Cyber Security Communications: Lessons from COVID-19

An unseen and evolving threat that can be mitigated, at least partly, by changes in everyday behaviours. Sound familiar?

It's long been noted that there are similarities between public health and cyber security. 2020 brought these parallels to the fore, and so when I was asked to keynote the SANS Security Awareness Summit in December of 2020, I spoke about what we can learn from COVID-19 communications to improve cyber security awareness campaigns.

You can watch the full keynote below, with thanks to SANS. Or scroll down to read some of the key takeaways.

And, don't miss the SANS Security Awareness Summit this year - it's virtual, global, free and is not to be missed if you care about managing human risk. I'm not saying those things because I'm on the advisory board, I'm on the advisory board because all of those things are true :)

Some of the key messages we can learn from COVID-19 for better cyber security communications include:

“There is absolutely no point in trying to enforce strategies if people are not readily able to adopt them”*

There's no point telling people to use better passwords if you don't provide them with a way to manage them (like a password manager).

“Positive messaging should enable more people to do things safely”

Telling people how to report a phish is more effective than telling people not to click on malicious links.

“Messages which hold examples of bad practice and say ‘don’t do this’ can easily backfire because they can convey that many people in our group are behaving like this anyway, even if they know they shouldn’t”*

I've spoken about the power of social proof and cyber security many times, for example in my RSA 2020 keynote. When we in cyber security think we're shocking people by highlighting how many people, for example, use bad passwords, what we're actually doing is reassuring those people who use bad passwords that they're not alone.

“Unless one already has an understanding of what each component of the three-word instruction “Hands face space” means, its meaning is unclear”*

If we tell people to “use a secure password” / “use MFA” / “use a VPN”, we have to explain what that actually means.

“Every time you add detail, you make it harder for people to extract what’s relevant for them”**

We need to reduce the noise in security messaging, so that people can focus on the signal.

“Current communication messages in the COVID-19 pandemic tend to focus more on individual risks than community risks resulting from existing inequalities. Culture is central to an effective community-engaged public health communication to reduce collective risks”***

Replace references to COVID-19 in the above quote with cyber security.

And the last point I want to highlight is a reminder from me: blaming people for security incidents doesn’t reduce the likelihood of further incidents, it just reduces the likelihood of you knowing about them.

I included a snippet of our cyber parody video in the keynote. It ended up being our most-watched YouTube video of 2020 so don't miss out on the full experience below!


* The Independent SAGE Report 22 (November 13, 2020). UK government messaging and its association with public understanding and adherence to COVID-19 mitigations: Five principles and recommendations for a COVID communication reset. (PDF)

** Kate Wilhelm, Content Design, Canadian Digital Service (November 18, 2020). Just enough detail: how we designed content for the COVID Alert app. (Blog post)

*** Airhihenbuwa C, Iwelunmor J, Munodawafa D, Ford C, Oni T, Agyemang C, et al. Culture Matters in Communicating the Global Response to COVID-19. Preventing Chronic Disease 2020;17:200245. (Journal article)

