By Daniel Norman, Senior Solutions Analyst at the Information Security Forum.
Frequently delivering micro-content, using apps, email reminders and posters can all help deliver messages in smaller, digestible doses, rather than overwhelming the employee
Many organizations struggle to develop education, training and awareness initiatives that are impactful, engaging and resonate with the audience. Typically, a lack of funding forces organizations to run plain, dull, repetitive awareness campaigns, or they just do enough to meet regulatory requirements. This approach to changing security behavior is fundamentally flawed — however, there are several cost-effective approaches that organizations can use to change, promote and sustain good security behavior.
Firstly, the idea of ‘blanket awareness’ is dead — all content needs to be tailored and contextualized to specific role requirements. For example, a senior executive will not experience the same threats as a marketing manager, so why should they both have to complete the same training course? Each employee should be equipped with the necessary knowledge and skills to identify and respond appropriately to role-specific threats. Security mentor schemes are particularly helpful in upskilling movers and joiners, and a robust threat intelligence and incident management capability can help inform awareness campaigns of emerging and common threats that each role is likely to experience.
Education, training and awareness needs to be delivered in an emotionally stimulating manner that is personally relatable to ensure that messages are engrained in memory. At a physiological level, entertaining stimuli floods the brain with dopamine, which enables messages to be embedded in long-term memory. Some successful organizations run gamification days, escape rooms, security competitions, roadshows, and workshops, all with an added emphasis on engagement and entertainment.
From a psychological perspective, for habits to form and become patterns of behavior, new information needs to transfer from short-term memory to long-term memory, meaning that individuals must frequently rehearse and retrain for messages to be embedded. The average human mind forgets approximately 50 percent of new information within an hour of learning it and 70 percent after 24 hours; with many organizations typically running one long e-Learning campaign every year or six months, it is no wonder why security messages are forgotten so quickly. Frequently delivering micro-content, using apps, email reminders and posters can all help deliver messages in smaller, digestible doses, rather than overwhelming the employee.
Finally, information security should be treated as a brand — improving employee perception of this brand is incredibly important. Organizations should use similar techniques that successful brands have used over the years, such as creating memorable visual and audio content, including jingles, slogans, phrases, and music, or communicating by using the mechanism of stories, analogies and metaphors. Creating narratives about positive security behaviors with consistent use of style and language will resonate far more clearly with audiences.
The goal of education, training or awareness campaigns should be to impart knowledge, skills and competencies that help employees manage a range of cyber-related risks. However, the archaic expectation that messages will just stick if forced upon the workforce will never work. With a better understanding of psychology and what needs to be done to change behavior, organizations can create content that is far more memorable and impactful.