Nearly all professionals are familiar with the idea of cybersecurity awareness campaigns: presentations and discussions about cyber risks and practices to mitigate said risks. Likewise, many familiar with these campaigns may also know how ineffective they can be in convincing the average user to enhance their security habits. Recent research has attempted to isolate certain aspects of cybersecurity campaigns which lead to their ineffectiveness and overall downfall. In this post, we will explore the research and dive into suggested ways to help improve the odds of an awareness campaign being successful.
Cybersecurity campaign goals
The overall goal of a cybersecurity awareness campaign is to “render people amenable to change(s)” which will ultimately raise their security posture. To accomplish this goal, two conditions must be met:
1. People must be able to understand and apply cybersecurity advice
2. Users must have their attitudes and intentions changed in favor of being more security-conscious
A successful campaign will need to be structured around these conditions to alter attitudes and actions towards cybersecurity. According to NIST Special Publication 800-50, it is important to note that cybersecurity awareness is not the same as cybersecurity training. Cybersecurity awareness should ultimately alter a person’s cybersecurity perspective, rendering them more motivated and receptive to formal cybersecurity training.
Factors of an unsuccessful cybersecurity campaign
While the goal is to run successful cybersecurity campaigns, it is vital to understand the factors that can derail the effort, such as:
Although this idea may seem obvious, it proves to be a point of failure for campaigns. Not only must a campaign have an idea as to what general cybersecurity looks like, it must also know what cybersecurity means to the audience it is communicating with. Not all experiences with cybersecurity are created equal, so realizing your audience’s current understanding of cybersecurity is crucial in order to effectively relate to them. Relating to your audience in terms of how they already think about cybersecurity feels more personal and makes it easier to convey knowledge that will impact their actions.
Compliance with a cybersecurity education program does not equal proper behavioral changes. It is more important to emphasize appropriate behavior and actions than compliance with a cybersecurity course or program.
Uniqueness of awareness
Heightened awareness of cybersecurity will be an entirely new action or practice for many individuals, so it should be taught with that same approach. Cybersecurity awareness is a unique skill, so constant reinforcement of proper behaviors and actions is a necessity, as well as reassurance when individuals falter or have misunderstandings.
Lack of engaging material
Information disseminated by cybersecurity campaigns must be easily digestible and engaging. This could prove rather difficult for large-scale campaigns, as cybersecurity notions will certainly differ from one audience to another. A wide range of information covered via several media (e.g., posters, brochures, presentations, demonstrations, etc.) could increase adaptability to multiple distinct audiences.
Relate to an audience at the individual level
Studies have shown that one of the most effective media for engaging with audiences from the general population is the poster.
Absence of data collection
Regularly collecting metrics from audiences allows those working on the campaign to learn which methods are working and which are not. Data collection will enable campaigns to improve based on direct feedback from audience members.
Organizers of cybersecurity campaigns must recognize that they are attempting to teach an entirely new skill and that failure is inevitable. Individuals will falter when learning any new practice, and cybersecurity is no exception: organizers must leave room for failure and turn failures into learning opportunities.
There is an ever-increasing variety of cyberattacks, so awareness campaigns must be prepared to test their audiences in a variety of different ways (quizzes, false phishing, risky behavior analysis, etc.). As with the previous point, it is important not to shame or discourage an individual if they fail a testing exercise; rather, it is important to turn the failures into learning moments and provide continued encouragement.
Factors of a successful cybersecurity campaign
Finding success with a broad audience requires delivering information through several media. As mentioned before, posters have been reported to be the most effective.
Computers are an omnipresent component of modern cybersecurity, so it’s crucial to expose audiences to them as much as feasibly possible. Computer demonstrations and exercises may be useful for smaller-scale audiences.
Events help bring security awareness efforts to life. Events are places where information can be distributed, demonstrations can be performed, and questions can be asked. Events can also allow campaign organizers to gauge an audience’s understanding of and feelings about cybersecurity.
An online campaign must provide general information on cyber attacks and cybersecurity in an online format. The portal should include a knowledge base and a section where general users can ask questions in an online forum to promote discussion.
Behavioral testing & teachable moments
Campaign organizers need to be prepared to allow failures in understanding, practices, and testing. As stated previously, these failures should be met with a positive attitude and reinforcement of proper cybersecurity behaviors and actions.
Teaching new skills effectively
Cybersecurity is an extraordinarily complex field, so when teaching proper skills & behavior to a general audience, complex goals should be broken down into short-term, achievable steps. Any & all assistance should be offered to all participants of a campaign at any time, whether it be answering a specific question or reintroducing basic concepts.
Cybersecurity awareness is an enormous concept and campaigns will take some trial & error in order to see some marginal success. It is important to consider the factors outlined in this study, as they seem to make valid points about the human experience with cybersecurity. One of the most important aspects, it seems, is that no one person is an expert in all of cybersecurity, and when teaching practices of good cybersecurity posture, one should treat it as the almost entirely new skill that it is. It is also important to remember that cybersecurity is an ever-changing field, and advances in cybersecurity awareness & overall posture must remain ever-changing as well.