By Jason Hoenich on Dec 1, 2018
The secret to effective security awareness programs is having a foundational understanding and knowledge of behavioral science, behavioral psychology, and neuroscience concepts. What? It's the science behind why we do what we do, how we're motivated to make decisions by things around us, and how most of the time - we have little actual control over our choices. Understanding these cognitive concepts will help boost your programs into the stratosphere.
Habitu8 was founded by security awareness professionals who have obsessed over these books, podcasts, and blogs for the last 10 years. Jason Hoenich (founder, CPO) can get sidetracked for an entire day talking about these books and resources, and how they helped him build security awareness programs for some of the world's most well-known companies like Disney, Activision Blizzard, and Sony Pictures.
Here is his list of crucial reads & listens for those eager to boost the effectiveness of their security awareness programs.
In no particular order, of course...each entry will include an excerpt from an external source along with a statement from Jason as to why it is relevant.
1. Start with Why - Simon Sinek
In studying the leaders who've had the greatest influence in the world, Simon Sinek discovered that they all think, act, and communicate in the exact same way -- and it's the complete opposite of what everyone else does. Sinek calls this powerful idea The Golden Circle, and it provides a framework upon which organizations can be built, movements can be led, and people can be inspired. And it all starts with WHY.
Starting with WHY works in big business and small business, in the nonprofit world and in politics. Those who start with WHY never manipulate, they inspire. And the people who follow them don't do so because they have to; they follow because they want to.
Drawing on a wide range of real-life stories, Sinek weaves together a clear vision of what it truly takes to lead and inspire. This book is for anyone who wants to inspire others or who wants to find someone to inspire them. (Goodreads)
For me, this book is a foundational requirement for any security awareness professional or CISO. The concepts in this are so important and it is such an easy read. Once I read it and adjusted my approach to include this concept - my entire program morphed nearly overnight. Why? But why? But why? So powerful.
I continue to use the start with why approach nearly daily in almost everything I do or problems I'm trying to resolve. It goes beyond security awareness; I use it in personal life issues and projects - it is just something everyone can benefit from reading.
2. Building a StoryBrand: Clarify Your Message So Customers Will Listen - Donald Miller
Donald Miller’s process is a proven solution to the struggle business leaders face when talking about their businesses. This revolutionary method for connecting with customers provides readers with the ultimate competitive advantage, revealing the secret for helping their customers understand the compelling benefits of using their products, ideas, or services.
Building a StoryBrand does this by teaching readers the seven universal story points all humans respond to; the real reason customers make purchases; how to simplify a brand message so people understand it; and how to create the most effective messaging for websites, brochures, and social media.
Whether you are the marketing director of a multibillion dollar company, the owner of a small business, a politician running for office, or the lead singer of a rock band, Building a StoryBrand will forever transform the way you talk about who you are, what you do, and the unique value you bring to your customers. (Goodreads)
This book blew my mind when I read it. This is another short and simple read that provides so much amazing guidance. As security awareness practitioners, we often struggle with why our coworkers won't pay attention to our messaging. We assume we're doing all the right things by providing them lists of information and weekly emails. This book made me realize that if I didn't have a strong brand that was trusted and recognized within the company, my messaging would continue to fall on uninterested ears.
For anyone about to start building a new program, or who needs to refresh their existing one, we can all benefit from understanding the core branding techniques that are likely missing from our programs. Obviously, I've put these techniques to work for my own personal brand on LinkedIn and while developing the Habitu8 brand. This book is like a cheatsheet for all the marketing secrets out there.
3. If I Understood You, Would I Have This Look on My Face? - Alan Alda
If I Understood You, Would I Have This Look on My Face? is the warm, witty, and informative chronicle of how Alda found inspiration in everything from cutting-edge science to classic acting methods.
His search began when he was host of PBS's Scientific American Frontiers, where he interviewed thousands of scientists and developed a knack for helping them communicate complex ideas in ways a wide audience could understand--and Alda wondered if those techniques held a clue to better communication for the rest of us.
Drawing on improvisation training, theater, and storytelling techniques from a life of acting, and with insights from recent scientific studies, Alda describes ways we can build empathy, nurture our innate mind-reading abilities, and improve the way we relate and talk with others. (Goodreads)
I think we're starting to see a pattern here. Obviously I highly value communication skills. It is the fundamental core reason why our messages often fail to engage our coworkers. What I liked about this book was that I had no idea that the M*A*S*H* actor was so involved in helping scientists communicate their findings so that they could acquire larger amounts of funding to continue their research. It is fascinating.
He includes a laundry list of behavioral science research, studies, and authors and discusses them in a way that is viscerally human. It's another book that you can read quickly and come away with a greater sense of applicable knowledge and how you can improve your security awareness program communication.
4. Switch: How to Change Things When Change Is Hard - Chip & Dan Heath
Why is change so difficult and frightening? How do you create change when you have few resources and no title or authority to back you up? Chip and Dan Heath, the best-selling authors of Made to Stick, are back with a ground-breaking book that addresses one of the greatest challenges of our personal and professional lives — how to change things when change is hard.
In their follow-up book to the critically acclaimed international bestseller Made to Stick, Chip and Dan Heath talk about how difficult change is in our companies, our careers, and our lives, why change is so hard, and how we can overcome our resistance and make change happen. (Goodreads)
I read this book after I read Kahneman's Thinking Fast and Slow and it helped me to really grasp the concept of the emotional and rational halves of our brains. I really needed the metaphors they used in here and it helped me to rethink and understand how to motivate change, mass scale change, in corporate cultures that I didn't quite have a grasp on.
One of my favorite concepts from the book is Motivate the Elephant...that's the task we have with security awareness & education. Really, all of the Heath brothers' books are must reads, but I really enjoyed this one and I believe the security awareness industry is a prime example for use of their research and suggestions. They also write in a way that is really simple and clear. This was a book I was recommending to others before I even finished it.
5. Drunk Tank Pink - Adam Alter
Most of us go through life believing that we are in control of the choices we make, that we think and behave almost independently from the world around us, but as Drunk Tank Pink illustrates, the truth is our environment shapes our thoughts and actions in myriad ways without our permission or even our knowledge.
Armed with surprising data and endlessly fascinating examples, Adam Alter addresses the subtle but substantial ways in which outside forces influence us--such as color’s influence on mood, our bias in favor of names with which we identify, and how sunny days can induce optimism as well as aggression. Drunk Tank Pink proves that the truth behind our feelings and actions goes much deeper than the choices we take for granted every day. (Goodreads)
This book may get the label "Most Fun Read". Lots of really interesting studies about real-life examples of how our environment has been used to subconsciously change behavior. Again, for practitioners who are attempting to change behavior of those around them, this book has a ton of really fascinating examples and research references to studies.
Lots of support for color selection and priming someone before a decision needs to be made. Add it to your queue!
6. Predictably Irrational: The Hidden Forces That Shape Our Decisions - Dan Ariely
Why do we splurge on a lavish meal but cut coupons to save twenty-five cents on a can of soup?
When it comes to making decisions in our lives, we think we're in control. We think we're making smart, rational choices. But are we?
In a series of illuminating, often surprising experiments, MIT behavioral economist Dan Ariely refutes the common assumption that we behave in fundamentally rational ways. Blending everyday experience with groundbreaking research, Ariely explains how expectations, emotions, social norms, and other invisible, seemingly illogical forces skew our reasoning abilities.
Not only do we make astonishingly simple mistakes every day, but we make the same "types" of mistakes, Ariely discovers. We consistently overpay, underestimate, and procrastinate. We fail to understand the profound effects of our emotions on what we want, and we overvalue what we already own. Yet these misguided behaviors are neither random nor senseless. They're systematic and predictable--making us "predictably" irrational.
From drinking coffee to losing weight, from buying a car to choosing a romantic partner, Ariely explains how to break through these systematic patterns of thought to make better decisions. "Predictably Irrational" will change the way we interact with the world--one small decision at a time. (Goodreads)
I love all of Dan Ariely's stuff. In fact, I was super excited when I saw that Bruce Hallas had interviewed him for his Re-thinking the Human Factor podcast and featured him in his book of the same title.
What I really loved about this book was the candidness and ease with which Dan writes about complex studies he conducted at MIT in a way that allows immediate engagement with the book. My key takeaway from this book was the chapter discussing anchor points and how it is such a powerful subconscious tool you can use in life. I used the concept when I was priming my executive leadership to allow me to reduce the required annual training length from 75 minutes down to just 25 minutes, by first stating "I'm not asking to do a 5 minute training..."
7. Pre-Suasion: A Revolutionary Way To Influence and Persuade - Robert Cialdini
The author of the legendary bestseller Influence, social psychologist Robert Cialdini shines a light on effective persuasion and reveals that the secret doesn’t lie in the message itself, but in the key moment before that message is delivered.
What separates effective communicators from truly successful persuaders? Robert Cialdini explains how to capitalize on the essential window of time before you deliver an important message. This “privileged moment for change” prepares people to be receptive to a message before they experience it. Optimal persuasion is achieved only through optimal pre-suasion. In other words, to change “minds” a pre-suader must also change “states of mind.”
From studies on advertising imagery to treating opiate addiction, from the annual letters of Berkshire Hathaway to the annals of history, Cialdini draws on an array of studies and narratives to outline the specific techniques you can use on online marketing campaigns and even effective wartime propaganda. He illustrates how the artful diversion of attention leads to successful pre-suasion and gets your targeted audience primed and ready to say, “Yes.” (Goodreads)
Cialdini is a legend. His original book - Influence - is a classic that stands on its own and is also highly recommended. However, Pre-Suasion, for me, was everything I needed. The book gets a lot of mixed reviews for various reasons, but what I really loved about this was when he shared what he learned while working with a large pharmaceutical company's corporate communications team while building his presentation deck for an internal conference he was keynoting.
Not everything is a gem, as with most of these books - but there is plenty to consider for use in security awareness programs. Every little bit we can do to make our messages more engaging, even priming our coworkers to "hear" the message, will help us create stronger programs.
8. Re-thinking the Human Factor (Podcast & Book) - Bruce Hallas
In ‘Rethinking the Human Factor’, information security expert, Bruce Hallas sets out a new philosophical approach. Rather than creating a separate security culture, Hallas’ focus is on how to make risk mitigation an unconscious ‘habit’ that’s embedded within the organisation.
His ground-breaking philosophy draws on insights from neuroscience, behavioural science and economics, marketing, psychology and culture, and shows it is possible to redesign information security initiatives by making ‘the right behaviour become the easy behaviour’. (Goodreads)
This is my new favorite podcast. Bruce landed Dan Ariely and Stella Collins for separate interviews on this podcast, which is huge. To hear these behavioral scientists discussing information security directly makes my brain purr. What is so great about the podcast is how intentional the selected interviews are and how the discussion transgresses all relevant and important topics for security awareness professionals. Everything is specific to the security awareness industry - and I love it.
The book is a gem and should be considered the field guide for all CISOs and security awareness professionals.
8. Hooked: How to Build Habit-Forming Products (Podcast & Book) - Nir Eyal
Why do some products capture widespread attention while others flop? What makes us engage with certain products out of sheer habit? Is there a pattern underlying how technologies hook us?
Hooked is based on Eyal’s years of research, consulting, and practical experience. He wrote the book he wished had been available to him as a start-up founder—not abstract theory, but a how-to guide for building better products. Hooked is written for product managers, designers, marketers, start-up founders, and anyone who seeks to understand how products influence our behavior. (Goodreads)
This was my favorite new podcast until I discovered Bruce's. The book and the theory of the book are great for us security awareness nerds. We need all the research and guidance we can get when it comes to understanding behaviors and helping users form new habits. The podcast does a great job of including ideas from the book, but he also often interviews other researchers and scientists and the best part is each episode is like 10 minutes long. It's great micro-learning!
9. Captivology: The Science of Capturing People's Attention - Ben Parr
Whether you’re an artist or a salesperson, a teacher or an engineer, a marketer or a parent—putting the spotlight on your ideas, insights, projects and products requires a deep understanding of the science of attention. In Captivology, award-winning journalist and entrepreneur Ben Parr explains how and why the mind pays attention to some events or people—and not others—and presents seven captivation triggers—techniques guaranteed to help you capture and retain the attention of friends, colleagues, customers, fans, and even strangers.
Parr combines the latest research on attention with interviews with more than fifty scientists and visionaries—Facebook’s Sheryl Sandberg, film director Steven Soderbergh, LinkedIn CEO Jeff Weiner, magician Jon Armstrong, New York Times bestselling author Susan Cain, Nintendo’s Shigeru Miyamoto, founder of Reddit Alexis Ohanian, and more—who have successfully brought their ideas, projects, companies, and products to the forefront of cultural consciousness. The result is an insightful and practical book that will change how you assign jobs to your kids or staff, craft a multi-million dollar ad campaign, deliver your next presentation, attract users to your product, or convince the world to support your cause. (Goodreads)
I loved this book. It is super short, super fun, and packs so much useful information for security awareness peeps. My favorite favorite favorite takeaway from this book is the idea of "violate people's expectations". I use it over and over and bring it up whenever I can; it has become a core staple to my way of thinking. No brainer, just read it.
10. Brainfluence (podcast) - Roger Dooley
This podcast is almost priceless in its value to us in the security awareness industry. Roger Dooley interviews everyone. EVERYONE. I think almost every author on my list is featured at some point on his podcast. They're around 30-40 minutes which means they're super digestible and each episode is like a cheatsheet to the book the author wrote. I listened to almost all the episodes which then led me to each of the books I recommend. I put it last on my list so that you have a single, lazy, one-off solution if you don't like reading or listening to audiobooks. This is your secret weapon.
This list is by no means exhaustive; it was really hard to limit this to ten.
Also, it is upsetting to me that the books I have the most admiration for are also by male authors. I would like to take a moment to state that this is not intentional but I do find it a bit disturbing and would welcome recommendations from female authors as well.
Here are a few others worth researching:
- Neuroscience for Learning & Development - Stella Collins
- Actionable Gamification - Yu-kai Chou
- Nudge - Richard Thaler & Cass Sunstein
- Grit - Angela Duckworth
- Talk Like TED - Carmine Gallo
- Invisible Influence - Jonah Berger
- Sway - The Irresistible Pull of Irrational Behavior
- The Power of Habit - Charles Duhigg
- The Human Factor - Jenny Radcliffe (podcast)
I hope this list provides guidance and helps you navigate this wonderful world of security awareness and human behavior, as they are attached at the hip. Please share this with others and let's get a conversation going!