Raising cyber security awareness of 50,000 people: 3 key lessons
I’ve been delivering cyber security awareness-raising training for over ten years. People often ask for my advice so in this blogpost I'm sharing three key lessons I’ve learned over the last decade.
1. Framing + context = engagement
One client recently spoke to me about their challenges engaging colleagues in cyber security when they don’t work with computers on a daily basis.
Another described a complacent culture where everyone thinks “it won’t happen to us”.
And then there was the client with a deeply creative culture, where people thought cyber security would simply stand in their way.
My initial diagnosis of all these complaints was essentially the same, but how we then treated the problem varied quite a bit.
In cyber security awareness, we often speak of the need to explain the ‘why’. That is the first half of tackling the three problems above (and so many others) when it comes to raising cyber security awareness.
That helps us frame cyber security in a way that is more impactful for our audience.
But that is only half of what I like to call the cyber security engagement equation.
The second half of the equation is to tackle ‘why me?’. This provides the context, helping people understand not just why cyber security is relevant, but why it is relevant to them.
Address this equation first if you want people to engage in awareness-raising, which itself is the first step in behavioural change.
If you haven’t read Sinek’s 'Start With Why', it’s a great book to get into the mindset of addressing ‘why’ and ‘why me’. Sinek's TED Talk is a good place to start.
2. A problem without a solution is not their problem
Hold the front page: I have a big issue with fear-mongering cyber security awareness. Anyone familiar with my work knows that "we can't scare people into security" is a hill I will die on. I first gave a keynote about this in 2014 (at BSides Manchester) and you can check out my RSA 2020 keynote on cyber security and the psychology of fear.
I have an even bigger problem with cyber security awareness-raising that scares people AND offers no solution.
Let’s say you’re raising awareness of passwords. You want everyone in your organisation to use complex, unique passwords for all of their accounts. If you don’t have single sign-on or a password manager, what are you asking people to do? Remember them?
Add in enforced password changes and this just went from unreasonable to impossible.
We don’t inspire positive behavioural change by scaring people. We inspire positive behavioural change by proportionately communicating the threat and then focusing on the actions people can take to protect themselves. And if we’re asking people to change their behaviour, we’d better have a realistic way for them to do that.
Awareness-raising cannot fix a problem for which you are not offering a solution. We need to provide the tools for people to practice secure behaviours.
Perhaps you were drawn to read this blogpost partly by the reference to 50,000 people in the title.
Some of you were probably sceptical of the number. And you were right to be.
It’s not 50,000 people; it’s way more than that. The figure of 50,000 people comes from just the last few years, when I started keeping track. And it's only the participants from live awareness sessions, not including those who watch our awareness-raising videos, for example.
A big mistake I made was not keeping track of the numbers earlier in my career. The number is probably around 100,000 but I don’t really know, because I didn’t keep track.
Don’t make the mistake that I made. Identify metrics as soon as possible in your awareness-raising and track them. Sometimes, people worry about identifying the right metrics for human cyber. Don’t. Metrics take practice; start tracking and then worry about refining them. But if you don’t start tracking, you won’t identify what works and what doesn’t.
Some awareness, behaviour and culture metrics to consider:
report rate of incidents, near-misses and simulated phishes (don’t worry so much about the click rate, which I talk more about here)
engagement with your content, from blog posts to emails to external speaking sessions
number of questions and requests coming in to your security team
how people in your organisation feel about security, and how this impacts their behaviours (our culture assessment can help with this)
In this blogpost I’ve talked about the need to focus on framing ("why?") plus context ("why me?") if we want to build engagement. I’ve shared the golden rule of focusing on solutions over fear. And I’ve covered the importance of metrics, with a few ideas on some awareness, behaviour and culture metrics that you could track (if you aren’t already).
If you want to know how Cygenta can support cyber security awareness, behaviour and culture in your organisation, please get in touch.
And don’t miss some exciting news coming from us soon. Lots of our clients want to scale up their awareness, behaviour and culture programmes and we're going to make it easier to do just that. Sign up to our mailing list to stay in the loop!