Many times, organisations will roll out a security awareness campaign with the best of intentions, but it doesn’t have the desired effect.
Despite being repeatedly informed of the dangers of reusing passwords, plugging in unknown USB devices, or blindly clicking links, users behave in ways that are at odds with the information you’re giving them. So, why do they keep making poor security choices? Are they stupid? Is training worthless? There are many factors at play, but it’s easy to boil it down to one simple phrase: “Your users aren’t stupid, they’re human”.
As BJ Fogg, founder of the Stanford University Behaviour Design Lab, put it when describing how to get humans to perform specific behaviours: “3 truths about human nature: We’re lazy, social, and creatures of habit. Design products for this reality.” What this means is that if you design something that goes against human nature, it will most likely fail.
So, how can we get people to make better security decisions?
The good news is that you can and you should design your information security campaign and related policies around the realities of human nature. For your security awareness campaign to be effective, there are three things your organisation needs to address in how the information is delivered and measured:
Do you care more about what your users know, or do?
The first point is one of reflection. Too often we are concerned with the information a user is given rather than the behaviour we want to change. Think of it like this: driving down the road, I may be aware that the speed limit is 30mph, but if that doesn’t translate into me driving at 30mph, the information is pretty pointless.
Plan like a marketer, think like an attacker
Attackers will continually attack your users and try every trick in the book. You need to plan your campaign around this reality, be consistent in testing users, and deliver learning across all mediums, whether that be executive messages, learning modules, posters, screensavers, newsletters, etc. Each element, as in a good marketing campaign, should reinforce the others.
Changing behaviour takes time
The final point is that even the best of security awareness campaigns will take some time before results are seen. The key is to be consistent and have patience. A bit like embarking on a fitness regime, it won’t happen overnight, but eventually the results will show.
New School Security Awareness
Talk to SBL about new school security awareness. Working with specialist partner KnowBe4 we can offer security awareness which is measurable and proven to be effective in changing user behaviour.