An unseen and evolving threat that can be mitigated, at least partly, by changes in everyday behaviours. Sound familiar?
It's long been noted that there are similarities between public health and cyber security. 2020 brought these parallels to the fore, and so when I was asked to keynote the SANS Security Awareness Summit in December of 2020, I spoke about what we can learn from COVID-19 communications to improve cyber security awareness campaigns.
You can watch the full keynote below, with thanks to SANS. Or scroll down to read some of the key takeaways.
And, don't miss the SANS Security Awareness Summit this year - it's virtual, global, free and is not to be missed if you care about managing human risk. I'm not saying those things because I'm on the advisory board, I'm on the advisory board because all of those things are true :)
Some of the key messages we can learn from COVID-19 for better cyber security communications include:
“There is absolutely no point in trying to enforce strategies if people are not readily able to adopt them”*
There's no point telling people to use better passwords, if you don't provide them with a way to manage this (like a password manager).
“Positive messaging should enable more people to do things safely”
Telling people how to report a phish is more effective than telling people not to click on malicious links.
“Messages which hold examples of bad practice and say ‘don’t do this’ can easily backfire because they can convey that many people in our group are behaving like this anyway, even if they know they shouldn’t”*
I've spoken about the power of social proof and cyber security many times, for example in my RSA 2020 keynote. When we in cyber security think we're shocking people by highlighting how many people, for example, use bad passwords, what we're actually doing is reassuring those people who use bad passwords that they're not alone.
“Unless one already has an understanding of what each component of the three-word instruction “Hands face space” means, its meaning is unclear”*
If we tell people to “use a secure password” / “use MFA” / “use a VPN”, we have to explain what that actually means.
“Every time you add detail, you make it harder for people to extract what’s relevant for them”**
We need to reduce the noise in security messaging, so that people can focus on the signal.
“Current communication messages in the COVID-19 pandemic tend to focus more on individual risks than community risks resulting from existing inequalities. Culture is central to an effective community-engaged public health communication to reduce collective risks”***
Replace references to COVID-19 in the above quote with cyber security.
And the last point I want to highlight is a reminder from me: blaming people for security incidents doesn’t reduce the likelihood of further incidents; it just reduces the likelihood of you knowing about them.
I included a snippet of our cyber parody video in the keynote. It ended up being our most-watched YouTube video of 2020 so don't miss out on the full experience below!
References
* The Independent SAGE Report 22 (November 13, 2020). UK government messaging and its association with public understanding and adherence to COVID-19 mitigations: Five principles and recommendations for a COVID communication reset (PDF).
** Kate Wilhelm, Content Design, Canadian Digital Service (November 18, 2020). Just enough detail: how we designed content for the COVID Alert app (blog post).
*** Airhihenbuwa C, Iwelunmor J, Munodawafa D, Ford C, Oni T, Agyemang C, et al. Culture Matters in Communicating the Global Response to COVID-19. Preventing Chronic Disease 2020;17:200245 (journal article).