I've decided to republish an article I wrote in 2009 about security awareness.
There are a lot of opinions about security awareness programs, what they should look like, what they should cover, whether they work at all, etc. In addition, there has been a lot of research and pontificating about why security awareness messages seem to consistently fail in their desired mission and what changes can be made. This research typically focuses on the psychology of the end user and how to craft the message for specific audiences to make it more effective. With all due respect to all the awareness “experts” out there, I think they miss the point.
The point of security awareness programs is not to see how cool, hip, or clever the message and the delivery method can be but to change the way people think and act about information, both their own and others' when applicable. The point is to get people to want to protect that information from prying eyes or accidental disclosure. What I recommend is that instead of looking deeper into the psychology of the user, or trying to find the next viral communications technique, security awareness program developers should look at methods and messages from other areas where communication to a vast number of different people has been necessary and where those messages have been effective over time.
For example, how many of the following messages or sayings do you remember and act on, whether you know it or not:
- Click it or ticket
- Buckle up for safety
- Don't mess with Texas
- Only you can prevent wildfires
- Don't talk to strangers
- Look both ways before crossing the street
- Friends don't let friends drink and drive
- Loose lips sink ships
- Do not leave your bags unattended
You get the idea. So, what do all of these messages have in common?
They're all S.M.A.R.T messages. What does S.M.A.R.T mean?
Simple, bordering on the simplistic: The message should not be long, or difficult to understand. It should be crafted in such a way that the mind can register and retain it with very little effort.
Meaningful: Similar to Actionable below, messages without context are ineffective at best. A meaningful message is one that communicates information that is both useful for the security posture of the company AND for the target audience. Take “Only you can prevent wildfires,” for instance; the point of this message isn't only to protect the forests and parks but also to protect the individuals and families in those forests and parks.
Actionable: The message should have some element of what to do or not to do, something that the audience can latch on to and start performing immediately: “Do lock your computer when you are away from your desk”; “Don't let other people enter behind you without a badge.”
Repetitive: No matter how well crafted your message, or how much time and effort you might have put into it, sharing it once a year is not going to be enough.
Targeted: I said in a previous paragraph that modifying a message to take the psychology of your intended audience into account misses the point. However, targeting the audience based on delivery method is something that works. Some people pay attention to posters, others to emails, and others to phone calls. Targeting specific users with specific messages doesn't make sense; it's costly and redundant. Targeting specific users with the WAY the message is communicated, on the other hand, makes sense and is relatively straightforward to accomplish.
S.M.A.R.T messages are crafted in such a way that they can be delivered over and over again using different venues and methods (e.g. posters, email signatures, phone messages, etc.) without overwhelming the audience. Not only does this make sure that the message is transmitted multiple times, but it also covers the range of how people learn, since they will be seeing it (posters), reading it (emails) and hearing it (telephone, loudspeaker, audio email, etc.).
So there you have it. Keeping your security awareness messages S.M.A.R.T should make your training and awareness group more effective and more efficient.