5 Basic Rules to Build an Effective Security Awareness Program
The Battle of Thermopylae, also known as “The Hot Gates,” fought in 480 B.C. is often put in the context that 300 Spartans held off a huge Persian army. In reality, the 300 Spartans were not alone during the battle. Alongside of them fought Athenians, Thebes, Thespians, and a variety of other united Greek forces. All told, until the last day or so, the Greeks had a force of between 7,000 and 10,000 soldiers at Thermopylae. The key difference is that the Spartan warriors were bred as warriors – they were professional soldiers. The Athenians, Thebes and Thespians were soldiers, but most of them had other, full-time jobs, and fought in the army when they were called upon.
Your users are not Spartan warriors. They are developers, engineers, designers, craftsmen, lawyers, nurses and so on. They are not professional security geeks. They don’t think like hackers. Elevated security measures do not come naturally to most of these people. They all have real jobs to do which are NOT focused on information and cybersecurity.
Security awareness is important, and we cannot give it lip service. We cannot throw a bunch of generic security stuff in a set of slides and say, “Our users are trained.” The real world does not work that way. We cannot make everyone Spartan warriors.
So what do we do? We figure out an awareness program that works in our environment.
- Create a security awareness program that is based in the organization’s environment. Use the words and language from your environment. If you call something “Confidential,” don’t call it “Proprietary” in your training. If you call your most valuable data your “sexy secrets,” don’t call it your “cool data” in the training. Better yet, if your cool data is actually your patient data, or your recordings of your creative conversations with Rock and Roll Buck Zumhoff, just say THAT. Talk about your own applications, data and systems with which your users are familiar.
- Use examples. New ideas can be communicated very effectively by examples – kind of like a “show me.” But, use real-world examples. And by real-world examples, I mean examples from your own organization, in enough details that employees can recognize it is your organization. If you work at ACME Corp, don’t describe how something happened at Joe’s Hat, Boot and Shoe Factory, talk about something that happened at ACME Corp. Use real examples put in the context of your company. You want to make any examples as practical as you can. Avoid making things abstract to the extent possible.
- Use real language. Your organization is not full of security geeks, so don’t say “failed authentication process.” Say “couldn’t log in” instead. Eliminate, or at least minimize, the technical and security jargon. Use the type of language your people use in their everyday lives.
- Take it in small chunks. There have been plenty of studies done on how to effectively communicate new material. Many of them boil down to the same thing – human beings have limited attention spans, especially for new or unfamiliar material. What this really means is that five sessions of five minutes each is probably better than one 30 minute session and definitely better than one hour long session. Break your awareness/training program into manageable chunks – pieces that a user can easily go through in one sitting and think, “Well, that was painless.”
- Understand that your awareness program is not a thing, it is a process. You need to reinforce messages through policy, email, internal videos, in staff meetings and any other media that works in your environment. Say the message. Repeat the message. Create a process which employees can, are welcome to, and are encouraged to revisit as much as they want. Set the expectation that the elements of the awareness program will be updated, and repeated on a regular basis.
One of the key elements to remember is that an awareness program really is not about “awareness.” An awareness program is about training and changing employee behavior enough that it increases your staff’s ability to consciously make more secure decisions. That is much more easily said than done.
Remember, you are not making security experts. That is why you have security geeks. You need employees to be good enough that they can help protect what is important to the organization. When you focus on their jobs, and what they do in their day to day activities, you are much better off – even more so if you can keep the security messages simple, and the security “geekiness” low.