this below.
A funny example of this came recently from my colleague Nick. You might remember him from last year’s article How the nonsensical can make sense in cyber security. Nick still leaves his empty wallet lying around but never forgets his mobile phone. He’s a creature of habit.
Along those lines, Nick was bursting to share a funny story with me. With a huge grin, he asked me a riddle: “I bought two mops this weekend. How many mops do I own?” When I answered, “at least two, mate” he laughed and told me “zero mops!”
As Nick described it, he decided to thoroughly clean his flat this weekend, adding a mop to his list of groceries. At checkout, he paid his bill, pocketed his receipt, and dutifully scooped up all his bags as a matter of habit, and strolled home. It was only after he arrived back at his flat that he realized he’d left his brand-new mop at the store. It was too large to fit in a standard disposable grocery bag, so his mind passed right over it as he was completing his usual shopping routine.
“I wasn’t going to fuss over a two-dollar mop,” he admitted. “and I had time. So, I walked back to the store, found a much better mop, and bought it. I figured it was a ‘win’ since my new five-dollar mop was the kind I’d really wanted in the first place.” Feeling chuffed, Our Nick took his prize to the self-checkout till, paid for his purchases, scooped up his receipt and all his grocery bags and walked home … again, without a mop.
Hopefully someone got some use of them. Poor forlorn mops …
Nick’s story illustrates a critical problem affecting all security awareness programs: users’ habits will beat their good intentions every time. When people operate on automatic pilot, whatever behaviour they’ve internalized will run without considering changes in context, circumstance, or protocol. People will keep doing what they’ve always done.
Obviously, this can be a problem. It hits us hardest when trying to introduce incremental change to existing processes. When people have internalized a standard behaviour, adding new steps or inputs can fail outright because people keep following their last-known-good protocol. To mitigate this, new processes need to be engineered to either include interrupts (i.e., process breaks that force someone to stop their habitual routine and apply the change) or else nullify the previous process. Both methods are disruptive, but necessary. They stop the established habit from running fully.
This disruptive change doesn’t have to be left up to the end user. Had Nick chosen conventional checkout, his cashier could have simply handed him his new mop with his receipt, it would have broken his usual pattern of pocketing the receipt before securing his plastic bags. The interrupt would have forced him to juggle the unwieldy mop with one hand, thereby compelling him to factor the new input against his standard practice.
One of the best ways to see what interrupts or process changes are required is to gather a select group of disinterested testers. Teach them the new process on a Monday, then bring them back the following week under a different pretence and observe them. By letting the initial new process information settle to the back of their minds (metaphorically), you’ll increase the odds your testers will act according to their established habits rather than on your changes. If at least half of your test group forgets to follow the new process, that’s a sure sign you need to change the new process to make it sufficiently different to force users out of their established habits.
 Page 86. The book’s full title is Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Security Behaviors. Highly recommended.