Security Awareness Blog

Engaging People Within Real World Limitations

A common challenge I'm seeing organizations have, both small and large, is how to engage people in their security awareness program. Some common limitations I'm seeing include:

  1. Security awareness training is not required. To be honest, I was surprised by this. Even large organizations with a low risk tolerance often did not have required training, or if training was required, it was only the bare minimum.
  2. Corporate limits how often you can communicate with employees. For example, corporate may not allow your security awareness team to email employees, as they are attempting to reduce the amount of internal email people have to read.
  3. Limited budget.

One of the keys to bypassing these challenges and engaging people is to focus on content that people want to take. Think about it: I'll bet over 70% of your awareness program applies as much to people's personal lives as it does to work. People use email at both work and home, and the same goes for mobile devices, browsing, social networking, and secure password use. Usually the only parts of an awareness program that do not apply to personal lives are specific policies, such as acceptable use or data protection and handling.

Communicate your awareness program so it focuses on how people benefit personally, on how these lessons will help secure them at home. Go so far as to offer specific training on how to protect their kids online, how to protect their home computers, or how to set up a secure home Wi-Fi network. Not only does this type of content engage and draw people in, but you now have them practicing secure behaviors both at work and at home. Security becomes part of their DNA. By creating content that people will want to take, word will spread and people will come to you to take the training. You know your program is ultimately a success when people start asking how their family can take the training as well.


4 Comments

Posted May 1, 2012 at 2:41 PM

Phillip Thrash

After attending one of your classes, I made our mandatory awareness training about safe "home computer use". I covered all the auditor-required topics, but with a home spin, and instead of complaints and jokes about wasted time, I've gotten numerous requests to provide video training so employees can show their families.
It's obvious from follow-up questions that people paid attention and are retaining the information, which never would have happened if this had been about their "work computer use".

Posted May 1, 2012 at 5:43 PM

lspitzner

Congrats Phillip, thrilled to hear it worked out so well for you. Keep up the great work!

Posted May 1, 2012 at 9:00 PM

JRoberts

I love that we're starting to talk about communications and employee engagement. I came from a journalism/communications background to build our awareness program. Employee engagement is so many things in different cultures, but basically, think about the audience. The first rule in communicating to employees is WIIFM: What's In It For Me? What do they want, what will they listen to, what will engage them to partner with you to keep the company secure, what do they get out of helping you? Our Enterprise Security brand is "Pride of Place, Peace of Mind", and my brand for our security awareness program is "we partner with you to keep our company safe and secure."
We've got:
- 13 tip sheets written in plain language and geared to the employees' personal computer, smartphone, router, etc.
- a grassroots, in-person training program called PIE (Personal Protection, Identity Theft, Electronic Data), and we serve pie (apple, cherry

Posted May 1, 2012 at 9:15 PM

lspitzner

Great feedback! If you have any documents or specific examples you can share, please do; this is something we are all struggling with.