According to the Verizon Data Breach Investigations Report, 84% of data leaks in 2022 were caused by the human factor. The information security industry has become so professional that it is now much easier to hack people than IT systems. So we don’t just need experts who can secure systems. We also need experts who are trained in how to raise awareness, to impart knowledge, and to change peoples’ attitudes and ideally their behaviour.
Security Awareness requires interdisciplinary skills, founded in psychology, pedagogy, communications and marketing. However, 72% of those responsible for IT security awareness have a purely technical background, with only limited knowledge from these specialist areas (SANS Security Awareness Report 2022). As part of the remaining 28%, I have compiled four practical principles that have been tried and tested in my 15 years of communications experience.
1. The fish has to want the bait
Who do I want to reach? There are lots of terms with slightly different meanings in marketing and communications: target groups, stakeholders, interest groups, etc. Put simply: who am I talking to? I’m usually talking to more than one group, often with very different backgrounds.
Before I plan a measure, I think about who exactly I want to inform, to motivate to take certain actions or to even change their behaviour in the long term. I usually address each group differently to communicate the messages I want to convey in a way that is understood and accepted.
In other words, the fish has to want the bait. If I go fishing and take a bad substitute instead of a fat worm, I’m not going to catch any fish. They just won’t bite. Of course, the easiest thing is to blame the fish because they’re stupid and don’t care. But ultimately, I want something from the fish. So figuring out what it likes to eat will help me.
There are a number of complex, professional processes for finding out which fish like which bait. A simple recipe: imagine a person whose background, whose day-to-day routine is familiar to you. The more specific the better.
2. Always start with the ‘why’
A new policy is not enough motivation for changing behaviour. After all, the policy is not implemented for the sake of it, but because it serves the actual goal of protecting the organisation, the core business.
Why is your core business important? How are employees changing the world on a small scale? What problems are they solving as an organisation? In a positive organisational culture, employees are proud of the small contribution they are making to the bigger picture and see their work as something meaningful. If you communicate a new security policy based on this ‘why’, you can categorise it as part of this work, as part of the bigger picture, which means there’s a greater chance it’ll be implemented.
Simon Sinek, author of the marketing classic ‘Start With Why’, describes this concept called the golden circle in his Ted Talk ‘How great leaders inspire action’. He starts at the core and communicates outwardly: why, how, what. It’s a simple recipe that you can use as a guide.
3. What language are we actually speaking?
I don’t mean English, German or French here, but language as a basis of communication, culture and identity. Teenagers at a party, experts in research groups, politicians in parliament – they might all speak English, but it sounds different, comes with different gestures and involves different terms. We define ourselves as part of a group, a culture, through language. How we speak to whom is often something that happens on a subconscious level and comes from a basic need for belonging.
Each and every organisation has its own language, its own culture, its own ‘we’. Are you formal in speaking to your employees? How many terms do you use in your company that might mean nothing to outsiders? Do you use humour or is the messaging more serious, factual? Is there a strong hierarchical structure in place or is it okay to go directly to superiors? How we package messages into language so that they are received and heard is important.
If your company is particularly conservative and you’re writing an intranet message about a change in password rules, you probably won’t start off with a joke or an attention-grabbing meme. You’re much more likely to write something factual, without much humour.
4. Changing behaviour is a marathon
‘Why haven’t they changed? We’ve already sent two emails – there’s an e-learning module and tests!’ Well, behavioural research has one or two explanations for this. It’s an exciting interdisciplinary field, but not one I specialise in. Nonetheless, let me try and approach it from a communications perspective.
If you set up and manage campaigns on a professional basis, you’ll know that behavioural change is a marathon, absorbing an unbelievable amount of resources and even more time. Take one common example: the introduction of the seat belt. It took years of well-funded campaigns and then a law to instil safer behaviour in drivers. And remember, their very lives were at stake. There are a few stops on the long road to behavioural change. To put it simply:
- Raise awareness: make people aware of the issue – there’s a problem and it affects you too.
- Inform: impart knowledge – what’s the problem and how does it affect you?
- Change attitudes: be convincing – these are the benefits of following our advice and changing your behaviour.
- Change behaviour: make the desired behaviour easy, repeat, embed in day-to-day life – we will provide you with the ways and tools to make the desired behaviour easy; and it will support your day-to-day life.
And last but not least: even if we know better, sometimes we can be lazy and inconsistent. To put it another way, how often do you have that soft drink or second beer even though you’re trying to be healthy that week? There’s only one thing that helps here: understanding – or making the bait even tastier.
