By Jason Wittick • July 31, 2018

WHAT?! Where’s your InfoSec Awareness Program!?
The task of establishing and maintaining an effective information security (InfoSec) awareness program that provides personnel with all the security and privacy information they need for their jobs is complex, frustrating, and thankless, but also unavoidable.

There is a growing number of data protection and security laws, regulations, and guidelines that explicitly require employees undergo specific, formal, and ongoing InfoSec or privacy awareness training. Now more than ever, personnel who have not been sufficiently educated are exposing their employers to an increased risk of being deemed noncompliant.

Typical trainees have no qualms about reporting exactly how they feel about issues, problems, or their general distaste for mandatory training activities, while seldom (if ever) sharing any sense of relief, satisfaction, or peace of mind that comes when they’re finished. Nonetheless, if personnel do not know or fully understand how to recognize and properly handle confidential, sensitive, or private information, employers are risking that their most valuable asset, information, could be mishandled, obtained by unauthorized persons, or otherwise misused.

Any security incident found to be a result of employee incompetence could also be seen as employer dereliction or negligence. After an incident is over, fines and penalties accumulate quickly, and the persistent effects of a damaged reputation linger far beyond retraining, restitution, or recovery efforts after the fact.

If the risk is so great and potential consequences are so severe, why doesn’t every organization just make awareness training their top priority? In a single word … Money. The up-front costs of developing and implementing a formal, standards-driven InfoSec awareness program tend to deter early adoption more than any other factor. On top of the initial costs, ongoing management, maintenance, and monitoring also require investment and effort to keep program content accurate, relevant, and up-to-date.

Once the costs are taken care of, another InfoSec awareness challenge comes from keeping audiences interested and motivated enough that they complete their assignments without being chased, reminded, or forced. People tend to doubt the objectivity of overstated, heavy-handed training content, bemoaning excessive volume and a lack of real-world applicability … but most InfoSec awareness content is based around fear-mongering and preparation for imagined worst-case scenarios. Trainees who do not feel properly and personally engaged will naturally procrastinate and foster a sense of complacency or contempt over a misperceived redundancy in each training iteration. After a while, trainees can even start resenting their assignments, trainers, and InfoSec awareness itself.

Any InfoSec awareness program of merit will simultaneously hold the interest and attention of trainees while helping to ensure and encourage their understanding of applicable requirements, legislation, and expectations. Trainees are human beings, and while InfoSec awareness is a critical, ‘necessary evil’ in today’s threat landscape … it’s a pretty boring subject for even the most eager and willing employees.

So how, then, should administrators design their InfoSec awareness materials to have the most impact and effect? How should they educate their trainees without discouraging or even sabotaging their progress? Simple … stop just telling trainees why they should care about InfoSec, and start selling the idea of InfoSec as something they cannot live without.

Take cues from the advertising industry, whose ubiquitous influence can successfully persuade consumers into buying goods that they don’t actually need. Precisely like a modern advertising strategy, effective and well-designed InfoSec awareness programs should appeal to individual trainee attitudes and behaviour through messaging and content that can actually benefit them directly.

Keeping passwords safe and secure, for example, will resonate best from a trainee’s perspective when they understand how a single stolen password can personally cost them time, money, or frustration. A keen understanding leads to the formation of good InfoSec habits, which then have a much better chance of naturally carrying over into their working habits.