Security awareness is mainly about permanently changing habits

So in order to build better awareness, we have to better understand how bad habits can be broken and how good habits can be formed. And kept.

According to one renowned psychologist, it starts with understanding the “information-action fallacy”.

Every business is under constant threat of cyber attack, and your biggest vulnerability is often your people. AI is not only going to make these attacks more frequent and intense, but even harder for your people to spot.

The goal of security awareness training is to try and reduce that vulnerability, but it usually has very limited success. And maybe that’s because we’ve been doing it the wrong way.

Reminding and training about rules and policies are essential, but they rarely change much, especially behavior. And changing behavior, or more specifically habits, is the ultimate goal of security awareness.

The Psychology of Habits

According to psychologists, the best way to change bad habits, or to permanently create good ones, is motivation. You have to have a motivation to start and continue the habit-changing process.

So what’s the best motivation? Again according to psychologists, it might be as simple as an emotional connection to the habit.

BJ Fogg, a renowned behavioral scientist and director of Stanford University’s Behavior Design Lab, often talks about the information-action fallacy: the highly common mistake of assuming that simply giving people information, even repeatedly, will somehow result in a change of behavior or habit, a desired action.

Fogg also happens to be an expert on habits, and author of the New York Times bestselling book Tiny Habits.

He suggests that in order for habits to take and stick – like thinking before you click on a phishing email – there has to be an effective motivation. And the best kind of motivation is an emotional connection to the habit.

“It’s not a function of repetition,” said Fogg, “it’s a function of emotion.”

A Cause Your Employees Can Believe In

What’s an effective motivation or emotion in cyber security at work? Well, how about, instead of talking about phishing emails, talking about the very evil people who are usually behind the emails?

That they might be the very same people behind the romance and tech support scams that are robbing seniors, maybe your grandparents, of their life savings.

The same people behind the pig butchering scams that enslave thousands of poor immigrants and force them into sending out all those cruel crypto investment scams.

Or the same people who are engaged in the horrors of human and sex trafficking.

We know that most cyber attacks are orchestrated by criminal gangs, and these criminal gangs, either directly or through connected gangs, are also involved in some of the most evil crimes imaginable.

Could fighting that evil be the motivation, the emotional connection, the reason to care? Would you be more likely to pause before clicking on a suspicious email if you knew that by doing so you could be protecting your aging grandparents, and even depriving criminals of someone else’s hard earned money?

That being smart about passwords, more careful with data, and protecting your devices might be all that it takes to get back at or get even with this evil criminal empire.

Instead of focusing on the rules and policies to prevent the crimes, perhaps a better motivation is to focus on the people behind the crimes. After all, they’re the only reason that cybersecurity, and cybersecurity awareness rules and policies, exist at all.

The message doesn’t have to be positive to be motivational.

Too often with security awareness messaging we feel compelled to keep it positive, that talking about negative subjects or in a negative way will not engage employees. But what if we’re just wrong?

Those same psychologists remind us that humans are much more likely to gravitate towards negative news stories and react accordingly. After all, that’s been the key to the success of social media.

I’ve always found that the best way to get people more motivated to engage is to introduce them to the real human harm these crimes cause, and the often very evil people behind the crimes.

Not a pleasant topic, but little in security really is. But still, it might just work. Even just a little. And that might be just enough.