One of the biggest challenges I see security awareness programs face is poor communication. Most organizations know what their top human risks are and they know what behaviors are needed to address those risks. Where they fail is how they communicate these issues to their employees and staff. The book Made to Stick by brothers Chris and Dan Heath is designed to help solve that. If you are involved in establishing an awareness program and cannot get your message to stick, I highly recommend this book. I know it has helped me tremendously.
In the book the Heath brothers analyze why certain ideas stick in cultures and why other ideas are quickly forgotten. They then break down sticky ideas into six categories called SUCCESS. The more of these categories your idea fits, the more likely it will stick. SUCCESS is broken down as follows.
- Simple: This is where you define the core of your message. The goal is to keep your message as short and simple as possible. Too often security messages are long winded and confusing. We need to keep things simple and focused (what the Heath brothers call the Commander's Intent or John Kotter calls the Vision).
- Unexpected: Get people's attention through surprise. Too often security messages say the same boring statement in the same boring way (often death by statistics).
- Concrete: Help people understand and remember. You cannot be vague in what you are communicating. The ideas and behaviors have to be specific; we cannot leave any ambiguity or doubt about what we want people to do.
- Credible: Help people believe. The information has to come from a trusted source. However, it does not have to be just an authority; it can also come from an anti-authority. An example of an anti-authority would be someone with poor security habits sharing their story of how they got hacked.
- Emotional: Facts and figures do not work; you cannot rationalize people into action. You have to hit people on an emotional level and make them care. For security we are finding that people become engaged when told that what they learn will secure them at home and in their day-to-day lives. Make security personal.
- Stories: People love stories; they engage and explain. Stories can also inspire people and get them to act. For awareness, tell a story of how a business unit or department could not do something important, and then how security enabled them to do it.
What I loved about the book was the authors' approach that you do not have to be a communications expert. By simply understanding and applying these concepts you can dramatically improve your communications. In addition, one of the key takeaways I found truly valuable was the concept of the "Curse of Knowledge". The idea is that the more of an expert you are in an area, the harder it is for you to communicate it. The assumptions you make about how fast people can learn your field of expertise are clouded by the expert knowledge you already have. Long story short, the more you know about information security, the more likely you will have a hard time communicating it to ordinary computer users. This helps explain why some awareness programs are failing.