Security Awareness Blog

The "WHY" in Effective Awareness Programs

STH-BinaryPeople-High

Last week we kicked of a blog series on the 4 W's in building an effective awareness program. In the first post we explained that to effectively manage human risk organizations need to answer four key questions; WHY, WHO, WHAT and HOW. Today we focus on the first of those four questions, the WHY part.

So why do organizations have security awareness programs? Well, thats pretty simple; to meet compliance requirements and to manage human risk. Unfortunately, there are probably a total of five people in your entire organization who care about those reasons and I'm guessing you are one of them. What we really need to answer is "Why should I care about cyber security?" Answer that question and you will engage people. The problem is, this is something most awareness programs fail to do.

To answer the WHY question you have to reach people at an emotional level, you cannot rationalize people into caring with facts, figures or numbers (to learn more communicating at an emotional level I highly recommend the book Made to Stick by the Heath brothers). So why should people care, how can we reach them emotionally? There are two approaches I like to take, the organizational level and the individual level.

For your organization, what is your culture, where do employees get their pride? For example, organizations such as utilities, manufacturing, transportation or orgs heavy into Industrial Control Systems (ICS) have a very strong safety culture. Cyber security helps ensure a safe environment, cyber security is safety. In healthcare people take pride in helping patients, empathy is part of the culture. Cyber security helps protect patient data and provide the best service possible. People often talk about creating a cyber secure culture. Instead of changing or creating a new culture why not communicate how cyber security enables your existing culture.

At the individual level, why should people care, what is in it for them? Instead of focusing on how secure behaviors are good for your organization, focus on how people personally benefit from your awareness training. Think about it. People use the same technology at both home and at work. People face the same online risks both at home and at work. So emphasize how your training benefits people at home. Communicate how your program improves their personal lives, how the lessons learned even extend to their family members or friends.

By first communicating the WHY in your awareness program, people will care at both an organizational and individual level. You will have engaged them. Once engaged, you can then focus on the actual behaviors you want to change. And to do that we have to answer the next key question, WHO. Stay tuned until next week, same bat time, same bat channel.

2 Comments

Posted October 1, 2015 at 4:08 PM | Permalink | Reply

HJohn

At the individual level, why should people care, what is in it for them?"
I also think it is important to think about counterproductive, yet rational, answers to the corrollary: why do they disgard it?
Most people don't email sensitive information to themselves, use their own devices, give their secretaries/colleagues their passwords, or cut corners in other ways, in order to hurt the company. They do it to be more productive, get more done, or to meet burdensome demands.
in other words, management needs to also look at their rewards system. Before you dole out promotions and bonuses to people solely on throughput, perhaps it should be asked how they are getting more done. Is their poorly configured home computer loaded with sensitive information they emailed to themselves or put on yet another USB (because they lost the last one on the tran home)? Are we inadvertantly punishing the people who exercise due care by measuring them against productivity alone? Who's files are properly secured, and whose are stacked on a desk in open view so he can get his information more quickly?
Ever hear a boss say "I don't care how you do it, just get it done and fast!" ?
The Why they should care is very, very important. The Why they don't care is also important, and the entity may very well be inadvertantly fueling it.

Posted October 1, 2015 at 9:40 PM | Permalink | Reply

lspitzner

Jay, I could not agree more. Quite often security controls are ignored or bypassed because we have made them too difficult. The easier we make security for people, the more likely they will exhibit secure behaviors. One of my favorite resources on this is the Behavior Model by Dr. BJ Fogg ''" http://www.behaviormodel.org.