Last week we kicked of a blog series on the 4 W's in building an effective awareness program. In the first post we explained that to effectively manage human risk organizations need to answer four key questions; WHY, WHO, WHAT and HOW. Today we focus on the first of those four questions, the WHY part.
So why do organizations have security awareness programs? Well, thats pretty simple; to meet compliance requirements and to manage human risk. Unfortunately, there are probably a total of five people in your entire organization who care about those reasons and I'm guessing you are one of them. What we really need to answer is "Why should I care about cyber security?" Answer that question and you will engage people. The problem is, this is something most awareness programs fail to do.
To answer the WHY question you have to reach people at an emotional level, you cannot rationalize people into caring with facts, figures or numbers (to learn more communicating at an emotional level I highly recommend the book Made to Stick by the Heath brothers). So why should people care, how can we reach them emotionally? There are two approaches I like to take, the organizational level and the individual level.
For your organization, what is your culture, where do employees get their pride? For example, organizations such as utilities, manufacturing, transportation or orgs heavy into Industrial Control Systems (ICS) have a very strong safety culture. Cyber security helps ensure a safe environment, cyber security is safety. In healthcare people take pride in helping patients, empathy is part of the culture. Cyber security helps protect patient data and provide the best service possible. People often talk about creating a cyber secure culture. Instead of changing or creating a new culture why not communicate how cyber security enables your existing culture.
At the individual level, why should people care, what is in it for them? Instead of focusing on how secure behaviors are good for your organization, focus on how people personally benefit from your awareness training. Think about it. People use the same technology at both home and at work. People face the same online risks both at home and at work. So emphasize how your training benefits people at home. Communicate how your program improves their personal lives, how the lessons learned even extend to their family members or friends.
By first communicating the WHY in your awareness program, people will care at both an organizational and individual level. You will have engaged them. Once engaged, you can then focus on the actual behaviors you want to change. And to do that we have to answer the next key question, WHO. Stay tuned until next week, same bat time, same bat channel.