After reading a recent Wall Street Journal article titled Why Companies Should Stop Scaring Employees About Cybersecurity, we realized that many companies struggle to communicate the seriousness of cybersecurity with employees while also encouraging a healthy security awareness culture.
Over the years at Hook Security, we have championed and promoted the need for people to be treated differently than they are under traditional InfoSec approaches. This approach is known as Psychological Security or PsySec. At its core, PsySec is the marriage of the latest in Psychological Research and Security Awareness Training.
From this perspective and body of research, here are five things to keep in mind while communicating with management and employees in an organization about the role and importance of security awareness training.
1. Focus the Message: Say One Thing - 3X
We understand. Most cybersecurity professionals are not copywriters and editors. However, a little bit of audience empathy goes a long way in writing an effective message to an organization. This empathy helps us realize one universal truth: people don’t want to read your sh*t. (Here’s a great article about just this.)
That said, in a healthy company culture, people do read the organization notices. And when they read your notice, we believe that a company should be clear and repeat exactly what they mean two or three times over.
Does that make sense? Repeat the main point at least two or three times. It’s easy once you get the hang of it. All you have to do is pick a main idea, and repeat it at least two or three times. By doing so, an organization will communicate clearly, stay focused, and empathize with its internal audience.
2. Set a Vision: Describe the Benefits of Security in All Areas
This is probably the most neglected area when an organization sends out a notice. Your organization wants to know the real reason behind the security awareness training. And no, being “more secure” does not satisfy most employees. Frankly, most folks don’t care if they click on a link or not. It’s not their job to keep an organization safe - that is the job of someone in IT.
So how do we overcome this? Paint a picture of increased productivity, profitability, potential sales, or personal career growth.
What ultimately happens when a company achieves their security training goals? Will they have more budget and resources to grow? Will you achieve more sales by increasing opportunities due to your security posture? Will each employee be able to add their security training to their current and future resumes? Whatever the vision is, be sure to share it with your organization early and often.
3. Stay Encouraging: Avoid Punitive, Negative, and Emotionally Charged Language
Everyone is different and people are complicated. As a result, everyone responds differently to organizational notices. And so, and this may be obvious, it is critically important to frame the security training notices with positive and encouraging language.
It may feel cathartic to tell your organization “We did awful, and you all are idiots,” but that creates a fear state in your employees’ minds. They may begin asking themselves “Will I get fired?” or “Is she talking to me?” Ultimately, this means that employees will read the notice as an attack aimed at them, or, conversely, if they never fail, that training is a waste of time for them personally. Neither response is helpful or leads to a positive, secure, and aware culture.
So we encourage organizations to lay out the shortcoming in terms of a challenge: “We have an opportunity to become the most secure company in our industry/geography/the world.” Saying things like “We respect your skills and believe we can improve in this area together.” is an encouraging message that invites people into the company’s security vision (as discussed in #2).
4. Be Candid: Clearly State the Risk and Threats
And now, the tricky part. While being encouraging, research shows (here’s an academic article) that people ultimately desire acceptance and respect from their peers. A key tool to achieving this ‘acceptance and respect’ dynamic is found in the willingness for an organization to be candid with its people.
What does candidness look like? It looks like using an active voice. In other words, use active voice.
In the book Radical Candor, organizations are encouraged to be candid through clear, concise, and contextual feedback. (At Hook Security, we love this book.) Without going into the book, Radical Candor sits at the intersection of Personal Care and Challenging Directly. When crafting feedback for your organization, aim to demonstrate that you care about each person and challenge them specifically. For example, rather than say “We all need to be more vigilant.” try saying, “Each of us should triple check every email attachment this month. Your device can be compromised if you automatically download attachments.”
Further, it is ok to point out the truth to your organization. Let them know that our competitors and customers will believe we are stupid and vulnerable if we are breached. Be candid and specific about the risks your organization faces if you fail to achieve your organization's security vision.
5. Repeat the Message: Plan to Send Multiple Communications
The research on this is clear: Humans are ‘pattern-recognizing’ creatures. We see patterns everywhere. People see patterns in the stars (constellations), test each other to recognize patterns (IQ tests), and emotionally react to the world based on perceived patterns (“When it rains, it pours.”).
So let’s leverage this to our advantage. Not only should your Security Awareness Training (SAT) focus on pattern recognition through testing regularly, but organizations should also continue to communicate the results and progress of their security awareness training.
Under PsySec’s approach, Hook Security recommends that organizations send out their security notices at least 3 times within a 30-day window. It’s ok to remind people and give people a pattern. However, we recommend avoiding the copy/paste trap. Every message should be varied and empathize with the company’s overall levels of stress.
If your organization believes security is important, then it should be repeated regularly and over time.
Overall, an organization's security notice is a critical part of its overall Security Awareness Training program. We hope you find these items helpful, and we would love to hear your feedback!
-Zach(ary)