It’s Not a Pyramid Scheme: How Maslow’s Hierarchy of Needs Boosts Security Awareness
March 25, 2025

Often, organizations approach security awareness with the limited goal of only meeting established standards or regulatory requirements. However, taking such a tapered approach fails to account for the reality that humans create the greatest security risk to the organization. An organization’s defenses can only be as strong as its weakest link. In this article, I want to discuss why the organization’s security strategy should emphasize an innovative security awareness program. The key? Non-traditional techniques for building a human-focused security awareness culture.
Use a Defense-in-Depth Approach to Design a Tailored Program
Effective security awareness requires a defense-in-depth approach, layering multiple techniques and methods to drive cultural change and ultimately, transformation. Gone are the days of gauging the effectiveness of a security awareness program by the results of phishing tests! Instead, security awareness programs should be tailored to the organization and its people. It’s critical to bridge the gap between what is important to the organization and what is important to the human. Humans play a large role in an organization’s security risks. The inability to innovate and grow the security awareness program creates unnecessary risks to the organization.
Leverage Maslow’s Hierarchy of Needs
Maslow’s hierarchy of needs theorizes that there are five levels or drivers of motivation: physiological, safety, belonging, esteem, and self-actualization. Physiological needs (food, water, and shelter) and safety needs (health and employment) are the strongest needs and proponents of motivation. Belonging, esteem, and self-actualization are needs that can fluctuate in importance throughout a person’s life and are not prioritized in the same order from one individual to another.
Nonetheless, Maslow’s hierarchy provides keen insight into how an individual can be motivated or inspired to change or learn new habits. When that insight is applied to formulating security awareness strategies, objectives begin to target changes to human behavior that contribute to a security-aware human lifestyle rather than tasks that people only do while working.
Make Security Awareness Fun
A prime example of applying the hierarchy of needs is gamification. Gamification involves using game-playing elements, like point scoring and competition, to encourage participation and engagement. After all, humans love all forms of gaming! Point scoring and competition can speak directly to the human need for esteem and address the need for belonging or community.
Prizes and victory announcements are also gameplay elements and heavily rely on fulfilling the need for esteem. Applying gamification to security awareness can encourage engagement in strong security practices and change the perception that information security is boring or that information security practices aren’t applicable or useful for everyone.
Gamification techniques can include accolades for successful actions, such as continuously passing a phishing test, rather than just failing actions, as is typically done with phishing testing. As with the design of any security awareness program, techniques should always align with the organization’s culture and risk appetite.
If it aligns with your organization’s culture, introduce the learning concept of fun facts, where small, interesting facts that correlate with current events, social trends, or social media are offered and connect to concepts that people connect with outside of work. Correlating those fun facts to a popular TV or gameshow can help pique human interest in retaining and leveraging that information in the future for a potential win.
Make Security Awareness Personal
Leaning into the human need for safety can also be an effective method for driving cultural change. However, be careful not to cross into a territory of fearmongering and instead, focus on empowerment. Design the program with a theme of “knowledge is power.” Establish an understanding that applying security awareness techniques in our personal lives can help support our individual and loved ones’ safety. Rather than train employees on the potential indicators of a malicious email, showcase how oversharing personal information on social media can create risks to their safety or how using an insecure password for their personal email puts their bank account at risk.
Make Security Awareness a Shared Experience
Maslow’s hierarchy of needs calls out the need for belonging and esteem. Creating opportunities and avenues for people to share their experiences can help build a sense of community and belonging. It emphasizes a lessons-learned environment that’s resolution-focused and creates a culture of empowerment through knowledge. Be sure to provide those opportunities in a safe or even anonymous environment! That helps ensure unsuccessful experiences are viewed as opportunities to improve rather than failures.
Continuous Evolution
Maslow’s hierarchy of needs can be applied to security awareness in ways that can be tailored to the organization and its culture. Its application must not be limited to just one technique, but rather layered to create depth in strategy and allow for greater impact across the organization. Additionally, care should be taken to look for new opportunities and techniques to evolve the security awareness program. Other psychological and sociological concepts and methodologies can also be used alongside Maslow’s hierarchy to develop new techniques that foster cultural change.
Security awareness strategies will always differ for every organization, but an effective strategy will require the organization to look beyond the legacy approach of canned training and generic testing and get creative.
The focus must not be on fulfilling a regulatory obligation or checking an auditor’s box. Instead, focus on connecting to the human to develop a security awareness mentality in the individual and the organization. Security awareness is a human-risk control that can only be truly effective when the strategy and vision are focused on cultural change and development of the human.
Jeniece Vega, MSPM, PMP, CRISC, CISM, CISSP, is a Senior Director of Information Security & Privacy and oversees all facets of enterprise information security services and strategy. She's been in the Information Security space for the last 10 years and served in both technical and non-technical roles. She is passionate about the human component of information security and she continues to advocate for innovation around security awareness and the development of a strong security culture within the organization.