Security awareness doesn't have to be from fear - in fact, research shows that most forms of using fear as motivation only work on a very specific subset of individuals and then only for a limited time. Using a positive approach actually has a stronger and longer impact. So how do we go about that? Lisa Plaggemier, Executive Director at the National Cyber Security Alliance (NCSA) to shares her insights with us. The NCSA is non-profit that was established in conjunction with the Department of Homeland Security and the co-founders of Cybersecurity Awareness Month and is a grantee of the Cybersecurity Infrastructure Security Agency (CISA).
The Hoodies Mindset
Lisa set the stage for what the 'hoodie mindset' is, "There's a lot of scary stuff happening in the world that if you're paying attention to what's happening in cybersecurity, it's pretty frightening. We have the propensity to talk about it in terms that are scary, that express that the state of affairs is not good.
The situation frequently comes across in the way we talk about it to others. So whether you're a CISO giving a board presentation or you're training an awareness person working on messaging for your company, it's really easy for us [security professionals] to channel that fear through to our audiences.
We've relied on that for too long, I think, as a motivator, thinking that if we just use shock and awe, if we just scare people, we'll get their attention, we'll get more resources, and we'll get them to stop doing the things that they shouldn't do that cause a lot of the problems.
The problem is that fear is not a great sustainable motivator. I like to say that if fear worked as a
motivator, you'd see advertisers using it all the time. Every commercial we see on TV, every Super Bowl ad, would use fear as motivation because there are billions of dollars at stake there.
And if that worked, then every ad agency would be running as fast as they could to hear us and buy products. It's not the best for lasting behavior change.
And that's where the images of the hacker and the hoodie -the very spooky, ominous images come from - from that desire to use fear as a motivator."
The main goal of any communicator is for their message to be received in a way that inspires action or changes a mindset. To achieve this, one must consider how the message will be perceived and what action or new mindset you want the audience to walk away with. Any message, no matter how important, has to be relatable for it to be heard.
Images of criminal hackers in hoodies, binary code floating across the screen, or a close-up of a digitized motherboard with fingers flying over a keyboard don't scream 'relatable' to the average viewer.A picture is worth a thousand words only if there's the right context.
One might argue that the above-described imagery actually inspires the opposite effect of disconnecting from the situation because it is so foreign and has little context to their everyday lives. According to a report Oh Behave! - annual cybersecurity attitudes and behaviors report by the NCSA and CybSafe - one main sentiment of end users is that they are frustrated and intimidated by cybersecurity. In short, the current tactics of fear and uncertainty are working but against our intended goal - to make people more aware and adopt safer online behaviors.
Lisa's stance is that it's time to change our approach as an industry.
How do we change the "hoodie messaging" or FUD?
One quick fix is to start by getting rid of the ominous images that instill fear and uncertainty in training slides, PDFs, flyers, etc. Instead, use images of regular humans engaging with technology - a kid with their phone or a parent with a laptop, someone in an office in various demographics, and in a variety of settings. Use everyday images your listener can see themselves in to establish a connection to the context for them.
With the visuals more realistic we can now work on improving the text within our messaging. One good way to approach it is by looking at other messaging used in tech. This messaging focuses on the benefits technology brings to our lives - our ability to connect, communicate, and be more efficient in getting work done on a global scale. That's framing from a really positive perspective, and whether for business or home, cybersecurity's aim is to protect and enhance the benefits of technology.
"When we walk in as cybersecurity professionals and tell them [regular users] that they need to be very afraid, that is a counter to the way they look at technology. And so rather than setting ourselves up to try to counteract what they know as all these positives, I think we have to lean into that same optimism, lean into that same positivity. Rather than trying to counteract it, rather than trying to fight against it, we need to use that to our advantage."
One way to use it to our advantage is to let the end-users know they are not helpless in the face of cyber attacks. There are new tools and habits they can utilize - without having much tech savvy - to strengthen their online security for work and home.
"You use technology to do all these good things. There's just these few little things more that you need to do that will keep you safe while you use it."
One audience member, Gabriel Friedlander, stated that we need to communicate to the employees that "Security awareness is a benefit, not a chore." For instance, implementing MFA should not be viewed as an inconvenient security hurdle but rather gives greater security for users to continue using apps with less risk in their day-to-day. MFA is to everyday digital interactions what stop signs and seat belts are to road safety, our challenge is to help shift the mindset to using these new habits.
Other ways to cultivate a more positive mindset towards security involves creating more positive association with it in general, such as the gamification of awareness trainings and programs.
Lisa shared an example from her own family - her daughter who is a recent college grad works at an organization with a really mature awareness program. Their phishing exercises and simulations are gamified using a points system. These points can be redeemed to purchase items in the company store, including camping gear, accessories, and much more. What impressed Lisa is how motivated her daughter is because of it which has also caused the effect of security being a constant conversation topic.
While anecdotal, it is one of many real-world examples from successful awareness programs of how positive rewards and reinforcement contribute to a stronger security culture overall. It's important to note that not all positive rewards have to be monetary or prize rewards. A simple thank you and acknowledgment in the right channels or in front of leadership within the org has a strong impact as well. While it doesn't seem like much, saying thank you can be enough to encourage continued positive security habits.
Lisa's parting advice:
1 - Be empowering and positive in messaging.
2 - Get more creative using imagery that communicates better than the default "hackers in hoodies" mentality. Use photos that your users can relate to for stronger connection.
3 - This October, be a part of the solution in some way. Do something to give back to your community, your school, your place of worship, or whatever organization where you can carry the message of awareness to the masses.
Resources Recommended by Lisa:
Looking for awareness training that is short, relevant, and engaging? Check out Wizer’s free security awareness video library.