ISACA Now Blog

Knowledge & Insights > ISACA Now > Posts > ‘Didn’t You Read My Email??’ and Other Security Awareness Fallacies

‘Didn’t You Read My Email??’ and Other Security Awareness Fallacies

Lisa Plaggemier
| Posted at 9:10 AM by ISACA News | Category: Security | Permalink | Email this Post | Comments (1)

Lisa PlaggemierI live in Austin, Texas, USA, where the bumper sticker quotient is fairly high, although diminishing with every vehicle that comes here from places like Dallas (no offense, Dallas — I don’t have any bumper stickers on my car either). One of my favorites is, “If you’re not appalled, you’re not paying attention.”

I’m sure it was written with politics in mind, but it’s absolutely relevant for cybersecurity, too. Most security professionals — me included — remember a time when we were appalled, closely followed by a desire to be part of the solution.

I see stacks of security awareness materials. To be effective, the producers of those materials rely on an appalled and aghast audience. Fear, uncertainty and doubt often provide an “easy out” for those looking for shortcuts.

"If you only understood how important this is, and all the bad things that really bad people are doing in the world, you’d stop reading this poster/email/training module and change your password/use a password vault/enable MFA right now.”

The problem is, people are only temporarily appalled, and after the shocking breach headline fades, they are no longer paying attention.

When considering the world of consumer messaging and advertising, we’re led to believe that humor, optimism and a sense of purpose are better levers than fear to motivate action. Let’s look at three common security awareness fallacies and how we can improve the ways we communicate to get people’s attention and create positive, engaging awareness campaigns, instead of shock and awe.

Awareness fallacies and corrective controls

Didn’t you read my email/policy/standard? People are bombarded all day by messages from all kinds of media — email, TV, billboards, Facebook and Twitter. They cannot escape it. I’ve worked at companies where people routinely receive 200 emails a day. With that much noise, people cannot read and intelligently process every email they receive. They read or skim what they think is important. Their focus is on their priorities and no one else’s. Corrective control: Use more than one channel to say the same thing over and over again. Not everyone is reading everything, so use email, posters, social media, videos, graphics, events and more to get your message across in every media channel available to you.

Up to and including termination. You cannot threaten your employees into a culture of security. Creating a culture is a lot like creating a brand – you can influence it, but you never completely control it. A brand lives in the hearts and minds of everyone who chooses to participate in it. People have to want to be a part of it – you can’t force them. Compliance is critical, and there’s a time for language like “up to and including termination” when you’re assigning mandatory training or writing policy. But if you use this type of threatening language with your security awareness materials, you should realize that it’s contrary to creating a culture people will embrace. Corrective control: I know a lot of training and awareness managers (I was one) who run a small part of their program for compliance, but the rest is optional. That requires you to be good at engaging people to take part and be new culture adopters. Identify those in the organization who are early and eager adopters and enlist them to help spread the message.

Human firewall, weakest link, end user. Way too many security communications refer to people in really unappealing terms – how can we blame them for not paying attention? I looked for an example of a successful consumer messaging campaign that instructed people to be more like technology, instead of illustrating how technology serves humanity. I did not find one, and that’s probably a good thing. Corrective control: Use language that empowers. Impart information that make people better people — not the human element, firewalls, links or users.

Think about your company’s culture and your current approach to these common fallacies. Take a razor blade to all those appalling bumper stickers you might have on your security awareness training vehicles. Replace them with upbeat and engaging messages that educate and empower.

Editor’s note: For more insights on this topic, download a joint white paper from ISACA and Infosec.


Re. Security Awareness Fallacies

Hi Lisa.

I agree with your view that the tone and attitude behind security awareness messages needs to be right. All too often security awareness is viewed as a compliance information provision 'tick box' activity when, in many cases, the true purpose of the communication should be to engage interest and active commitment, as well as inform.

It makes me wonder whether these types of awareness materials undergo user testing before release - probably not!!
Anna409 at 3/28/2019 10:50 AM
You must be logged in and a member to post a comment to this blog.