Having established that humans are the most vulnerable component in an organization’s information security ecosystem, I thought I should share some useful tips on how to (and how not to) run security awareness campaigns that are engaging and can lead to a change in behaviour. Listed below are 8 tips I have put together that can serve as high-level guidance for security personnel before running an awareness program.
Don’t Just Tick a Checkbox – Many organizations run awareness programs only to satisfy some standard’s requirements rather than to address the actual need for one. Security experts must accept that humans are the most vulnerable component in their security ecosystem and put effective awareness programs in place.
One-Bite Appetizer – A plant can absorb only so much water at any given time, which is why drip irrigation is used. Pouring more water than the plant needs wastes water and may even kill it. Similarly, people learn better when information is served in small pieces rather than being taught some 15 security topics in a single day. Feeding them more than they can digest wastes time and effort, and may even produce worse security behaviour.
Reinforcement of Lessons – Pick one security topic and run it for at least 90 days, varying the context in which the message is delivered. Repeating messages on the same topic for 90 days is considered best practice for reinforcing learning and retaining knowledge.
Take Advantage of Teachable Moments – A teachable moment arises when someone makes a security mistake and realizes it. Such moments can be created during events like a simulated phishing attack: users who fall for it can be taught, on the spot, how to stay safe from such attacks, and they are then less likely to fall victim again.
Visualization of Risks – Most security awareness or training programs are dry and boring, filled with uninteresting facts and jargon; bear in mind that users are not security experts. When you want to tell your users to beware of phishing attacks, help them visualize it: show them what a phishing attack looks like, how one falls victim, how to tell a legitimate email from a phishing email, and so on.
Engage Users – Actively engage your users in your information security awareness programs. Don’t make it one-way, using the old-school instructional method. Engage in dialogue with them and provide a platform for them to share their thoughts. A better security awareness program includes hands-on learning such as identifying phishing emails and creating stronger passwords.
Use Narration – When a security message is delivered as a narrative or storyline, it is retained better. People tend to remember a storyline they can connect with rather than a summary of security policies and facts.
Measure Results – What you cannot measure, you cannot improve. A security awareness program should be a continuous effort, kept current with the changing security landscape. For it to be effective and impactful, it should be measured and improved.
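As an added illustration of the "measure results" and "teachable moment" points (this is example code written for this article, not part of the original post or of any particular awareness platform), the script below aggregates the outcome of a series of simulated phishing rounds into the two numbers most programs track, click rate and report rate, and lists users who clicked in more than one round as candidates for follow-up coaching. The records, their field layout (round, user, clicked, reported) and the user names are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample data (hypothetical): one row per user per simulated-phishing
# round, recording whether the user clicked the lure and whether they reported it.
SAMPLE_EVENTS = [
    # (round, user, clicked, reported)
    (1, "alice", True, False),
    (1, "bob", True, False),
    (1, "carol", False, True),
    (1, "dave", False, False),
    (2, "alice", True, False),
    (2, "bob", False, True),
    (2, "carol", False, True),
    (2, "dave", False, True),
    (3, "alice", False, True),
    (3, "bob", False, True),
    (3, "carol", False, True),
    (3, "dave", False, False),
]


def round_metrics(events):
    """Per round: number of targets, click rate and report rate (rounded to 3 dp)."""
    per_round = defaultdict(lambda: {"targets": 0, "clicked": 0, "reported": 0})
    for rnd, _user, clicked, reported in events:
        m = per_round[rnd]
        m["targets"] += 1
        m["clicked"] += int(clicked)
        m["reported"] += int(reported)
    return {
        rnd: {
            "targets": m["targets"],
            "click_rate": round(m["clicked"] / m["targets"], 3),
            "report_rate": round(m["reported"] / m["targets"], 3),
        }
        for rnd, m in sorted(per_round.items())
    }


def repeat_clickers(events, min_rounds=2):
    """Users who clicked in at least `min_rounds` distinct rounds.

    These are the people for whom the teachable moment did not stick and who
    most benefit from direct, hands-on coaching rather than another broadcast.
    """
    rounds_clicked = defaultdict(set)
    for rnd, user, clicked, _reported in events:
        if clicked:
            rounds_clicked[user].add(rnd)
    return sorted(u for u, rs in rounds_clicked.items() if len(rs) >= min_rounds)


def trend(metrics, key="click_rate"):
    """Compare the first and last round for one metric.

    Click rate is better when lower; report rate is better when higher.
    Returns 'improving', 'worsening' or 'flat'.
    """
    rounds = sorted(metrics)
    first, last = metrics[rounds[0]][key], metrics[rounds[-1]][key]
    better_when_lower = key == "click_rate"
    if last == first:
        return "flat"
    improved = last < first if better_when_lower else last > first
    return "improving" if improved else "worsening"


if __name__ == "__main__":
    m = round_metrics(SAMPLE_EVENTS)
    for rnd, stats in m.items():
        print(f"round {rnd}: {stats}")
    print("click-rate trend:", trend(m, "click_rate"))
    print("report-rate trend:", trend(m, "report_rate"))
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```

Tracking both rates matters: a falling click rate alone can mean users simply ignore mail, while a rising report rate shows they recognised the lure and told someone, which is the behaviour the program is trying to build.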
Those are 8 tips or aspects to consider when developing or revitalizing a security awareness program.
You can view the above tips in a more graphical manner here.