Author: Daniel Norman
18 Dec 2020

Many workforces would attest that security awareness, training and education (SETA) is either mundane, takes too long and lacks relevancy to job roles. 65% of surveyed ISF Members said that their employees’ receptiveness to STEA ranged from medium to very low, highlighting that current approaches are seriously lacking in impact.

ISF research found that there are four key steps that organisations must take to influence, motivate and empower employees to behave more securely:

  1. Targeted and tailored content

Employees that are forced to complete the same organisation-wide, mandatory e-learning will typically find the task to be challenging and lack relevancy to their specific job. For example, each role within the company will likely experience a range of different security threats or be exposed to different risks. Therefore, SETA should be designed to take this into account. SETA should equip each specific role with the knowledge, skills and tools to manage the specific risks and threats they will experience in the future – this will also heighten levels of engagement and improve the desire to report potential incidents.

  1. Emotional engagement

“Bland”, “boring”, “disinteresting” – these are all words that have been historically associated with SETA. This fundamentally needs to change. We now know that for messages to be engrained in long-term memory they need to be delivered in an emotionally stimulating fashion. Making security content and experiences fun and entertaining will have a far more of a positive impact on the workforce’s perception of the security function, as well as their overall regard for the importance of security.

  1. Frequent delivery

Many organisations run security awareness once every 6 months or as part of the onboarding process, providing security with limited access to employees. Psychologically we know that for patterns of behaviour to form individuals must frequently rehearse and retrain; this is especially effective when delivered in short bursts, as the human mind is only capable of holding roughly seven pieces of information at one time. Security messages, education and training should therefore be delivered in micro-doses, as frequently as possible.

  1. Strong branding and messaging

In the eyes of the rest of the business, the perception of security, and the security function as a whole, is typically negative. They are seen as disablers, blockers or watching for you to slip up. If security is treated as a brand, then this perception can be improved by using marketing techniques that have been well established over the years. The security team can use visual and audio content such as jingles, slogans, phrases and music to make SETA more impactful and engaging. Using the mechanism of stories, analogies and metaphors, key security messages can become better known and resonate with the rest of the business.