Creating a Security Content Plan: Caution Bumps Ahead

Feb 27 2013 Megan Uncategorized No Comments

This month’s blog theme has been “Creating a Security Content Plan” and we have effectively talked about how to pair a problem with a solution as well as how to time those solutions and get the most effective change in behavior.


While each step may seem simple, and easy to implement, there are a few things to keep in mind. Potential…bumps in the road…as it where.

Lets go over the top ones.

1- Not all problems are created equal

2-Not all organization are created equal

3-Don’t focus on just one solution

4-Not all timing is created equal
Challenge #1: Not all problems are created equal.
If you go onsite and find out that an organization is having issues with using unapproved USB drives because it’s difficult, what does that mean? Is it difficult because there are none in the office? Is it difficult because in order to get them they have to go up 5 flights of stairs and check one out? Each example is ‘difficult’ but both for very different reasons. One can be resolved merely by making them available in the office while the other requires a decrease in physical difficulty.

You have to know why the reason is occurrinf before you can resolve it.

-Note- this also applies to motivation and forgetting.


Challenge #2: Not all organizations are created equal.

While it is very easy to think that an organizations’ architecture can be a ‘one size fits all’ situation that is not the case. Just like we talked about in previous blogs on culture, problem behaviors, and their reasons, are unique to the organization. For example, lets say that Morgan Stanley and Google both have issues with users not calling the help desk. A cultural assessment reveals that those at Morgan Stanley just don’t remember to call while the tech savvy employees at Google prefer to try and fix it themselves. Both companies have the same problem in their users, but the reason- and therefore the solution- is drastically different for both. In this example, Morgan Stanley needs to put up material to remind their users that the help desk is there and how to contact them. Even when they found significant increases in users calling the help desk they could not share their solution with Google because they are having a drastically different issue. Google needs to motivate their users not remind them.

Just as problems differ between organizations, the same can occur within. Lets say that one year a large influx of new employees was hired and suddenly there was a big problem with users not shredding PII. A cultural assessment shows that employees are having difficulty identifying PII when they see it. Over the next year a solution is applied, the problem behavior decreases, but suddenly it starts to creep back up again. Another evaluation reveals that users aren’t shredding PII now because they aren’t motivated to do so. They can properly identify it but they don’t see why it presents such a threat. Suddenly the problem has changed within the organization

This leads to our next challenge.


Challenge #3: Don’t focus on just one solution.

Lets say users are falling prey to phishing attacks because they have a hard time identifying it. Your organization spends a good amount of time, buys an embedded training tool and constantly sends users phishing emails as training on how to identify them.



Note- This is not how embedded training is recommended to be used but several organizations think that more is better and in this case that can have a nasty side effect.


Suddenly the users can identify any phishing email but they think that ALL of them are from their organization. What happens when users think phishing emails are from their organization rather than a hacker trying to gain access to their bank account?

They are no longer ‘scary.’ The threat of danger has been highly diluted and the users motivation to avoid phishing emails decreases rapidly. This is what can potentially happen when all your effort is put on one ‘solution’….you risk creating another problem for yourself. A well though out content plan, rather than a poorly used tool, will not only address your current problem with an appropriate solution but will do so in a manner to make sure other problems don’t arise as well.


Challenge #4: Not all timing is created equal. 

Just like with problems, organization, and ultimately culture, the timing of solutions is not always the same. In last weeks blog on timing both problems had to address all three reasons why the behavior was occurring: (1) difficulty, (2) motivation, and (3) forgetting. Even though one example was about deterring kids from approaching poison ivy, and the other about users falling for phishing attacks, the order of the solutions was ultimately the same.

It is very important to point out that this is NOT always the case.

The reason both examples were timed the same was because the problems were the same. More specifically, children were having difficulty identifying poison ivy while users found it difficult to identify phishing emails. Because these similarities existed across all three problems they could be ordered the same for both problems. If even one of those problems were different (i.e., difficulty for one was physical instead of issues with identification) the timing gets changed.

Long story short, not all timing is created equal.

There you have it. The top 4 challenges to look out for when creating an effective content plan. They may seem small but trust me, treat any of them lightly and suddenly your well-planned security architecture starts to look like a confusing web of random user behavior.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>