Fear is not the motivator you’re looking for: 5 security awareness training tips from Dr. Jessica Barker
I recently had the opportunity to hear Dr. Jessica Barker speak on “Conquering Fear and Loathing in Cybersecurity” at Infosec’s annual security awareness conference, Infosec Inspire19. If you haven’t had the opportunity to hear her speak, you’re missing out: she’s an international rock star in the world of security training and awareness.
Here are five pieces of advice Jessica left with us and my take on each.
See Infosec IQ in action
1. Engage with positivity
This sounds easy, but since we’re dealing with scary stuff, we tend to use fear to motivate people to change instead of being positive. It’s hard for us security practitioners not to use fear because we tend to be pessimists. (I would argue we’re realists, but that’s a whole other article.) If the glass is always half empty, or if you’re always waiting for the other shoe to drop with your employees, it’s hard to communicate with positivity. Here’s my tip: in every bad security behavior look for an opportunity to inspire change, an opportunity for you to have an impact and an opportunity for you to be great at your job.
2. Spread empowerment
Education is empowering. After years of training security professionals and training more CISSPs than anyone else, this is in our DNA at Infosec. We’ve seen former students go on to do great things. Knowledge really is power, so give your employees the knowledge they need so they feel like they can be a part of the solution — not part of the problem. Once you’ve gotten people’s attention with a positive message, arm them with education.
3. Embrace social proof
Humans are social beings and we frequently look to each other for clues on how we should behave. This is particularly true when we don’t know what to do in a situation. Online reviews are the perfect example of social proof — we put our faith in people who have made the same purchase decision that we are facing. As Dr. Barker said at Inspire, “If it’s good enough for everyone else, it’s good enough for me.” The key here is working the psychological phenomenon of social proof into our security training and awareness programs. Dr. Barker’s example: instead of reporting how many people click on mock phishing emails, celebrate those who don’t and invite everyone else to join them in protecting the organization.
4. Explore humor with caution
Humor can backfire if it’s overused and people don’t take the topic seriously, so make sure you’re educating people while keeping them entertained with humor. I think humor is great for getting people’s attention, but the message also has to deliver guidance on good security behaviors. I’ve successfully used humor to help a topic “go viral” at the office and get people buzzing about a topic that, let’s face it, can be perceived as dry and boring.
5. Speak the language of the audience
To speak the language of your audience, you have to first know who they are and understand them, so do your homework first. Choose topics that are relevant to their roles and day-to-day activities, use scenarios people can relate to and words that resonate. It’s not just language but also context that should be adjusted depending on who you’re talking to.
Bottom line: your people are not the weakest link in your security program. In her keynote, Dr. Barker quoted a great phrase from the NCSC: “If security doesn’t work for people, it doesn’t work.” That’s why, as security practitioners, it’s up to us to build up our colleagues and show them that, with the right knowledge, they can stay more than a step ahead of cybercriminals.
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
Want to learn more about how you can engage and empower your employees with security awareness and training? Listen to this Fireside Chat between Dr. Barker and me as we unpack the human nature of cybersecurity including cognitive bias, fear, behavioral change and security champions.
In this Series
- Fear is not the motivator you’re looking for: 5 security awareness training tips from Dr. Jessica Barker
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness