While we still have some way to go, thanks to initiatives such as Cyber Security Awareness Month and the relentless effort of many Chief Security Officers and other security professionals, security awareness programs are becoming a well-established practice in many organizations. Yet, after all that effort, people still remain a key vulnerability and we can only conclude that security awareness programs are not always as effective as we hope for.
Even more troublesome is that I have seen unsuccessful results in what I would consider ‘best practice’ awareness programs. I.e., programs that took all the traditional security awareness critical success factors into account, such as:
- Obtaining executive management support
- Inclusion of internal communication team
- Making it “interesting”
- Using leading marketing and learning techniques
- Branding through a clear and distinct identity
- Implementing behavioral accountability
These success factors were also identified in a book on Security Awareness that I wrote 13 years ago. Clearly if awareness programs are failing, there is a need to revisit these, and where needed amend them or add some more nuance.
To do that we need to first have a look at the root causes of why awareness programs are failing or less successful, even when going by the book (mine or another). Below, I summarize the most important ones that I have seen or personally experienced over the last years.
1. Massive competition from other communication campaigns
Security awareness is just one of many corporate communication campaigns. The awareness messages often get lost between the many other communications. In companies that strongly govern communication campaigns, there may even be long periods where there are hardly any slots available for sending more than one security awareness communication per year.
2. Learning fatigue
Not only are there many other communication topics, there are also many other awareness and learning topics. Corporate values, corporate strategy, corporate social responsibility, privacy, code of conduct, quality, diverse compliance topics, etc. to name just a few.
Your target audience has become numb for the many awareness messages and training programs, and just pass by them or sit through them without truly absorbing them.
3. General disinterest of the target audience in the topic
Many people still do not understand that security is a topic of relevance for them. As such, the messages are being ignored and mentally filtered out as noise. Security has an abstract meaning to them. It is hard for people to understand how to connect their personal behavior to eventual outcomes. They also don’t believe it is their direct responsibility. While awareness tries to overcome that, it is hard to break through that first major barrier of making clear that it is of interest. Because only then will people start to pay attention to the message.
4. Digital learning platforms are only partially effective
Web based learning and other digital learning platforms are good ways to reach many people and to track and trace participation. They have therefore become the core of many awareness programs. But, even when all forms of interactivity and innovation are being added, they remain ineffective for audiences with lower motivation and interest. And as established above, we are dealing with such an audience.
5. Security resources are not necessarily good communicators
Much of the content needed for awareness is intended for non-specialized, non-technical and often non-interested audiences. Writing such content in a way that is understandable and appealing to such target audience requires a specific set of skills and expertise. Security professionals may have excellent analytical, security incident response and/or managerial skills, but may not have time nor the skills to create content that is readily consumable for awareness purposes.
Compensating with external resources or off-the-shelf awareness materials helps, but often makes the content bland and not specific enough to the organizational context.
6. We rely too much on people being able to do the right thing
The technologies and threats change constantly, it is hard for end-users to keep track of what secure behavior means in an ever-changing environment. We cannot expect them to become experts. Additionally, even if we can change the behavior of most, we must consider that computer security is in often only as strong as the weakest link.
Don’t get me wrong, I am still a firm believer in the need for security awareness initiatives. However, we do need to take these inherent challenges into account, and do things differently.