Over the last two years, we’ve been delivering a lot of presentations, workshops and webinars on awareness, behaviour and culture in information security.
There are some questions that security education and awareness managers ask time and time again, so I thought we’d address some of them in this blog post.
How can we make security education and awareness engaging and interesting?
This is the million-dollar question and unfortunately, there is no simple answer. What is engaging and interesting is different for different audiences. This is a fairly obvious point; we can all relate to TV shows that some people love and others can’t stand.
But the other factor here is that what we find engaging and interesting will change depending on how we’re feeling and what else is competing for our attention and energy.
If we’re stressed, we won’t take in information in the same way as when we’re feeling fresh and motivated. When we’re tired or hungry, we will have a limited attention span.
The delivery method is also crucial.
If you had an important message for one of your colleagues, you could…
- Pick up the phone and have a conversation with them
- Email them
- Scribble it on a bit of paper and put it in one of those brown internal envelopes and wait for it to get to their postal tray
- Scribble it on some paper and put it in a bright red envelope with a bag of sweets and drop it onto their keyboard
- Hire someone to dress up in a fancy-dress outfit and sing it to them
From all of the above, which do you think would be the most effective at
- Getting the message across?
- Being remembered?
It’s one thing to get a message across and another to say it such a way that makes it interesting and memorable.
The key thing to understand here is that there are many factors that will influence whether something is engaging and interesting. It’s important that security education and awareness managers understand this if they are to improve the effectiveness of their education and awareness initiatives.
If someone tells you what is interesting and engaging for your audience, without understanding the audience and the environment within which you operate, then they are failing to understand what marketers have known and practised for decades.
How do we best manage a mixed and diverse group of stakeholders?
An organization by its very nature is diverse, although depending on the industry this will vary. To start from this position of diversity makes sense. After all, as individuals, we are the result of our varied life experiences combined with our personal characteristics and competencies.
However, we are all born with some common denominators. In the vast majority of cases, on a deeply physiological and psychological level, we are the same.
We process information in the same way, whether we are the CEO or the customer services agent, whether we are born in India or France and whether we are generation X or Y.
Understanding the common grounds between us, and developing a security awareness and education programme that leverages these is one way of tackling the diverse nature of our stakeholders.
How can we ensure that our messages stay front of mind?
With so many things competing for our attention, this is something that is only going to get more challenging as time goes on.
Maintaining a consistent level of awareness is essential, albeit not always easy. Many people attend awareness training only to forget what they thought they had learned within a short time frame. Retention rates following training can vary wildly. And over a period of time retention rates drop quite significantly.
Different means of engaging with employees all have limited “shelf lives” in terms of retention, but this does not mean they should be pushed aside.
The question that security education and awareness managers need to consider is this;
Are your choices in line with your strategy?
For example, online courses have a 10% to 20% higher failed retention rate than traditional classroom environments (Herbert, 2006)1. But if your budget doesn’t stretch to live in-person training, then this will be better than no training at all.
Frequent engagement, in shorter bursts, is one way of maintaining a higher level of awareness.
Understanding the science behind memory retention and retrieval, and incorporating this into the development of awareness campaigns can help to ensure that you design a security awareness and training program that takes all this into account.
What can security education and awareness professionals do to improve their communication?
Great question! But in order to answer the question of how to “improve overall communication” you first need to be clear how you’re measuring it.
Without measurement how will you know that an improvement has taken place? How is your performance being measured? Knowing this will enable you to focus your efforts on what counts. Then you can look at ways to improve these communications as your priority.
Think of security as a product
I often ask people to think of information security as a product. I then ask them to think about how they would market and sell this product to the audience. The similarities are clear.
Marketers aim to raise awareness of their product with the objective being to influence people’s behaviour to choose it. When the product’s brand gains enough momentum in terms of market penetration it can evolve into the cultural landscape of an industry, audience demographics, country or range of countries.
Breaking down the communication into stages or steps like this enable you to put some measurements in place and then understand where the gaps are – or where the communication is falling down.
Only then can you begin to address the improvements required in communication.
How do we reach audiences with different cultures?
A first point to clarify here is what you mean by culture. Many people assume that we might be talking about different countries and languages, but are we? Culture can also vary by industry, by company department or by race.
The term culture is often considered in the context of content within security education and awareness programmes. However, culture needs to also be considered in terms of designing processes to engage effectively with audiences.
The cultural context is important in designing your communication plan. Audiences are all influenced by their own cultural biases. These can both lead to assumptions about what communication content might be acceptable and how best to communicate this but also may lead to misinterpretation by audiences.
Understanding these cultural biases will help you to avoid any cultural clashes when delivering awareness campaigns.
The use of English as the primary language for awareness and internal communication campaigns is often the corporate standard. However, in international businesses for many of the workforce, their English will be limited. Clearly a key consideration for those responsible for security education and awareness.
This causes problems on several issues including attention span, misinterpretation, and the ability to absorb and retain information. Also, just the sheer energy required to translate what is already to many a hard subject to get their heads around.
Language is also one of the cornerstones of any culture. Using the local language is a great way to engage more effectively and also a recognition of the audiences own culture and its associated values.
1. Retention in Online Courses: Exploring Issues and Solutions—A Literature Review
7 Security Awareness Questions ... answered!
Discover the answers to the TOP 7 questions we get asked by Information Security Education & Awareness Managers.