Security education, training and awareness for employees

Many organizations struggle to develop education, training and awareness initiatives that are impactful and engaging and that resonate with the audience. Typically, a lack of funding forces organizations to run plain, dull, repetitive awareness campaigns, or to do just enough to meet regulatory requirements. This approach to changing security behavior is fundamentally flawed. However, there are several cost-effective approaches that organizations can use to change, promote and sustain good security behavior.

Firstly, the idea of ‘blanket awareness’ is dead — all content needs to be tailored and contextualized to specific role requirements. For example, a senior executive will not experience the same threats as a marketing manager, so why should they both have to complete the same training course? Each employee should be equipped with the necessary knowledge and skills to identify and respond appropriately to role-specific threats. Security mentor schemes are particularly helpful in upskilling movers and joiners, and a robust threat intelligence and incident management capability can help inform awareness campaigns of emerging and common threats that each role is likely to experience.

Education, training and awareness need to be delivered in an emotionally stimulating manner that is personally relatable to ensure that messages are ingrained in memory. At a physiological level, entertaining stimuli flood the brain with dopamine, which enables messages to be embedded in long-term memory. Some successful organizations run gamification days, escape rooms, security competitions, roadshows, and workshops, all with an added emphasis on engagement and entertainment.

Finally, information security should be treated as a brand, and improving employee perception of this brand is incredibly important. Organizations should use techniques similar to those that successful brands have used over the years, such as creating memorable visual and audio content, including jingles, slogans, phrases, and music, or communicating through stories, analogies and metaphors. Creating narratives about positive security behaviors with consistent use of style and language will resonate far more clearly with audiences.

The goal of education, training or awareness campaigns should be to impart knowledge, skills and competencies that help employees manage a range of cyber-related risks. However, the archaic expectation that messages will just stick if forced upon the workforce will never work. With a better understanding of psychology and what needs to be done to change behavior, organizations can create content that is far more memorable and impactful.