Too many security awareness and education programs fail because they're boring, says Lance Spitzner, the research and community director for the SANS Institute's "Securing the Human" program.
"Most awareness programs fail not because of what we're teaching people, but how we're communicating to them," he said at the recent Irish Cyber Crime Conference in Dublin (see Irish Cybercrime Conference Targets Top Threats). "We're focusing on motivation, when it should really be on ability." By that, he means that too often, awareness programs attempt to motivate people to get interested in a topic, instead of more directly just making them better at it.
The success of any enterprise security program relies in large part on employees being security-savvy enough to do the right thing at the right time. That means not opening the wrong email attachments, and not falling victim to social engineers who impersonate the CEO and instruct them to immediately wire money to a Cayman Islands bank account (see FBI Alert: Business Email Scam Losses Exceed $1.2 Billion).
A Fresh Approach
All awareness and training programs face challenges when it comes to trying to relay sometimes dry material in a fresh way. But the Centers for Disease Control and Prevention, a U.S. public health institute, devised a clever way to liven up its otherwise rote-sounding messages educating Americans about how to better deal with disasters.
The agency published one of its standard disaster-preparation blogs with a zombie makeover, making the point that surviving a "real emergency" - involving the undead rising up to eat the flesh of the living, or not - requires the same approach. "All they did is change the title," Spitzner says of the zombified blog post, which also included a few key references, for example to George Romero's 1968 classic "Night of the Living Dead," which centers on an infectious agent - classic CDC territory - turning ordinary people into eldritch horrors.
Readers immediately bought in. "Three hours after the blog went live, the entire CDC network collapsed" because so many people were attempting to read the blog post, Spitzner says, adding that the agency later even had to issue a statement confirming that zombies do not, in fact, exist.
The awareness campaign got people talking. And for an agency that's responsible for teaching Americans how to survive a disaster, it was an unmitigated success.
Customize the Message
Spitzner says that successful awareness campaigns don't attempt to change corporate culture, but instead play to it. "Adapt security to the existing culture. If in your organization, you have a strong safety culture, [then] cyber is all about creating a better, more safe environment: cybersafety."
Likewise, he says that many organizations attempt to communicate the dangers of social-engineering scams by holding lunchtime clinics for employees - allowing them to bring in their home laptops - and detailing how they might be targeted as consumers, for example by fake Microsoft technical support calls, or via phishing attacks that target their bank accounts. By offering employees "consumer security awareness" training, they're also making them smarter at spotting similar threats they will face in the enterprise.
Such programs aren't just about disseminating information, but also about connecting with end users, which is an ability that not all IT professionals necessarily possess, Spitzner says. "If you are in charge of an awareness program and - like me - have a technical background, develop some soft skills."
The Fun Factor
The CDC "zombie" campaign was successful, in part, because it tapped into the pop culture zeitgeist - and because it was fun. The campaign demonstrates how variety can help awareness campaigns reach a wider audience. Here are a number of related techniques that Spitzner suggests organizations should consider:
- Use a Variety of Communication Methods: Spread the word via emails, newsletters, blogs or ecards.
- Find Soft-Skills Experts: Get your organization's marketing and communications staff involved to help craft more engaging awareness campaigns.
- Use Branding: Use mascots, logos or taglines to make the awareness program more accessible.
- Employ Humor: Consider tapping into some popular Internet memes - Grumpy Cat, photo-bombing squirrel, Chuck Norris and others.
- Create Ambassadors: Send forth security-aware employees to spread the message.
- Play with Gamification: Take an entire program and "gamify" the desired behaviors to better engage users, for example by awarding points for completing challenges and keeping a leaderboard, backed by monthly prizes for top performers.
Where the CDC campaign also excels, Spitzner says, is in having a simple message. To have maximum impact, organizations should attempt to communicate as few topics or behaviors as possible, he stresses. "Every behavior you add has a cost to your organization. Every behavior you add brings you one step closer to 'cognitive overload,'" Spitzner says in a related blog post.
Less is more. "One of the biggest challenges in building a successful awareness program ... [isn't] determining what to teach people, it's determining what not to teach people so you can remain focused," he says.