Security awareness – design with the goal in mind

In the information security sector, one of our main aims is to change, create or reinforce some specific behaviour. How well we do this depends largely on whether or not the ‘product’ we design meets the needs of our ‘consumers’.

Ineffective design results in friction. This slows things down, creates unnecessary barriers and, in the worst circumstances, means that what we want to happen never happens at all. Such friction occurs when others:

  • Don’t recognise how what’s on offer relates to them. If no one sees ‘what’s in it for them’, you are much less likely to get buy-in.
  • Have to work too hard to understand what you mean. This is a failure of communication. As Tesla CEO Elon Musk says, “Any product that needs a manual to work is broken.” From a security awareness perspective, that requires matching message and delivery mechanism to the audience, rather than engaging in one-size-fits-all communication, something we have covered in other blogs.
  • Aren’t emotionally engaged. Trying to convey ideas and new thinking in lifeless corporate language is virtually guaranteed to generate disengagement, the exact opposite of what was intended. Our podcast with John Pollack, one-time speechwriter to US President Bill Clinton, talks in more detail about the importance of storytelling even in corporate communications.
  • Feel their needs are being ignored or misunderstood. Lack of empathy puts up a barrier that is hard to break down once created. Speaking recently at Black Hat USA 2017, Facebook’s Chief Security Officer Alex Stamos acknowledged this as a significant issue in the information security sector.

Your product roadmap

If you want to avoid such issues, start thinking like the designer of a new security awareness product that’s soon to go on the market.

[Note: As a matter of routine, we ask our clients to see security as a product or service they need to design for a specific audience or group. This puts ‘hard edges’ to the project and helps create focus.]

Product designers start with a ‘product roadmap’. This sets out a strategy and tactical plan for creating and implementing their design. This isn’t a roadmap set in stone, but a living document that’s sufficiently agile to accommodate changing priorities and market feedback.

Essentially, having a well-thought-out product roadmap in place will enable you to create an environment in which others ‘buy from you’ rather than you having to ‘sell to them’. That requires security professionals to act as ‘choice architects’, and to establish ‘conditions of influence’ that help others make appropriate decisions.

Creating a product roadmap that can do this requires you first to be clear about what you want to happen. If you are looking to change the security culture in an organisation, you need to have specific goals and objectives in mind for doing so successfully.

Closing the gap

Then determine how far away your ideal scenario is from the reality of your target market. This is the gap you have to close and the wider it is, the harder you will have to work. So, where are the points of friction where you are likely to get resistance? Where are the easy-to-open doors where you will get traction sooner and easier buy-in?

To close the gap you have two options.

  • You can re-frame how you present your current security awareness product in an attempt to sell it in to your audience. This is what many companies try to do, but this ‘sales approach’ necessitates overcoming consumers’ innate objections. This is often difficult and, when not successfully done, is the reason that many infosec initiatives fail. A square peg, no matter how well polished, won’t fit into a round hole.
  • You can redesign your product entirely so it creates less friction in the first place. This is the ideal, though constraints of time, resource and corporate politics may prevent you from doing so.

Selling in your product

If you use a ‘human resource’ to sell in your product, consider who is best placed to communicate the message. The harder the sell, the more important it becomes to use those with sufficient personal brand equity to carry the argument and bridge the gap. This isn’t necessarily the most senior person. Our blogs on personal branding and having the right information security brand go into more detail on this subject.

Of course, much of the time, communication about any new product isn’t ‘close up and personal’. Instead it’s delivered online and through digital media, because often this offers the optimum combination of reach, personalisation and cost-effectiveness.

It’s easy to dismiss this type of communication as ‘impersonal’ and to treat it accordingly as something of a tick-box exercise – a document is a document is a document. It’s true that digital comms lack the micro-emotions – the small visual cues we get from a person’s facial expressions and body language – but that doesn’t mean that, when effectively created, they can’t trigger the specific and beneficial behaviours and responses we are looking for. Far from it.

[Note: Behavioural ‘triggers’ will be one of the topics we will be covering in future blogs.]

Let’s take three of the key components of an information product that we might use to remodel an organisation’s security culture: typography, colour and layout.

According to Kevin Larson, a Microsoft psychologist, the font you use to communicate affects the reader’s mood. In other words, just through its characteristic lines and curves it can make them feel good or agitated.

For instance, when people read about an exercise programme in a less legible font, they rate it harder than when the same material is read in clearer type.

Similarly with colour.

Gregory Ciotti’s detailed account of colour psychology reveals its importance in supporting the tone you are trying to create. Colour affects us deeply. So, if you want to turn someone ‘on’ rather than ‘off’ it should be factored in when creating a security awareness product.

Finally, layout. How you compose even static elements on a paper or web page can have an emotional impact by creating an ‘eye path’ that leads readers and visitors where you want them to go. If you understand how people view your website, for instance, you can direct them in a way that generates subtle but positive responses.

Use the design principles of Gestalt psychology and you also have a tool for associating images with emotions that trigger specific behaviours.

One of the most effective ways to create emotional communication is, of course, through moving images. For over 125 years, filmmakers have used motion and sound to create an emotional response. Video gives you the opportunity to do that on a smaller scale and is now technically easy to do online.

But does an attempt to create emotion work in a commercial environment? Very much so. In a six-year-long study, customer experience firm Beyond Philosophy found that those in B2B sectors tended to rely on their opinions and emotions more than ordinary ‘customers’.

If you are looking to change the security culture of your organisation, Marmalade Box has developed a range of tools to help you do that more effectively. From defining the message through to creating your communication products, we can help ensure that your product is perfectly designed.
