BreachExchange mailing list archives

Security Awareness: Don't Forget the Fun Factor
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 25 Nov 2015 17:44:24 -0700

http://www.databreachtoday.com/blogs/security-awareness-dont-forget-fun-factor-p-1984

Too many security awareness and education programs fail because they're
boring, says Lance Spitzner, the research and community director for the
SANS Institute's "Securing the Human" program.

"Most awareness programs fail not because of what we're teaching people,
but how we're communicating to them," he said at the recent Irish Cyber
Crime Conference in Dublin (see Irish Cybercrime Conference Targets Top
Threats). "We're focusing on motivation, when it should really be on
ability." By that, he means that too often, awareness programs attempt to
motivate people to get interested in a topic, instead of more directly just
making them better at it.

The success of any enterprise security program relies in large part on
employees being security-savvy enough to do the right thing at the right
time. That means not opening the wrong email attachments or falling victim
to social engineers pretending to be the CEO, instructing them to
immediately wire money to a Cayman Islands bank account (see FBI Alert:
Business Email Scam Losses Exceed $1.2 Billion).

A Fresh Approach

All awareness and training programs face challenges when it comes to trying
to relay sometimes dry material in a fresh way. But the Centers for Disease
Control and Prevention, a U.S. public health institute, devised a clever
way to liven up its otherwise rote-sounding messages educating Americans
about how to better deal with disasters.

The agency published one of its standard disaster-preparation blogs with a
zombie makeover, making the point that surviving a "real emergency" -
involving the undead rising up to eat the flesh of the living, or not -
requires the same approach. "All they did is change the title," Spitzner
says of the zombified blog post, which also included a few key references,
for example to George Romero's 1968 classic "Night of the Living Dead,"
which centers on an infectious agent - classic CDC territory - turning
ordinary people into eldritch horrors.

Readers immediately bought in. "Three hours after the blog went live, the
entire CDC network collapsed" because so many people were attempting to
read the blog post, Spitzner says, adding that later, the agency even had to
issue a statement confirming that in fact there is no such thing as zombies.

The awareness campaign got people talking. And for an agency that's
responsible for teaching Americans how to survive a disaster, it was an
unmitigated success.

Customize the Message

Spitzner says that successful awareness campaigns don't attempt to change
corporate culture, but instead play to it. "Adapt security to the existing
culture. If in your organization, you have a strong safety culture, [then]
cyber is all about creating a better, more safe environment: cybersafety."

Likewise, he says that many organizations attempt to communicate the
dangers of social-engineering scams by holding lunchtime clinics for
employees - allowing them to bring in their home laptops - and detailing
how they might be targeted as consumers, for example by fake Microsoft
technical support calls, or via phishing attacks that target their bank
accounts. By offering employees "consumer security awareness" training,
they're also making them smarter at spotting similar threats they will face
in the enterprise.

Such programs aren't just about disseminating information, but also about
connecting with end users, which is an ability that not all IT
professionals necessarily possess, Spitzner says. "If you are in charge of
an awareness program and - like me - have a technical background, develop
some soft skills."

The Fun Factor

The CDC "zombie" campaign was successful, in part, because it tapped into
part of the pop culture zeitgeist - and because it was fun. The campaign
demonstrates how variety can help awareness campaigns reach a wider
audience. Here are a number of related techniques that Spitzner suggests
organizations should consider:

Use a Variety of Communication Methods: Spread the word via emails,
newsletters, blogs or ecards.
Find Soft-Skills Experts: Get your organization's marketing and
communications staff involved to help craft more engaging awareness
campaigns.
Use Branding: Use mascots, logos or taglines to make the awareness program
more accessible.
Employ Humor: Consider tapping into some popular Internet memes - Grumpy
Cat, photo-bombing squirrel, Chuck Norris and others.
Create Ambassadors: Send forth security-aware employees to spread the
message.
Play with Gamification: Take an entire program and "gamify" the desired
behaviors to better engage users, for example by awarding points for
completing challenges and keeping a leaderboard, backed by monthly prizes
for top performers.

Where the CDC campaign also excels, Spitzner says, is in having a simple
message. To have maximum impact, organizations should attempt to
communicate as few topics or behaviors as possible, he stresses. "Every
behavior you add has a cost to your organization. Every behavior you add
brings you one step closer to 'cognitive overload,'" Spitzner says in a
related blog post.

Less is more. "One of the biggest challenges in building a successful
awareness program ... [isn't] determining what to teach people, it's
determining what not to teach people so you can remain focused," he says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss