[MUSIC] When you think about habituation, what comes to your mind? Or what about habits in general? Most would agree that our habits impact us throughout our lives. For example, how in shape or out of shape we are depends on our habits. Our level of success is dependent on our habits as well. What about how happy or unhappy you are? You guessed it, a result of habits once again. What you repeatedly do will ultimately form the person you are, the things you believe, and the personality you'll portray. It just so happens our habits impact us in ways you may not even think about, In the book entitled Habit, The 95% of Behavior Marketers Ignore, Dr. Neil Martin found that 95% of the time an individual's behavior is dictated by their habits, which are unconscious in nature. So what is unconscious behavior? The term unconscious refers to a part of the behavioral spectrum in which all behavior is a result of habits. For example, did you know that when you go to a grocery store most of your purchases are based on your previous habits? You may always get the same type of milk or the same type of bread, or even the same cereal. At that point, the unconscious part of your brain is being engaged. But what if something changes and takes you away from that unconsciousness? At that point, the conscious part of your mind kicks in. In the case of the grocery store, it may happen if the store is out of the milk or the bread that you've always been buying. Here is another example of habit formation. Sometimes, when we enter a room, we may feel distracted by a noisy sound produced by an old air conditioning unit. But when we spend more time inside that room, we tend to ignore that annoying sound all together even though it is still there. Habituation, simply put, means that a person tends to ignore the stimulus to which he or she has been exposed to many times. For instance, after you wear pants, you will ignore the clothing stimulus as you continue on with doing other things. This is because the pants stimulus has already disappeared, perhaps due to neural adaptation in the sensory nerves. If you're habituated to wearing pants when you go outside but suddenly, you wear a skirt that day, your degree of response to the changing clothing stimulus is increased. This may explain the reason why you feel a bit shy, or not yourself, when in certain situations wearing the skirt when you otherwise would have wore pants. But after several hours, you feel as though you've, quote, gotten used to it and you no longer pay it any attention. What is it all has to do with cybersecurity? Many security breaches occur when users are not consciously aware of what they're doing. Also, contrary to recent headlines, not all threats in the cyber realm are malicious in nature. According to a Ponemon study, 70% of U.S. survey respondents, and 64% of German respondents stated that more security incidents were caused by unintentional mistakes rather than malicious acts. We contend that most of these unintentional mistakes are due to habitual behavior that promotes an unconscious response. An example in this context is if an employee is clicking on a suspicious web link that ends up being a part of a phishing scam. Even though the employee's organization has put in massive amounts of money in training everyone about cyber threats, he or she still clicks on that link. The reason for this has little to do with the training received but everything to do with the fact that over the years, that employee has routinely clicked on links. Can bad behavior be changed? Absolutely, the key is repetition. Behavior goes through the same process as habit formation. Novel situations create new behaviors that are often guided by conscious intention, but with repetitions over time, the behavior comes under the control of unconscious systems, which makes it habitual. This process is accelerated by reinforcing feedback and retarded by punishing feedback. The core of most security training is based on the assumption that education will lead to correct behavior. But as research in habituation illustrates, the dynamic process of behaviors repeated over time leads to a mental efficiency, via transferring all those behaviors to the unconscious control. Ultimately, the goal of all security training programs should be to switch all good actions to the unconscious mind. That would mean, if done correctly, that everyone would automatically do the right thing and keep an organization safe. Remember, 35% of our behavior is reliant on unconscious behavior. So it's important to focus on that as opposed to what a standard training program does which is focus on the 5%. [MUSIC]
