Editor's Note: Today's guest blog post is from Jon Homer, who ran the awareness program at Idaho National Labs, one of the most targeted organizations in the world. Below he shares his lessons learned in knowing your target audience.
I’ve attended many classes, participated in (and taught) many trainings, listened to seminars, and read books on building effective awareness campaigns. There is some really great information available. However, most of the resources present ‘theories,’ often at such a high level I find myself leaving the room ‘enthused and confused.’ I’m excited to get started but not sure where is step one. I was recently in a discussion about awareness programs where it was asked “what makes the best of the best?” It caused me to take some time to attempt to take the subconscious and turn it into discrete actions.
Security awareness is about getting people to change (or sometimes reinforce) their behavior. Capturing the attention of our audience and motivating their action is a talent parallel with the greatest sales teams. Most ‘users’ want to do the right thing, but are annoyed at the slightest inconvenience or discomfort. Security appears to be at odds with productivity, and our job is to drive behavior that may impede their measured performance. With today’s limited budgets and over-saturated messaging, where do we focus our resources? What are the steps to building a successful awareness program?
Step 1 - Satisfy your regulatory requirements. (You have to do them, get them out of the way.)
Step 2 - Define your audience. 'Peanut-Butter-Thin' never causes much lasting impact. Instead, define and refine your audience - and do so by aligning to the problem you are trying to solve. At this point, you very likely have to do some HR-unallowed analysis, so be careful what you put in writing! For example - if you are trying to deal with phishing, you may conclude that young, new hires, don't click very often, but 50+ year-old men who have advanced degrees psychologically have to open and investigate every email they receive. In another example, if you are trying to deploy a social media policy, most almost-retired employees don't have accounts, whereas the new batch of flower-power graphics designers that were hired down on the 3rd floor keep posting all your IP to Instagram. You get the idea. The more clearly defined the audience, the more effective you will be - guaranteed.
Step 3 – Make assumptions. Write down what you think you know about your defined audience. What do they read, listen to, log on to, associate with, are too good for, and so on. Be granular and specify. Also cite examples of what works in reaching your audience – especially the things that surprise you. (Think about the advertisements that you can’t believe were ever developed, but product sales are shooting through the roof. i.e. Old Spice’s “Man on a horse”, Doritos’ audience developed superbowl ads, Volkswagon’s “May the power be with you,” etc. Need ideas - check out what is ‘trending’ on Facebook, Twitter, MSNBC, and other social medias – follow the momentum of the masses.)
Step 4 - Shadow your audience. This is where you validate what you presumed in step 3. Watch and see what your defined audience does naturally. As they walk down the hall do they read the posters, text on their phone, never leave their offices, or telecommute only? Are they active on the inter-company blogs? Do they have facebook accounts? Do they fit the profile of youtube viewers? video gamers? etc. Discrete observation will be more effective than surveys at this stage. Merge what you learn with step 3, and protect this information.
Step 5 - Match the tools to the audience's natural behaviors. If you are trying the reaching an audience who goes home and plays video games, don't put up posters. If you are trying to reach an audience who doesn't have a facebook account, don't use social media (whether or not the company makes them have an internal Yammer account.) If you are trying to reach someone who reads technical documents for fun, don't make cute videos. Test your approaches with sample audiences.
Step 6 - Deploy multiple tools for multiple audiences. Don't try to make a tool so broad it reaches all your audiences. It will fail to cause any impact. Yes, smaller quantities are more expensive. But (using marketing terms) I would rather spend $10 on a single impression that results in a sale, than $1 each for 100 impressions, of which no one buys anything. (Hint: Pick which tools to fund based on the risk analysis prioritization, not based on the # of users impacted.)
Step 7 - Measure your success based on impact, not distribution. Cyber awareness is an environment where the only thing that matters is if you change behavior. It does not matter if you pass the quiz at the end of the online training. It only matters if you click on that malicious email, allow that stranger in the back door, or store the sensitive IP on an unapproved server. Awareness groups don’t exist simply to make noise – they exist to cause change. Measurement is difficult, but essential: if you are changing behaviors, you are succeeding. If your status reports are more casual in nature, tell stories rather than collect statistics. (i.e. ‘Bob from accounting told us that he saw an email that he normally would have clicked on, but instead he stopped and forwarded it into the cyber team. Turns out it was malicious, his actions prevented the whole network from being taken down.” Instead of “The phishing awareness campaign was read by 16% of the population, and overall infection rates were reduced by 1.2%.”)
Closing thoughts: It's better to have 50% of the work force really well behaved, rather than 100% of the work force annoyed by security awareness propaganda. It's easier to gain converted advocates than it is raise the overall awareness level of the entire organization. Focus on the individual, target the groups where you know you can have impact, and you will build an effective program. Good luck and stay focused!
About the Author: Jon Homer, CISSP™, was the lead for the Cyber Security awareness program from 2007 to 2015 at Idaho National Laboratory, a U.S. Department of Energy research facility. He has a background in organizational change management, disparate data reconciliation, project management, and continuity planning. Jon is certified as an advanced practitioner for the ProSci© change management methodology. During his spare time, Jon spends time in the air – flying both private aircraft and remote controlled models.
