Most people working for organisations have been exposed at some point in their careers to security awareness programs. Some of these programs are well-executed and delivered, while others consist of a disinterested security person talking through slides for 45 minutes.
I’ve seen many good security awareness programs over the years, and at the same time, seen more than my fair share of security ignorance programs. These are, in effect, anti-security awareness programs, and they probably do more harm than good.
I’ve collated twelve of the most common qualities found within a security ignorance program. Avoid these mistakes at all costs.
- It must be boring. Don’t even think about injecting any personality into the campaign. Deliver facts in as dry a manner as possible.
- Tell, don’t show. Forget visuals, they only get in the way of your words. Don’t ever use a picture or video to illustrate your point.
- Never use humour. The last thing you want to do is make someone laugh or amuse them.
- The security policy reigns supreme. All you really need to teach people is where to find the security policy and how to apply the 732 controls it mentions.
- Never make it personal. Don’t acknowledge people have families or personal lives or that they will ever need to apply security knowledge outside of the organisation.
- More dryness! Hire an English major student so they can analyse communication until it’s as complicated and dry as possible. All signs of humanity and informal language need to be stamped out.
- Insult your users. They’re idiots - don’t be afraid of saying it out loud. All security problems are their fault anyway.
- Let the CISO into the production process. Obviously they’re the expert because they once took a creative writing class. Let them set the tone and have the final say in graphics and editing.
- Design by committee. The more experts the better.
- Awareness is a once-a-year event. Once is always enough, especially for security. Pay no attention to the likes of Coke, who waste something like 3bn a year on advertising.
- Never change your approach. If it’s not working, just yell louder.
- You’ve ticked the audit box, well done. Go home and try not to sprain your arm patting yourself on your back.
If you want a security awareness program that works, then check out new-school security awareness training by KnowBe4.