Content Effectiveness: The Importance of Choosing the Right Team
In a recent chat with a friend, the topic of branding and marketing came up in relation to making an effective security awareness program. More specifically, we were discussing what happens to the effectiveness of your content messaging, as well as your ability to consistently influence behavior, if the employees creating and implementing the content (a.k.a. your team) don't act in accordance with the message. Long story short, this can be very damaging and ultimately result in decreased effectiveness of your entire content strategy as well as a decreased ability to change user behavior. Regardless of this, the importance of having the right team (and right branding) is not something that is given much attention when building a security awareness architecture. To address this I wanted to post an example that I have actually seen with some clients. :)
An organization has bought brand new content -with a new message- to send to their users to get them to change behavior (e.g., be more secure and/or stop bypassing the security controls set in place). After 6+ months there are very minor improvements in some spots, but not as much as expected, and most behaviors haven't changed at all. Rather than just accepting defeat, the team decides that they are going to reevaluate the situation and customize the off-the-shelf content that they bought. In order to do this they need to research the users, identify the appropriate message, and implement a content strategy that gets better results than they are currently seeing.
To better understand the users, and ultimately create the right content messaging, the team decides to evaluate their security culture by:
1) Identifying the top security priorities within the organization
2) Understanding what message the current content plan is sending out and
3) Finding out why that message is not resonating with the users.
After some interviews they find out that:
1) Their top priorities are: (1) reporting phishing attacks, (2) unapproved BYOD, and (3) delayed reports of lost or stolen items.
2) The new content focuses on a 'motivation' message that tells users the dangers of each so that they are motivated to act in a more secure manner. When appropriate the message will also include how the information pertains to securing the users' family as well.
3) Speaking with the users, a completely different story comes out. Users know the dangers of each topic -and use the information at home when applicable- they just don't want to call the IT help desk. It turns out that 5+ years ago it was run by a different program within the organization. Almost every user interviewed states that when they called it took over 30 minutes of their time and always resulted in a rude/irritated tone from the person on the other end. Because of this, users now avoid calling the help desk except in cases of dire emergency. Similarly, they tend to ignore any messages sent out or posted to the Help Desk website.
The Appropriate Message:
After talking to users, the security team realizes that before they can customize their content they have to address the image -or brand- of their IT Help Desk team. In the past the team in place acted in complete opposition to the desired content message. They were rude, unapproachable and implemented slow processes. Even though the staff has been completely changed, the IT Help Desk 'brand' needs to be changed to one of 'approachable,' 'helpful,' and 'improved.' Users need to feel like the IT Help Desk is not the same as it was in the past. The staff are approachable for any security questions -not just dire emergencies- and will go above and beyond to help the users understand. Basically, now that the staff is acting in accordance with the desired message, the organization's users need to see that things have changed.
The Content Strategy:
Change the IT Help Desk Website: The IT Help Desk is large enough that the team has a website where they post their number, pertinent security information and different announcements. In order to indicate "improved," this page needs to change in look and feel. This gives the users a visual indicator that things have changed and that the previous experience may no longer apply.
Lunch and Learns: Set up a series of lunch and learns -about information the users would find interesting/important- and have them run by the help desk team. While this does help get information out there, it also gives each of the teams running the lunch and learn a more approachable and knowledgeable image. It's a small, intimate setting where questions are safely asked and answered.
The content strategy implemented was successful in changing the image of the IT Help Desk. Not only are users calling to report phishing attacks and lost/stolen items, but they are also calling for clarification/information on other new threats. Furthermore, users are digesting the information on the website, giving the security awareness team a helpful medium to disseminate new and important information to users.