Security awareness is not so different from parenting. Our aim is to change behaviour for the better. As dad to three children, I’m used to communicating with the different personality types of each of my kids. In an office environment, it’s just bigger kids in a bigger playground.
Whether it’s a team, a department, or an entire company, the target audience have different needs, moods, opinions and motivations. As a parent, I’ve learned that the same message won’t resonate in the same way with each child. For them to do as I ask, I need to tailor my message either in what I say or how I say it. In each case, there’s an element of psychology involved. It’s about taking the time to understand people’s motivations and using that knowledge to create a message that will stick.
A certain percentage of people will readily listen and lap up what you have to say. They’ll want to do the right thing simply because it’s the right thing to do. Others may need a different form of persuasion. They may ask ‘what’s in this for me’? So, you have think a little deeper about what it will take to get them onside. Here are four steps that I’ve found useful as a parent and a security professional.
1 Carrot versus stick approach
“Motivation is the art of getting people to do what you want them to do because they want to do it.” – Dwight D. Eisenhower
Rewards are a useful way to reach the reluctant majority. As parents, we can threaten punishment if the task is not done, or we can promise incentives such as pocket money to complete a task or change behaviour. Too many threats and the child is less likely to want to cooperate. Too much too often of the latter will quickly deplete your spare cash, and your kids expect payment for each and every task.
- As security professionals, we can’t realistically offer financial incentives for colleagues who follow security policy, so we have to advise of the consequences of bad behaviour, both to the organisation and to the individual. (For example, misbehaviour will be reported to a line manager, or maybe worse).
- Seek other ways to encourage good behaviour. The beauty about security awareness is that it doesn’t have to be expensive. Some colleagues might just appreciate some recognition – we all like to hear that we’re doing a great job. It’s surprising how something as simple as praise – especially in an email copying in the boss – a certificate at the end of training, or even something as simple as a piece of chocolate, goes a long way to winning hearts and minds. Who doesn’t like chocolate?
- Small tokens can be especially popular if they are not freely available and not everyone gets one. I’ve seen employees being fiercely competitive over the silliest gimmicks and gadgets if they aren’t freely handed out.
2 Apply the 80:20 rule
“Someone always wants you to sing a song that isn’t necessarily on your set list.” – Gladys Knight
Not every message – including threats or tokens – will appeal to everyone. While some may really appreciate an email thanking their good behaviour, others may be more cynical and dismiss it. Don’t try and please everyone, and don’t be put off by begrudgery. I’d encourage seeking genuine feedback from your audience (kids or employees) on what parts worked and what parts didn’t as we’re constantly learning and trying to improve.
- My kids certainly like to feel they have a say in their development. Even discussing appropriate rewards and punishments can be a fun exercise, as it makes them really think about the challenges.
- If you’ve presented a campaign or delivered a message to a group at work, seek out the regular dissenter and ask them face to face for their views. Quite often, the most vocal people behave very differently when they aren’t anonymous, and you may actually begin to win them over by listening if they have anything constructive to say.
3 Be imaginative
“Creativity is intelligence having fun.” – Albert Einstein
Once we’ve understood what motivates people, we need to think about learning styles. There’s always an element of education to parenting or to security awareness, so you need a variety of teaching tools. Some people love the concept of the ‘paperless office’ and prefer reading a message on a screen; others will absorb a lesson from reading a paper document. Some people respond best in a classroom environment. Don’t just pick one option for your security awareness training.
4 Allow yourself to make mistakes
“Have no fear of perfection, you’ll never reach it.” – Salvador Dali
Doing nothing is not an option. Stay positive and happy, work hard and don’t give up hope. Be open to criticism and keep learning. Okay, now where did I leave that parenting manual?