Applying persuasion to information security

Social Psychology Professor Scott Plous mentioned a very enlightening almost 12-minute video on the "Science of Persuasion" by Robert Cialdini and Steve Martin.

Every security professional should be able to persuade their customers and users in an ethical and successful manner. I recommend watching this video. For those who can't or won't, here are some learning points:

Six decision-making shortcuts, or principles, that govern human beings' reactions and influence:

1. Reciprocity
In general, we feel obliged to answer back with kindness when we are the receivers of a nice act.

Cool tip from the video: If you describe your action while being kind, are the first to give, and make the gift personalised, then the reciprocal answer is even better. The statement "For you, nice people, here's an extra mint!" in the video corroborates this.



2. Scarcity

Simply put, human beings like to have more of what becomes scarce. If it is not scarce, then we do not have such a big interest. So, if you would like to sell your security services, tell your customers about your unique value proposition!



3. Authority
People follow the view of experts. Transposing the example shown in the video to the security world, if you display your security certifications, or even have someone else (even if they personally also benefit from it) market your great professional value, your customers will take your advice a little more seriously.

This principle also has a curious application: people are more easily persuaded by people wearing uniforms. Take this into account in your next social engineering engagement.


4. Consistency
People like to be consistent with decisions they have previously made. This is why some big requests are preceded by small, enticing, related requests that are far easier to accept.

Voluntary, active, public and, if possible, written commitments do wonders. I think this is really underused in our information security arena.



5. Liking
"Human beings prefer to say yes to those they like". Important point: Who do we like? According to Robert Cialdini and Steve Martin, we like people who are:

- Similar to us.
- Complimenting us.
- Cooperating with us.

Simple but powerful facts. The most important tip then: If you are bound to negotiate security measures with a customer, talk to them first in an informal manner to identify similarities, to compliment them and to cooperate with them.


6. Consensus
In general, we do not like to be the exception. Mention what other similar customers are doing. A way to apply this to our field could be showing reputable statistics on the adoption of specific security measures.




Channelling attention to persuade ethically

Happy ethical (and costless?) persuasion!