Security awareness is a term that often makes IT security pros cringe. It brings to mind images of mind-numbing training or of ineffectual posters and stress balls urging employees to change their passwords frequently.
Based on years of experience working with enterprises and other large organizations, we are launching a new blog series, “7 Principles Critical to Security Awareness Programs”, that will offer some insight into concepts we have incorporated into our solution to demonstrably improve security awareness for our customers.
The first topic we will address is marketing.
Changing behavior is one of the greatest challenges security officers face when implementing security awareness programs. Convincing people to change is hard in any arena, but when it comes to security – an area which most users neither know nor care much about – it’s especially difficult. We can learn a lot about changing behavior from a source security pros are often wary of: marketers.
Marketers are experts at exposing people to new information and getting them to act on it, which is basically the same thing we are trying to accomplish with security awareness. We are essentially selling the idea of security to a skeptical user base. Marketers face this kind of problem every day. It’s their job to get people who are unaware of, or uninterested in, a product to learn about it and ultimately buy it. This often requires creative and persistent tactics, but one thing marketers always keep in mind is that they have to make people want to learn more and act. People aren’t going to behave a certain way because we want them to; there has to be something in it for them.
At a high level, businesses develop marketing strategy by prioritizing between lead generation and branding. For emerging products and brands, lead generation is the key objective. This requires more proactive outreach to grab and keep potential customers’ attention. For a nascent product or company, a marketing plan needs to inform and change how people think; simply running some print ads will not convince people to make a change. For PhishMe, lead generation has meant actively meeting with our potential customers and showing them our product first-hand.
Security awareness, which often receives short shrift if it gets any attention at all, requires an approach similar to lead generation. I can tell you from years of talking to security professionals frustrated over the ineffectiveness of their security awareness programs that a passive approach doesn’t work. Posters telling users to change their passwords – the security equivalent of a print advertisement – aren’t going to convince people to change. These may be a nice supplementary element of your program, but if this is all you’re doing, you’re setting yourself up for failure.
Security awareness training that is quick, interactive, minimally interrupts the user, and is above all interesting is the best way to grab and keep a person’s attention and make security awareness memorable.
Furthermore, when trying to get a person to do something that doesn’t come naturally, it needs to be fun. If people enjoy security awareness, and talk about it with their peers, not only will they be more likely to participate, the experience will be more memorable. I always point to the example of a company that wanted to promote health and wellness in its workforce. The company decided to do so by shutting down escalators during lunch hours, between 11 am and 1 pm. Did people start taking the stairs at lunch? No, they simply started eating lunch before 11 am or after 1 pm. However, when the company installed piano-key mats on the stairs that played musical notes when stepped on, everyone started taking the stairs. Turns out that when an uncomfortable task such as taking the stairs is fun rather than a nuisance, people are more likely to do it. Shocking, right?
Marketers are also data hounds. They don’t wonder whether a marketing initiative was effective; they track data for everything they do and analyze the metrics afterward. With this blog post, for example, our marketing department will track engagement through social media using a bit.ly link, and will analyze a number of data points about the viewership of this post using analytics. This wealth of data gives marketing departments a concrete picture of what works and what doesn’t, and allows them to adapt techniques accordingly.
Your security awareness program should apply this same approach to data. Using tools that track user response and interaction (hint: PhishMe provides these metrics) will help you measure the success of your initiatives. Posters on the wall are nice, but if you’re not tracking the effectiveness of your security awareness program with concrete data and metrics, you’re going about it the wrong way.
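To make the measurement point concrete, here is an added example (not PhishMe’s code, data or reporting format) of the kind of metrics a program owner would track across simulated-phishing exercises. It parses a constructed event log for two hypothetical campaigns and computes click rate, report rate, the share of recipients who reported without ever clicking, and median time to report, then shows the change from one campaign to the next. All users, campaign names and timestamps are made up for illustration.

```python
"""Compute security-awareness metrics from a simulated-phishing event log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log, one event per line: campaign,user,event,ISO timestamp.
# Event types are sent, opened, clicked and reported. Users and campaigns are hypothetical.
SAMPLE_LOG = """\
q1,alice,sent,2024-01-10T09:00:00
q1,alice,opened,2024-01-10T09:05:00
q1,alice,clicked,2024-01-10T09:06:00
q1,bob,sent,2024-01-10T09:00:00
q1,bob,reported,2024-01-10T09:20:00
q1,carol,sent,2024-01-10T09:00:00
q1,carol,opened,2024-01-10T10:00:00
q1,carol,clicked,2024-01-10T10:01:00
q1,carol,reported,2024-01-10T10:03:00
q1,dave,sent,2024-01-10T09:00:00
q2,alice,sent,2024-04-10T09:00:00
q2,alice,reported,2024-04-10T09:02:00
q2,bob,sent,2024-04-10T09:00:00
q2,bob,reported,2024-04-10T09:30:00
q2,carol,sent,2024-04-10T09:00:00
q2,carol,opened,2024-04-10T09:10:00
q2,carol,clicked,2024-04-10T09:11:00
q2,dave,sent,2024-04-10T09:00:00
q2,dave,opened,2024-04-10T11:00:00
"""


def parse_events(text):
    """Turn the CSV-style log into (campaign, user, event, datetime) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        campaign, user, event, ts = line.split(",")
        events.append((campaign, user, event, datetime.fromisoformat(ts)))
    return events


def campaign_metrics(events):
    """Per campaign: recipients, click rate, report rate, report-without-click rate,
    and median minutes from delivery to the user's report."""
    # campaign -> user -> event -> earliest timestamp (a user may click twice; count once)
    per = defaultdict(lambda: defaultdict(dict))
    for campaign, user, event, ts in events:
        seen = per[campaign][user]
        if event not in seen or ts < seen[event]:
            seen[event] = ts

    results = {}
    for campaign, users in per.items():
        sent = [u for u, ev in users.items() if "sent" in ev]
        clicked = [u for u in sent if "clicked" in users[u]]
        reported = [u for u in sent if "reported" in users[u]]
        # The behaviour a program wants to grow: reporting without taking the bait.
        reported_no_click = [u for u in reported if u not in clicked]
        minutes = [(users[u]["reported"] - users[u]["sent"]).total_seconds() / 60
                   for u in reported]
        n = len(sent)
        results[campaign] = {
            "recipients": n,
            "click_rate": round(len(clicked) / n, 3) if n else 0.0,
            "report_rate": round(len(reported) / n, 3) if n else 0.0,
            "report_without_click_rate": round(len(reported_no_click) / n, 3) if n else 0.0,
            "median_minutes_to_report": median(minutes) if minutes else None,
        }
    return results


def trend(metrics, earlier, later):
    """Change in each rate between two campaigns; negative click_rate delta is improvement."""
    keys = ("click_rate", "report_rate", "report_without_click_rate")
    return {k: round(metrics[later][k] - metrics[earlier][k], 3) for k in keys}


if __name__ == "__main__":
    m = campaign_metrics(parse_events(SAMPLE_LOG))
    for campaign, stats in sorted(m.items()):
        print(campaign, stats)
    print("q1 -> q2:", trend(m, "q1", "q2"))
```

Run as-is, it reports each campaign’s rates and then the deltas between the two, which is the view that tells you whether the program is moving behaviour rather than just running. Tracking the report-without-click rate alongside the click rate matters because a falling click rate on its own can simply mean a less convincing lure; users reporting more, and faster, is the signal that awareness is actually taking hold.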
Marketers constantly look for fun and engaging ways to attract potential customers and motivate them to learn about their product(s). Applying the marketing mentality to security awareness, thinking about your company’s employees as your customers, is a critical guiding principle to ensure your program is a success.
This is the first post in a series titled “The 7 Principles Critical to Security Awareness Programs.” View the archive of the series here.