Security awareness and training is an important control in the security practitioner’s toolbox that helps enterprises to respond better to security threats, that prevents behavior that enables security incidents and, in many cases, is required for regulatory compliance.
Despite the importance of information security awareness and training, many enterprises do not employ it very well or systematically. For example, few enterprises track and measure the effectiveness of their information security awareness campaigns beyond a few simple metrics, e.g., phishing simulation click rates. This lack of sophistication undermines the potential benefits of higher-quality awareness campaigns, which should be managed with the same rigor as other security controls: planning, implementation, and reporting of measurements and metrics.
With just a few adjustments to how your enterprise plans, creates and manages awareness activities, it can build awareness campaigns that are more engaging and perform better. By adapting the techniques that marketing teams use to gauge their brand awareness and interactions with potential customers, your enterprise can get better engagement from end users and more reliably achieve the results intended from security awareness campaigns.
Start Your Awareness Program Right Now
Measuring the performance of security awareness activities can be difficult, in part, because the underlying goals of a security training and awareness program influence the metrics that are gathered. For example, a hospital required to comply with the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) might define success as all employees watching a webinar, but a different hospital with the goal to reduce the risk of unattended and unlocked nursing workstations might not view an awareness campaign to be successful until the user behavior has actually changed.
This means that there isn’t a standard “one size fits all” set of metrics to evaluate how awareness efforts perform across industry. Even without a common standard to use as a benchmark, research suggests that most security awareness and training programs aren’t working very well.
Faced With Challenges, Use These Tips
Security awareness campaigns can underperform for many reasons, including:
Lack of effective messaging—Lackluster content that fails to achieve the desired outcome
Lack of engagement—Failure to appropriately engage the user, or failure to communicate the importance of good cyber hygiene and its impact on the enterprise
Campaign design—Inapplicable or mistargeted campaigns, or content that is too densely packed into a communication channel, causing the audience to stop listening
These specific challenges have been extensively studied in the marketing field. Marketing professionals spend tremendous effort and time measuring how their efforts to optimize content, to increase engagement, and to target campaigns to the intended audience perform. Adopting and leveraging methods used by marketing professionals can be a successful strategy for security managers and executives who want to overcome challenges in security awareness and training efforts. Methods used by marketing professionals to create a campaign include:
Effective messaging—Create content that is targeted to a specific outcome. Many security awareness campaigns are launched without a clear objective. Effective marketing, instead, seeks to create collateral that is designed with the outcome of moving a customer along a journey from noncustomer to customer. Each advertising or marketing element is designed to move the potential customer one step further along that process.
Engaging structure—Present information in a format that is engaging to the consumer. An engaging structure can employ white space strategically to enhance the message, contain text that is accessible (free of security jargon) and that is delivered in a manner that is familiar to the customer.
Consumable units of information—Ensure that information is modular, so the user is not overloaded with too much information at once. Rather than a single piece of collateral that attempts to communicate everything at once (for example, an awareness-oriented poster that includes information on safe web browsing, good password habits, screen lock habits and numerous other things), a campaign can be structured so that individual elements reinforce each other and are targeted at different phases of the customer purchasing journey.
Trackable and measurable—Create collateral for which engagement can be measured. Marketing teams might collect information about how many people view a given piece of collateral, how many of those people take a next step (e.g., click a link), how many people share the information with others, and so on.
Building the Right Program for Your Organisation
The marketing principles and tools described here can be applied as useful security awareness strategies, but they represent only a portion of the effort. The overall approach to managing the security awareness program is the other (arguably more important) part. Whether the enterprise is setting up a program for the first time or refining/updating an existing program, several elements need to be considered. One way to approach this is to segment the program into the following phases.
Campaign planning—development of campaigns that are designed to educate users about a specific message or to reinforce a message
Collateral creation (or adaptation)—creating or adapting training or other material into campaigns
Campaign execution—conducting training and disseminating materials
Campaign management and tracking—tracking attendance or measuring performance of the program
During campaign planning, the enterprise plans what it will deliver based on areas of need. Before or during the planning process, the enterprise identifies personas to determine the specific topics and messages that are most important based on enterprise need, the type of user, users’ communication preferences and the jobs that they perform. Combining persona information with data that gauge how users are likely to respond to security-relevant situations forms a baseline that can be used to evaluate the effectiveness of the enterprise awareness program and to identify the user groups with the greatest need. An enterprise may need multiple campaigns depending on the diversity of its user population and their areas of need (and persona type).
Next, during collateral creation and campaign execution, the enterprise plans the materials, messaging and engagement strategy for each campaign. This collateral should align with the goals of the campaigns and be driven by user personas (e.g., the manner in which users prefer to consume the information). Incorporate the sales funnel into the planning by thinking through the messaging that is required to move users from one phase of the journey to the next phase. For example, the enterprise may produce collateral that is designed to generate cognizance of security, other materials to solicit user interest and more in-depth materials for the user to gain additional detail to complete the training with sound comprehension.
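One way to turn the trackable-collateral idea and the persona-driven funnel described above into numbers, as an added example that is not part of the original article: it counts, per persona, how many users reach each phase of the journey (view, next step, completion) and flags the transition with the worst drop-off, which is where messaging for that persona needs rework. The event names, personas and log entries are constructed for illustration.

```python
from collections import defaultdict

# Funnel phases in the order users are expected to move through them,
# mirroring the cognizance -> interest -> comprehension journey.
FUNNEL = ["viewed", "clicked", "completed"]

# Constructed sample engagement log: (user, persona, event). Not real data.
EVENTS = [
    ("u1", "nursing", "viewed"), ("u1", "nursing", "clicked"), ("u1", "nursing", "completed"),
    ("u2", "nursing", "viewed"),
    ("u3", "nursing", "viewed"),
    ("u4", "nursing", "viewed"),
    ("u5", "finance", "viewed"), ("u5", "finance", "clicked"), ("u5", "finance", "completed"),
    ("u6", "finance", "viewed"), ("u6", "finance", "clicked"),
    ("u7", "finance", "clicked"),  # never "viewed": a gap, so counted at no stage
    ("u8", "finance", "viewed"),
]

def furthest_stage(user_events):
    """Index of the last funnel stage reached without skipping an earlier one (-1 if none)."""
    reached = -1
    for i, stage in enumerate(FUNNEL):
        if stage not in user_events:
            break
        reached = i
    return reached

def funnel_by_persona(events):
    """Return {persona: [users at stage 0, stage 1, ...]}, counting sequentially."""
    per_user = defaultdict(set)
    persona_of = {}
    for user, persona, event in events:
        per_user[user].add(event)
        persona_of[user] = persona
    counts = defaultdict(lambda: [0] * len(FUNNEL))
    for user, evs in per_user.items():
        for i in range(furthest_stage(evs) + 1):
            counts[persona_of[user]][i] += 1
    return dict(counts)

def conversion_rates(counts):
    """Fraction of users advancing across each stage-to-stage transition."""
    return [round(counts[i + 1] / counts[i], 2) if counts[i] else 0.0
            for i in range(len(FUNNEL) - 1)]

def weakest_step(counts):
    """Transition with the lowest conversion: the phase whose messaging needs work."""
    rates = conversion_rates(counts)
    i = min(range(len(rates)), key=lambda k: rates[k])
    return f"{FUNNEL[i]}->{FUNNEL[i + 1]}"
```

Re-running the same computation after a campaign and comparing against the pre-campaign figures gives the baseline-versus-outcome view the planning phase calls for.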