Four Key Themes on Security Awareness, Behaviour and Culture from ISC2 Secure Summit, London

Back in December I shared the stage with Dr. Ciaran McMahon and Dr. Jessica Barker as we completed our 2017 grand tour of Europe delivering the Security ABC Workshop at ISC2 London.
The workshops were really very well attended, with in excess of 100 CISSPs and non-ISC2 members packing the room at Bishopsgate in London. It was also a great opportunity to welcome Sian Aherne, a new member of the team at Marmalade Box, and start her induction into our SABC Framework for security awareness, behaviour and culture.

As with all our workshops this year with ISC2 we invited attendees to submit questions. These were some of the main themes which emerged.

1. Moving from raising awareness to changing behaviours

For me this can be interpreted in a number of ways. First, does the industry need to re-think the language we use? If we continue to call the overall subject “education and awareness” are we framing it all wrong?

Secondly, it could be interpreted as “we’ve raised awareness but how do we actually drive changes in behaviour?” My response is that you’ve got to understand how behaviours are both formed and influenced. I spoke about psychology, behavioural economics and choice architecture as possible routes for attendees to explore.

2. How to reach audiences with different cultures

The cultural context is important in designing your communication plan. Audiences are all influenced by their own cultural biases. These can lead both to assumptions about what communication content might be acceptable and to misinterpretation by audiences. You’ve got to understand these cultural biases if you want to avoid any cultural clashes when delivering awareness campaigns.

3. Negative image of security

Many years ago I stood on the stage at InfoSec Europe and shared a real experience of a discussion with a CFO about their Information Security Manager being known as “Dr. No”. He asked me what we needed to do and I responded that we needed a branding exercise to change how he was perceived, from Dr. No to the Man from Del Monte.

A negative brand can have a significant impact on levels of engagement and, importantly, the likelihood that people will choose to comply with security policy. This extends not just to the security function’s brand or reputation but also to the individual brand of those involved in engagement between the security function and all personnel.

4. Making content engaging / relevant

It’s often hard enough to get people to take part in some form of education and awareness training or activity, especially where it’s not mandatory, so when you do, you have to capitalise on their attention.

It is well understood that audiences are often frustrated by the lack of innovation in terms of the nature and type of content, as well as its relevance to them and their role. This can be for many reasons but, in a conversation with a group of 4 CISSPs, the following came out as a great example:

The use of English as the primary language for awareness and internal communication campaigns is often the corporate standard. However, for many of the workforce their English will be limited. This causes problems on several fronts, including attention span, misinterpretation, the ability to absorb and retain information, and also just the sheer energy required to have to translate what is already, to many, a hard subject to get their heads around. Language is also one of the cornerstones of any culture. Using the local language is a great way to engage more effectively and also a recognition of the audience’s own culture and its associated values.

What do these Workshops Collectively Teach us?

This final workshop of 2017 with ISC2 continues to underscore what previous sessions around Europe have also taught us. We, as a security profession, need to make a step change in the way that we approach communicating with and training our organisations. We need to look outside our industry and draw on the collective knowledge of others who understand what it means to effectively influence behaviour and embed this modified behaviour such that it becomes a cultural norm. It’s something I’ve been researching now for over six years and is the essence of the SABC framework that we at Marmalade Box have developed.

If you would like to find out more about our research and how SABC could help you make a meaningful change in your business, please do get in touch to schedule some time to chat.
