What’s Love Got to Do with Security Awareness?
With Valentine’s Day coming up, you might be wondering what a holiday like this could possibly have to do with the way you run your security awareness program.
Here at the world headquarters for building people-centric security and privacy content (that’s MediaPRO, by the way), our wheels started spinning.
Some of us fell head over heels for romance scams—and churned out some articles that showcase how this social engineering scam plays off the emotions of people looking for love.
Others went for the laughs, creating some Valentine-themed memes to share with employees, because hooking people with a laugh is a great way to get them thinking about cybersecurity.
But me? I’m a Valentine’s Day scrooge, a Hallmark holiday humbug. I don’t like holiday-based consumer frenzies, and this one seems to be all about greeting cards with stupid sayings, heart-shaped boxes of candy, and pink flowers. So I wanted to go a little deeper, a little nerdier.
Like my old friend Tina Turner, I wanted to ask, when it comes to awareness, “What’s Love Got to Do with It?” (Go watch this campy 1984 video; you’ll be glad you did.)
It turns out, there are several ways that applying a little love can help make your awareness program a big success.
You Can’t Scare Someone into Love
We in the cybersecurity profession are a little prone to paranoia, and with good reason.
After all, everybody (well, at least every cybercriminal) is out to get us … well, us, and the employee and customer data and IP that exist at our company. But when we try to use what we know about the real risks to scare employees, it tends to backfire on us (read here and here to go deeper on this one).
What we want is employees who care enough about cybersecurity to change their daily practices. We want, for example, for them to love secure passwords enough that they’ll adopt a password manager.
But fear doesn’t inspire love and devotion to best practices. It creates a fight-or-flight reaction, a retreat, and an innate distrust of the person doing the scaring. If you want employees to love your security awareness program, then, quit scaring them. After all, look at how it worked out for Glenn Close in Fatal Attraction.
You Can’t Require Love
Let me ask you this: Can you think of anything that you’re required to do on an annual basis that you have real affection for?
Let’s see, there are dentist appointments, filing taxes … hell, even celebrating things like Valentine’s Day becomes an odious chore when it starts to feel required.
But our profession is deeply committed to required annual training, isn’t it? We take the mandate to train every employee to mean we have to create a long, boring course that is such a pain to make that we don’t bother updating it. Then we require our employees to sit through this thing once a year.
The first thing you can do is to quit boring people with your training. This isn’t even that hard, given the variety of content providers out there and the fact that cybersecurity is inherently interesting if you treat it right. If you’re boring people these days, it’s your fault.
The second, more radical thing you can do is make all your training voluntary. To put it in the language of love, “If you love something, set it free.”
Set your employees free to consume content that interests them—and then you’ll be compelled to make your content more engaging and interesting. If it’s boring, people will ignore it. If it’s worthwhile, they’ll take it. It’s really that simple.
When it comes to who you want to love your security training and awareness program, there’s one group that usually rises to the top: executives. It’s not because executive love is the sweetest love, I’m afraid. It’s because executives have the money and the influence that can make your program sink or swim.
In a boldly unscientific poll I conducted among my contacts on LinkedIn (hey, with 1000 views, it’s not that unscientific!), I learned that 38% of executives love their awareness program.
I followed up with respondents to find out how they knew the execs loved the program. Sadly, I got no heart-warming stories about the time the CEO saw the awareness training across a crowded dance floor and knew that awareness was the one.
Instead, I heard again and again that adequate funding for awareness was proof enough that they recognized its importance to the business. One colleague told me that her company created her position expressly because they thought awareness was so important to their business. Apparently when it comes to executives, their love language is funding.
Those execs who just tolerate awareness had some interesting insights as well. One executive told me that “without accurate measurement and proven ROI, execs and boards just tolerate awareness.” Here’s a clear call for those who want to get some love for their work: show your executive sponsors your work brings a return on investment and suddenly you’re a lot more lovable!
A colleague at one of the best-run and best-supported programs I know told me that they provided regular results reports to executives, who are “very interested and engaged and share lots of great ideas about how we can improve and mature the program.” Luckily, most executives understand that security awareness reduces risk and commit to awareness if they know it’s working.
Spread the Love
Since the path to executive support seems to hinge on metrics that demonstrate program effectiveness, it makes sense that you’ll want to inspire your employees to love cybersecurity enough to consistently do the right thing.
The best way to do this is to provide your employees with high-quality, concise training that is enjoyable to take, matched up with ongoing, fun reinforcement to remind people how easy it is to do the right thing, and a phishing simulation program that provides great opportunities for people to practice their phish-spotting skills.
When you commit to building a training and awareness program that puts people first, you’ll find it easy to spread the love.
And now you know what love’s got to do with it!