006: What Cyber Hackers Can Teach You About The Art of Compliance

How to make boring ol' compliance training sexy AF.

OR... "How to make doing boring stuff easier"

"There is no contest between the company that buys the grudging compliance of its workforce and the company that enjoys the enterprising participation of its employees."
- Ricardo Semler

Hello my dear Bold Behaviourists. 👋🏽

I think Mary Poppins had it right: "In every job that must be done, there is an element of fun. You find the fun and - SNAP - the job's a game!"

Well, that's easier said than done when it comes to compliance aka "getting people to do the really important but boring stuff".

So I thought I'd share a Cyber Security study that might give you a few innovative ideas to get people snapped in.

The dangerous game of non-compliance

Imagine your business as a noisy, busy, bustling city.

Fast drivers eager to get there, slow drivers wanting to take their time and play it safe.

Compliance rules are the sexy traffic lights, guiding everyone safely through the streets without a prang in sight.

But what if no one paid attention to these signals?

Chaos!

Bangs, crashes, near misses. Elevated heart rates and harsh words... and of course log jams. I think CrowdStrike experienced this just last week.

Now, I am a big fan of tearing up the rule book when it comes to innovating.

At heart, I like to be disruptive and challenging.

Or at least that's what my mother says.

TBH I really like disruption. Only when it is useful.

To be successful with something dull, sometimes we need to look at who is being disruptive and breaking the rules successfully, even if we don't agree with them.

People like hackers.

Hackers are best in show for disruptive, innovative behaviour and fabulous at getting people to comply.

Horrible. But good.

Whether it's tax, cyber security, or VAT rules on Jaffa Cakes, there is a clever behavioural lesson to be learned from what my 7-year-old now calls "online pirates".

How hackers get people to comply

I found a recent study by a Professor of information systems and a Master’s student in data science that was rather BOLD.

Combining the precision of data science with the nuances of good old behavioural science, the study offered some cool insights into how hackers get people to comply, and what that tells us about communicating and enforcing compliance better.

Study Insights:

Cybercriminals are behaviourally clever folk, often exploiting human psychology to bypass security measures.

You recognise the tactics.

Emails that appear urgent or authoritative, tricking our fearful brains into revealing sensitive information.

This urgency activates our natural response to authority and scarcity.

And this is the important bit...

No matter how smart you are, these responses can take over.

They are very clever at manipulating our brains this way, and at taking our free will out of the equation.

We can learn a lot from these hackers.

The difference is that when we do it we will give people back their free will.

(Psychologically this is called a Nudge)

What Cyber Criminals can teach us about getting people to take action

The study utilised Robert Cialdini's principles of social influence (authority, scarcity, and social proof) to decode these manipulative tactics.

By analysing a dataset of known scams, the researchers identified regular patterns in how these psychological triggers were used.

For example, they tagged emails with "urgency" when they contained sweat-inducing language like "Your account will be locked in 24 hours if you do not respond!"

You know that already.

But here is where it gets interesting.

Combining Influence Principles Gets Higher Engagement

The most effective scams didn't rely on one principle; they combined several. Scams that used a hearty cocktail of urgency and authority together had significantly higher engagement and compliance rates than those using a single principle.

In short - using more than one principle is how to get your message across.

Pattern Recognition:

By tagging emails with the specific influence tactics they contained (e.g. urgency phrases like "your account will be locked in 24 hours"), the researchers could see which combinations of tactics were most effective at prompting a response, and then build algorithms to filter those combinations out.

Enhanced Detection and Prevention:

Understanding these patterns enabled cyber security teams to develop more sophisticated detection algorithms, which led to a significant reduction in cyber incidents.
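To make the tagging-and-combining idea concrete, here is an added example (mine, not code from the study or this newsletter) of the pattern-recognition step described above: a small rule-based tagger that labels an email with the influence principles it uses, rates it by how many principles it combines (with urgency + authority rated high on its own, as the study found that pairing most effective), and counts which combinations co-occur across a corpus. The cue phrases and the five sample emails are constructed for illustration; the study derived its tags from a labelled scam dataset, and a real filter would learn them the same way.

```python
import re
from collections import Counter

# Cue lexicons for urgency, authority, scarcity and social proof.
# ASSUMPTION: these phrases are illustrative, not the study's actual tag rules.
CUES = {
    "urgency": [
        r"\burgent\b", r"\bimmediately\b", r"\bact now\b",
        r"\b(in|within) \d+ hours?\b", r"\b(locked|suspended|terminated)\b",
        r"\bexpires? (today|soon)\b", r"\blast chance\b",
    ],
    "authority": [
        r"\b(it|security|compliance|finance)( security)? (department|team)\b",
        r"\b(ceo|cfo|director|hmrc|your bank)\b", r"\bofficial\b",
        r"\bpolicy\b", r"\brequired by\b",
    ],
    "scarcity": [
        r"\bonly \d+( \w+)? (left|remaining)\b",
        r"\blimited (time|offer|stock)\b", r"\bexclusive\b",
    ],
    "social_proof": [
        r"\b(everyone|all staff|your colleagues|most users)\b",
        r"\bothers have\b", r"\bjoin \d[\d,]*\b",
    ],
}
COMPILED = {p: [re.compile(c, re.IGNORECASE) for c in cues] for p, cues in CUES.items()}


def tag_email(text):
    """Return {principle: [matched phrases]} for every principle whose cues fire."""
    hits = {}
    for principle, patterns in COMPILED.items():
        found = [m.group(0) for pat in patterns for m in pat.finditer(text)]
        if found:
            hits[principle] = found
    return hits


def risk_level(principles):
    """Rate by how many principles are combined. Urgency + authority is the
    pairing the study found most effective, so that combination alone is high."""
    principles = set(principles)
    if not principles:
        return "none"
    if {"urgency", "authority"} <= principles or len(principles) >= 3:
        return "high"
    return "medium" if len(principles) == 2 else "low"


def score_email(text):
    """Tag one email and attach a risk rating based on the principles it combines."""
    hits = tag_email(text)
    return {"principles": sorted(hits), "cues": hits, "risk": risk_level(hits)}


def combination_counts(emails):
    """Count which principle combinations co-occur across a corpus (two or more
    principles only): the co-occurrence pattern the researchers were looking for."""
    return Counter(
        tuple(sorted(tag_email(e))) for e in emails if len(tag_email(e)) >= 2
    )


# Constructed sample corpus (not real messages).
SAMPLE_EMAILS = [
    "URGENT: Your account will be locked in 24 hours if you do not respond. - IT Security Department",
    "Only 3 licences left! Everyone on the team has already upgraded. Claim yours now.",
    "Hi all, the quarterly newsletter is attached. Have a lovely weekend.",
    "Final reminder: your password expires today. Reset immediately via the link below.",
    "Per company policy, the finance team requires all staff to verify their bank details immediately.",
]

if __name__ == "__main__":
    for email in SAMPLE_EMAILS:
        result = score_email(email)
        print(f"{result['risk']:<6} {result['principles']}  <- {email[:60]}")
    print(combination_counts(SAMPLE_EMAILS))
```

Note that the fourth sample, a perfectly legitimate password-expiry reminder, trips the urgency cue too. That is the newsletter's own point seen from the other side: the same triggers work whether the sender is a hacker or your IT team, so a filter built on wording alone has to be paired with sender and link checks, and your own compliance messages should expect to look a bit like phishing to such a filter.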

The same goes for you. Looking at both behaviour and data will give you a huge increase in engagement.

Cunning.

Maybe we can use this invaluable bit of info to craft compliance messages that are both engaging and effective?

Why This Matters for Compliance

As a leader in tech, accounting, or financial services, applying these behavioural insights could transform your compliance strategy. After all, as my fave Rory Sutherland says

"How you portray a fact determines how people respond"

And that's what hackers are really good at.

So by understanding the psychological triggers that influence behaviour, you too can design communications that inform and motivate your team to act on compliance measures.

Your BOLD challenge for the week 👩‍🔬

Are you ready to boost compliance engagement in your organisation this week?

Review your recent compliance communications—whether emails, policy updates, or training materials. See if you can identify potential biases or psychological triggers.

Look for elements of urgency, authority, or social proof.

How could they influence your team’s behaviour?

Are they motivating compliance or causing undue stress?

(Of course, consider if they are being used effectively and ethically.)

Finally, refine your messaging.

Aim for messages that are clear, motivating, and respectful of your team’s psychological responses.

Go. Be Bold. Change minds.

Alex

P.S. The result on going negative in your messaging...

Yet again an interesting result.

You may remember the last newsletter was about the impact of going negative in a political campaign. Short-term wins, but longer-term apathy...

What was REALLY interesting was the rate of opens VS long term opens...

Here are the titles tested:

A: 005: The Delightful Benefits of Negative Campaign Tactics That You Can Leverage At Work

or...

B: 005 Exposed: The Ugly Truth Behind Political Mud-Slinging That Will Change the Way You Give Advice

Want to guess what happened?

Title A was the winner - for speed of opens.

But it didn't get the most opens.

The negative title did long term.

54.5% opened title A, a delightful positive title. More of you opened it within 24 hours.

Overall, since that email came out a whopping 72.7% opened title B, the negative option.

I did a bit of a double-take when I saw the difference. I will ask ConvertKit (who hosts the newsletter) to explain more about their process out of interest.

So, it turns out the negative title didn't get opened straight away, but it did get more opens overall.

What do you make of that?

Sunnybank House, Mayfield, East Sussex TN20

Bold Behaviour Lab

I've spent 15 years experimenting with behaviour, talent development and innovation in some super cool innovative businesses with bright brainiacs. I'm writing about what I've learnt. Each week I share a juicy and effective behavioural science experiment that you can use to shift behaviour for stronger talent, tech and transformations.