Fear is not the motivator you’re looking for: 5 security awareness training tips from Dr. Jessica Barker
I recently had the opportunity to hear Dr. Jessica Barker speak on “Conquering Fear and Loathing in Cybersecurity” at Infosec’s annual security awareness conference, Infosec Inspire19. If you haven’t had the opportunity to hear her speak, you’re missing out: she’s an international rock star in the world of security training and awareness.
Here are five pieces of advice Jessica left with us and my take on each.
1. Engage with positivity
This sounds easy, but since we’re dealing with scary stuff, we tend to use fear to motivate people to change instead of being positive. It’s hard for us security practitioners not to use fear because we tend to be pessimists. (I would argue we’re realists, but that’s a whole other article.) If the glass is always half empty, or if you’re always waiting for the other shoe to drop with your employees, it’s hard to communicate with positivity. Here’s my tip: in every bad security behavior, look for an opportunity to inspire change, an opportunity for you to have an impact and an opportunity for you to be great at your job.
2. Spread empowerment
Education is empowering. After years of training security professionals and training more CISSPs than anyone else, this is in our DNA at Infosec. We’ve seen former students go on to do great things. Knowledge really is power, so give your employees the knowledge they need so they feel like they can be a part of the solution — not part of the problem. Once you’ve gotten people’s attention with a positive message, arm them with education.
3. Embrace social proof
Humans are social beings and we frequently look to each other for clues on how we should behave. This is particularly true when we don’t know what to do in a situation. Online reviews are the perfect example of social proof — we put our faith in people who have made the same purchase decision that we are facing. As Dr. Barker said at Inspire, “If it’s good enough for everyone else, it’s good enough for me.” The key here is working the psychological phenomenon of social proof into our security training and awareness programs. Dr. Barker’s example: instead of reporting how many people click on mock phishing emails, celebrate those who don’t and invite everyone else to join them in protecting the organization.
4. Explore humor with caution
Humor can backfire if it’s overused and people don’t take the topic seriously, so make sure you’re educating people while keeping them entertained with humor. I think humor is great for getting people’s attention, but the message also has to deliver guidance on good security behaviors. I’ve successfully used humor to help a topic “go viral” at the office and get people buzzing about a topic that, let’s face it, can be perceived as dry and boring.
5. Speak the language of the audience
To speak the language of your audience, you have to first know who they are and understand them, so do your homework first. Choose topics that are relevant to their roles and day-to-day activities, use scenarios people can relate to and words that resonate. It’s not just language but also context that should be adjusted depending on who you’re talking to.
Bottom line: your people are not the weakest link in your security program. In her keynote, Dr. Barker quoted a great phrase from the NCSC: “If security doesn’t work for people, it doesn’t work.” That’s why, as security practitioners, it’s up to us to build up our colleagues and show them that, with the right knowledge, they can stay more than a step ahead of cybercriminals.
Want to learn more about how you can engage and empower your employees with security awareness and training? Listen to this Fireside Chat between Dr. Barker and me as we unpack the human nature of cybersecurity including cognitive bias, fear, behavioral change and security champions.