<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>MAD Security</title>
	<atom:link href="http://www.madsecurity.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.madsecurity.com</link>
	<description>Just another WordPress site</description>
	<lastBuildDate>Thu, 16 May 2013 17:08:05 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Making Content Stick: How to Make An Effective Evaluation.</title>
		<link>http://www.madsecurity.com/making-content-stick-how-to-make-an-effective-evaluation/</link>
		<comments>http://www.madsecurity.com/making-content-stick-how-to-make-an-effective-evaluation/#comments</comments>
		<pubDate>Thu, 16 May 2013 17:08:05 +0000</pubDate>
		<dc:creator>Kati</dc:creator>
				<category><![CDATA[Cyber Security]]></category>

		<guid isPermaLink="false">http://www.madsecurity.com/?p=3700</guid>
		<description><![CDATA[How many people would get a 3/3 on the following questions without even watching a training video? 1)   Do you need a password? Yes No 2)   Should you give your password to a stranger? Yes No 3)   True or False: All passwords should be displayed in the open True False What if 100 people were asked the following question on the local news, how many do you think would honestly say yes? Have you ever had racist, sexist or ageist ...<br/><br/><a href="http://www.madsecurity.com/making-content-stick-how-to-make-an-effective-evaluation/">Read more &#187;</a>]]></description>
				<content:encoded><![CDATA[<p>How many people would get a 3/3 on the following questions without even watching a training video?</p>
<p>1)   Do you need a password?</p>
<ol>
<li>Yes</li>
<li>No</li>
</ol>
<p>2)   Should you give your password to a stranger?</p>
<ol>
<li>Yes</li>
<li>No</li>
</ol>
<p>3)   True or False: All passwords should be displayed in the open</p>
<ol>
<li>True</li>
<li>False</li>
</ol>
<p>What if 100 people were asked the following question on the local news, how many do you think would <i>honestly</i> say yes?</p>
<p>Have you ever had racist, sexist or ageist thoughts?</p>
<p>Maybe 1%? What about if another 100 were asked under complete and utter anonymity?</p>
<p>Think the number would jump up?</p>
<p>Each of these examples demonstrates a valuable point: ASKING QUESTIONS IS HARD. It’s not as easy as just slapping a question mark at the end of a sentence and calling it a day. There are millions (and I’m not exaggerating) of factors to keep in mind when making a test, making a survey, conducting an interview, taking a poll, or anything similar. Since some form of content retention is needed after training, let’s focus on quizzes in this blog.</p>
<p><b>Challenges of Making a Quiz</b></p>
<p><img class="alignright  wp-image-3704" alt="Kati-Hoodie" src="http://www.madsecurity.com/wp-content/uploads/2013/05/Kati-Hoodie.jpg" width="187" height="192" /></p>
<p>What’s got 2 thumbs and took an ENTIRE graduate-level course, and part of a graduate degree, just to learn how to write a good series of questions?</p>
<p>That’s right, this girl. But rather than put you through that, or more importantly rather than put me through that, I am going to focus on the top challenges of making an effective quiz.</p>
<p>(If you want to know more about any of the other forms of questions/surveys/polls/etc. feel free to ask)</p>
<p><i>1-    </i><i>Being too easy-</i> The goal of a quiz is to evaluate an individual’s comprehension, or even mastery, of the topic at hand. Sometimes we even use this in annual training as a criterion for taking the next lesson. Because of this, making the quiz questions too easy is not only useless but also damages the overall training efforts. The previous phishing ‘quiz’ is a perfect example of questions that are too easy. Each question is a no-brainer, ‘no duh’ question that does not require any learning. Therefore, users can just skip to the quizzes and be finished with your 25-video annual training in 10 minutes.</p>
<p>Yeah, lots of learning there.</p>
<p>Not only does this fail to evaluate their comprehension of the topic, it also renders the rest of your training efforts, and the information in them, completely useless. You have just turned the one time a year that they <i>have</i> to pay a little attention into a wash. The quiz sucks, and now you need to find another way to get them new information so that your enterprise is not made vulnerable to attacks like the Nigerian Phishing Scam.</p>
<p><img class="alignright  wp-image-3705" alt="head-desk-1" src="http://www.madsecurity.com/wp-content/uploads/2013/05/head-desk-1.jpeg" width="320" height="240" /></p>
<p><i>2-    </i><i>Being too hard-</i> Just as making a quiz too easy is counterproductive, the same is true when the quiz is too hard. When a quiz is impossible to pass, users will first spend loads of time trying to complete your training, which is not great when you are paying them to do so. Once learned helplessness settles in, users will start to give up, rendering your training message useless.</p>
<p><i>3-    </i><i>Getting actionable results-</i> Even though quizzes are made to evaluate a user’s performance, they also tell the trainers/teachers/managers something as well. If evaluated correctly, you can see where there are large levels of misunderstanding, or needed improvement. For example, if you notice that 75% of the users got a 20% or less on their first attempt at a quiz on cloud computing, that tells you that supplemental efforts need to be made to close that gap. Make a newsletter. Start that security awareness campaign sooner rather than later. Regardless, structure your quiz so that you, and your enterprise, can evaluate user knowledge and adapt accordingly.</p>
<p>&nbsp;</p>
<p>While there are <i>many</i> more concepts to consider when making a quiz, if you can get these 3 under control, you have done half the battle.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.madsecurity.com/making-content-stick-how-to-make-an-effective-evaluation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Making Content Stick: Immediate &amp; Delayed Stimulation</title>
		<link>http://www.madsecurity.com/making-content-stick-immediate-delayed-stimulation/</link>
		<comments>http://www.madsecurity.com/making-content-stick-immediate-delayed-stimulation/#comments</comments>
		<pubDate>Wed, 08 May 2013 19:55:29 +0000</pubDate>
		<dc:creator>Kati</dc:creator>
				<category><![CDATA[Cyber Security]]></category>

		<guid isPermaLink="false">http://www.madsecurity.com/?p=3679</guid>
		<description><![CDATA[Welcome to Fantasyland where the budget is limitless and the users pay attention to everything you say! In Fantasyland you have amazing annual training that lays a solid foundation of information for your users. You have created testing that accurately and effectively measures user understanding of the training without being too hard or too easy. You have created additional content (e.g., posters, viral videos, newsletters, lunch and learns) that calls back to the concepts taught in training and changes user ...<br/><br/><a href="http://www.madsecurity.com/making-content-stick-immediate-delayed-stimulation/">Read more &#187;</a>]]></description>
				<content:encoded><![CDATA[<p><img class="wp-image-3681 alignright" alt="relaxed-man-feet-up" src="http://www.madsecurity.com/wp-content/uploads/2013/05/relaxed-man-feet-up.jpeg" width="432" height="324" /></p>
<p>Welcome to Fantasyland where the budget is limitless and the users pay attention to everything you say!</p>
<p>In Fantasyland you have amazing annual training that lays a solid foundation of information for your users. You have created testing that accurately and effectively measures user understanding of the training without being too hard or too easy. You have created additional content (e.g., posters, viral videos, newsletters, lunch and learns) that calls back to the concepts taught in training and changes user behavior. You have done it all.</p>
<p>So how do you implement this amazing content?</p>
<p><i>All-at-Once?</i></p>
<p><img class="alignright  wp-image-3682" alt="indoor classroom" src="http://www.madsecurity.com/wp-content/uploads/2013/05/indoor-classroom.jpeg" width="408" height="256" /></p>
<p>Imagine that every year your user comes to a room that is plastered with your amazing posters. They sit down at a computer and watch training videos on topics like ‘secure cloud computing.’ This is followed by a quiz, followed again by a wonderfully crafted newsletter you created on how to ensure that all data in the cloud is safe. It all ends with showing them a funny viral video involving cats, Megan Fox, or David Hasselhoff. Since we know they fully attended to all that information –remember this is Fantasyland- how long do you think their behavior will be affected by the training?</p>
<p>1 week? 1 month? 1 year?</p>
<p>Considering that most annual awareness training programs contain <i>at least</i> 20 topics, all needing a video, quiz, poster, and additional content, I’d give it 2 weeks. Maybe 6 weeks for the topics that really resonated with them (e.g., Protecting your family on Facebook). That’s right, not even 2 months after presenting all this content most of it will be gone until next year, which points out an important part of any security awareness architecture.</p>
<p><b>Immediate v. Delayed Stimulation</b></p>
<p>In the previous example, all of the content was set up as immediate stimulation. The user was presented with all information at once and did not see it again until a year later. While this does get all of the information across, it does NOT produce consistent behavior change across the <i>entire</i> year. To do this you have to use a mixture of immediate and delayed stimulation. By combining the two techniques you are able to lay a solid foundation of awareness that is consistently recalled by the user throughout the year. If done correctly, you can even manipulate what is recalled based on what is presenting the most vulnerability within your organization at the time.</p>
<p><b>When to Implement Different Types of Content</b></p>
<p><i>Annual Training-</i> This type of content can include everything from basic videos on passwords that everyone has to watch, to more specific role-based training that targets the information to fit the tasks of the user (e.g., Data classification for all users with a clearance). Annual training is where the foundation of information is established and is essentially ‘ground zero.’ Considering the density of the information, as well as the time required by the user, annual training should only occur once a year. Some companies choose to spread it over the year, and that is fine. The main point is that there is little to no value in using annual training in a delayed stimulation capacity.</p>
<p><i>Content Testing-</i> After seeing a video, the user has this large body of information and it needs to be stored (see previous blogs on the process of memory storage). One way to facilitate retention is through immediate testing. This requires the user to recall the information that they just learned through the training video, use it to answer questions, and re-store it, thereby strengthening the memory. Without this, the message is not strengthened and the literacy foundation is much weaker. Because of its placement immediately after the video, content testing is most effective as immediate stimulation.</p>
<p><i>Posters and Additional Content-</i> Something that was probably painfully obvious as wrong in the previous example was the fact that the only exposure the user was getting to the posters and newsletters was immediate and in conjunction with training. I have never seen a client use posters and other additional content in an immediate stimulation fashion because it does no good. Each is intended to call the user back to the information in training, facilitate recollection, and encourage more secure behavior across the entire year. Showing everything all at once is like placing all your cards on the table. You have nothing left.</p>
<p>While timing of your content requires more finesse and thought, classifying each part as either an immediate or delayed stimulation tool is vital in figuring out <i>exactly</i> where everything goes.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.madsecurity.com/making-content-stick-immediate-delayed-stimulation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Hacker Academy Announced as Finalist for Best of Interop 2013</title>
		<link>http://www.madsecurity.com/hacker-academy-announced-as-finalist-for-best-of-interop-2013/</link>
		<comments>http://www.madsecurity.com/hacker-academy-announced-as-finalist-for-best-of-interop-2013/#comments</comments>
		<pubDate>Tue, 23 Apr 2013 18:57:30 +0000</pubDate>
		<dc:creator>Josh</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Press Releases]]></category>

		<guid isPermaLink="false">http://www.madsecurity.com/?p=3665</guid>
		<description><![CDATA[Interop Las Vegas &#38; Network Computing Recognize The Hacker Academy for Innovations Advancing the Security and Business Technology Market SAN FRANCISCO – April 23, 2013 – Today The Hacker Academy, the industry&#8217;s leading provider of cutting-edge, hands-on security training, announced it had been selected as a Best of Interop finalist for the security award category, recognizing The Hacker Academy&#8217;s innovation and technological advancements in the information security industry.  The Best of Interop winners will be announced on Tuesday, May 7 at 5:30 ...<br/><br/><a href="http://www.madsecurity.com/hacker-academy-announced-as-finalist-for-best-of-interop-2013/">Read more &#187;</a>]]></description>
				<content:encoded><![CDATA[<p><b>Interop Las Vegas &amp; Network Computing Recognize</b><b> The Hacker Academy for Innovations Advancing the Security and Business Technology Market</b></p>
<p>SAN FRANCISCO – April 23, 2013 – Today <a title="The Hacker Academy" href="http://hackeracademy.com" target="_blank">The Hacker Academy</a>, the industry&#8217;s leading provider of cutting-edge, hands-on security training, announced it had been selected as a Best of Interop finalist for the security award category, recognizing The Hacker Academy&#8217;s innovation and technological advancements in the information security industry.  The Best of Interop winners will be announced on Tuesday, May 7 at 5:30 pm at the Interop Theater on the Expo Floor during Interop Las Vegas, happening May 6-10, 2013 at the Mandalay Bay Convention Center.  For more information visit: <a href="http://www.bestofinterop.com/">http://www.bestofinterop.com/</a>.</p>
<p>&#8220;Interop is an ideal venue for the key players in IT, networking and security to come together and identify strategic partners, technologies and initiatives that will drive industry innovation,&#8221; said Josh Larsen, Director of Enterprise Solutions at The Hacker Academy. &#8220;It is an honor to be selected as a finalist for Best of Interop. It is a testament to the hard work the team has put together to bring this unique solution to the market.&#8221;</p>
<p><a title="The Hacker Academy" href="http://hackeracademy.com" target="_blank">The Hacker Academy</a>, a division of MAD Security, will showcase the HackRack Appliance at Interop Las Vegas, the industry’s premier technology event enabling IT professionals and technology solution providers to leverage technology to power their business. The Best of Interop Judging Committee, comprised of 16 award-winning IT editors and analysts, reviewed nearly 150 entries and selected finalists based on the products with a significant technical impact with the most potential of advancing the business technology market.</p>
<p>“The Best of Interop Awards acknowledge innovative products and services in business technology,” said Andrew Conry-Murray, editor of Network Computing. “At Interop, attendees can see these products on the show floor and have the opportunity to interact first hand with the latest advancements. The selected finalists for 2013 have put forth the most compelling offerings and we congratulate each of the Best of Interop finalists.”</p>
<p>The category areas that Best of Interop finalists were selected for include:</p>
<ul>
<li>Cloud Computing &amp; Virtualization</li>
<li>Data Center &amp; Storage</li>
<li>Management &amp; Monitoring</li>
<li>Networking</li>
<li>Performance Optimization &amp; Testing</li>
<li>Security</li>
<li>Wireless, Mobility &amp; BYOD Support</li>
</ul>
<p>In addition to these specific category areas, there will be special awards chosen onsite including: an overall Best of Interop, Best Startup Company and for the first time, an Audience Choice Award that will be selected during the keynote on Wednesday, May 8.</p>
<p><strong>About <a title="The Hacker Academy" href="http://hackeracademy.com" target="_blank">The Hacker Academy</a></strong><br />
The Hacker Academy, a division of <a title="MAD Security" href="http://madsecurity.com">MAD Security</a>, is an engaging online education platform for information security professionals. Our immersive training environment is the best place to learn how to be a true information security professional. Our students can learn at their own pace with our instructor led videos and hands-on labs.</p>
<p><strong>About <a href="http://www.interop.com/">Interop</a>©</strong><br />
Interop © drives the adoption of technology, providing knowledge and insight to help IT and corporate decision-makers achieve business success. Part of UBM Tech&#8217;s family of global brands, Interop is the leading business technology event series. Through in-depth educational programs, workshops, real-world demonstrations and live technology implementations in its unique InteropNet program, Interop provides the forum for the most powerful innovations and solutions the industry has to offer. Interop Las Vegas is the flagship event held each spring, with Interop New York held each fall, with annual international events in Mumbai and Tokyo, all produced by UBM Tech and partners. For more information about these events visit www.interop.com.</p>
<p><strong>About <a href="http://www.networkcomputing.com/">Network Computing</a></strong><br />
Network Computing&#8217;s content adheres to the valuable &#8220;For IT, By IT&#8221; methodology, delivering timely strategy &amp; tactics, news, in-depth features, opinionated blogs, newsletters and digital issues on an array of key enterprise technologies: backup and recovery, data center architecture and technologies, data protection, network and storage management, unified communications, virtualization, WAN acceleration, and wireless networking.</p>
<p>Full press release: <a title="Best of Interop Press Release" href="http://www.prnewswire.com/news-releases-test/finalists-announced-for-2013-best-of-interop-203206191.html" target="_blank">http://www.prnewswire.com/news-releases-test/finalists-announced-for-2013-best-of-interop-203206191.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.madsecurity.com/hacker-academy-announced-as-finalist-for-best-of-interop-2013/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Making Content Stick: Retention</title>
		<link>http://www.madsecurity.com/making-content-stick-retention/</link>
		<comments>http://www.madsecurity.com/making-content-stick-retention/#comments</comments>
		<pubDate>Thu, 18 Apr 2013 13:16:52 +0000</pubDate>
		<dc:creator>Kati</dc:creator>
				<category><![CDATA[Cyber Security]]></category>

		<guid isPermaLink="false">http://www.madsecurity.com/?p=3631</guid>
		<description><![CDATA[Percent Retained = (Information acquired / Information presented) * 100 Retention is one of the main goals of any successful security awareness architecture. Without retention every poster, video, or lunch-and-learn is as valuable as ‘Snooki’ teaching a lesson in ethics. No one cares nor would they walk away knowing anything new or useful. The reason retention is such a big factor in security is because of the relationship between memories and the forgetting curve. (See previous blog for full explanation). In ...<br/><br/><a href="http://www.madsecurity.com/making-content-stick-retention/">Read more &#187;</a>]]></description>
				<content:encoded><![CDATA[<p style="text-align: center;"><a href="http://www.madsecurity.com/wp-content/uploads/2013/04/forgetting1.png"><img class="aligncenter  wp-image-3652" alt="forgetting" src="http://www.madsecurity.com/wp-content/uploads/2013/04/forgetting1.png" width="400" height="342" /></a></p>
<p style="text-align: center;">Percent Retained = (Information acquired / Information presented) * 100</p>
<p>Retention is one of the main goals of any successful security awareness architecture. Without retention every poster, video, or lunch-and-learn is as valuable as ‘Snooki’ teaching a lesson in ethics. No one cares nor would they walk away knowing anything new or useful. The reason retention is such a big factor in security is because of the relationship between memories and the forgetting curve. (<a title="Training + _______ = Training Retention?" href="http://www.madsecurity.com/training-_______-training-retention/">See previous blog for full explanation</a>). In short:</p>
<blockquote><p><i>&#8220;A memory is formed when you get information, encode it and then store it in the enormous noodle called your brain. As time goes by, if you do not recall that information the memory will fade. This interaction between time and memory retention is called the forgetting curve. The steeper curves represent information you don’t remember for long (e.g., the phone number of that crazy girl that clung to you at the bar) and shallower curves are those memories that you retain over longer periods of time (e.g., the last time you swam in a pool of jello).&#8221;</i></p></blockquote>
<p>In order for content to achieve the goal of retention, and fend off the power of the forgetting curve, two things need to occur. First, the content needs to engage the user and provide useful information (see <a title="A Successful Security Awareness Organization Architecture- Identifying Key Behaviors" href="http://www.madsecurity.com/a-successful-security-awareness-organization-architecture-identifying-key-behaviors/">cultural assessments</a> for figuring out what’s useful. See <a title="Security Awareness Content: Deciding What is Needed to Change Behavior" href="http://www.madsecurity.com/security-awareness-content-deciding-what-is-needed-to-change-behavior/">making security content </a>for how to engage). Second, the content needs to be remembered for later use (acquired) so that the message, and ultimately the behavior change, gets generalized past the initial exposure in time and physical location. Even though this is the ultimate goal, this is not the only method implemented. Usually one of three things occurs: compliance, compliance 2.0, or complete course development.</p>
<p>*Hint the last one is the best!*</p>
<p>Each of these methods is better illustrated through examples.</p>
<p><b>The Set Up</b></p>
<p>Rob just started working at Widgets Inc. They are a multi-national 3,000-person company that specializes in the production of Things. Because of the nature of their business they have confidential client information including banking data and therefore security is of high importance to them. Every user must be properly trained.</p>
<p><b>The Methods</b></p>
<p><span style="text-decoration: underline;"><i>Compliance</i></span></p>
<p>Widgets Inc. has decided that they just need to meet compliance requirements. Therefore, when Rob shows up for his first day on the job he goes through annual training, which consists of a series of PowerPoints on topics such as PII (personally identifiable information), passwords, physical security, and working remotely. After his second year, Rob realizes that the content does not change, so he develops the habit of just clicking through the slides and completing the training in 10 minutes without reading the information.</p>
<p><img class="alignright size-medium wp-image-3639" alt="snooky" src="http://www.madsecurity.com/wp-content/uploads/2013/04/snooky1-300x187.jpeg" width="300" height="187" /></p>
<p><b>PERCENT RETAINED- 5-10%:</b> While the PowerPoint technique is great at giving the user a whole lot of information (i.e., a PowerPoint slide jam-packed with paragraphs of information in 12-point font), it does NOT facilitate acquisition. Therefore, your retention percentage is much lower than should be acceptable for a successful security awareness architecture. Furthermore, the farther from training Rob gets, the less he remembers (<strong>dropping to </strong><b>less than 5%</b>).</p>
<p>Thanks forgetting curve.</p>
<p>Unfortunately, in many cases, this strategy serves to ‘check the box’ for compliance but not retention.</p>
<p>This is the Snooki of security awareness training.</p>
<p><span style="text-decoration: underline;"><i>Compliance 2.0 (compliance + engagement)</i></span></p>
<p><img class="alignleft size-medium wp-image-3642" alt="snooky gown" src="http://www.madsecurity.com/wp-content/uploads/2013/04/snooky-gown-244x300.jpeg" width="244" height="300" /></p>
<p>Widgets realizes that their annual training is being ignored by 99% of the users and decides to make a change. To engage the user, the Widgets Inc. security team goes from PowerPoints to training videos. This enables them to engage the user more and forces them to filter out the irrelevant information.</p>
<p>– Let’s assume they do a good job making the video –</p>
<p>Other than this change, the security awareness architecture is the same. The first year of this change is amazing. Users are engaged, and retention of the information significantly increases! Things are looking up.</p>
<p><b>PERCENT RETAINED- </b>After training,<b> 80-90% </b>with a slow decrease back to <b>5-10%</b> over time. Over the course of the year (a.k.a., the farther from the training they get) the changes in user behavior slowly drop and user-based vulnerabilities start going back up. Basically, retention was good at first but the message was not strengthened, therefore the forgetting curve rears its ugly head again.</p>
<p>This is Snooki in an evening gown. Better but not great long term.</p>
<p><span style="text-decoration: underline;"><i>Complete Course Development (compliance + engagement + strengthen)</i></span></p>
<p>While the addition of video engagement helped short term, Widgets Inc.’s security team has decided that they need long-term retention in their program. Having the users take the training more often does not fix the problem because it will desensitize them quickly and cost the company time and productivity. Instead, they decide to implement a security content plan that is based on the annual awareness training videos to strengthen the message. A test with a competence requirement (e.g., 90% or better to pass) is placed after each video lesson. Monthly security campaigns are created that use visual imagery from the videos to call back to the content. Furthermore, consistent activities (i.e., lunch and learns) are organized to give supplemental information to users. All of these serve to increase initial acquisition, strengthen the memory through consistent recall, and ultimately increase long-term retention by shallowing out the forgetting curve.</p>
<p><a href="http://www.madsecurity.com/wp-content/uploads/2013/04/megan-fox.jpeg"><img class="size-medium wp-image-3644 aligncenter" alt="megan fox" src="http://www.madsecurity.com/wp-content/uploads/2013/04/megan-fox-231x300.jpeg" width="231" height="300" /></a></p>
<p style="text-align: left;">Much Better!</p>
<p style="text-align: left;">Stay tuned for more details on HOW to get Megan Fox&#8230;I mean increase retention.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.madsecurity.com/making-content-stick-retention/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Awareness Content: Challenges of Using Punishment</title>
		<link>http://www.madsecurity.com/security-awareness-content-challenges-of-using-punishment/</link>
		<comments>http://www.madsecurity.com/security-awareness-content-challenges-of-using-punishment/#comments</comments>
		<pubDate>Wed, 10 Apr 2013 15:00:23 +0000</pubDate>
		<dc:creator>Kati</dc:creator>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Security Awareness]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[behavior design]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[learning]]></category>
		<category><![CDATA[measurement]]></category>
		<category><![CDATA[motivation]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[phishing awareness]]></category>
		<category><![CDATA[psychology]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security awareness]]></category>
		<category><![CDATA[training]]></category>
		<category><![CDATA[triggers]]></category>
		<category><![CDATA[user behavior]]></category>

		<guid isPermaLink="false">http://www.madsecurity.com/?p=3618</guid>
		<description><![CDATA[Punishment is evident in all aspects of our lives, from getting drivers to stop speeding to getting the dog to not bark at the mailman. Because of this, it is no wonder that several people turn to punishment when wanting to change user behavior. While punishment is a very powerful tool that can produce almost immediate change in behavior, it is very hard to control and very hard to maintain. For these reasons, I rarely recommend using punishment when ...<br/><br/><a href="http://www.madsecurity.com/security-awareness-content-challenges-of-using-punishment/">Read more &#187;</a>]]></description>
				<content:encoded><![CDATA[<p>Punishment is evident in all aspects of our lives, from getting drivers to stop speeding to getting the dog to not bark at the mailman. Because of this, it is no wonder that several people turn to punishment when wanting to change user behavior. While punishment is a very powerful tool that can produce almost immediate change in behavior, it is very hard to control and very hard to maintain. For these reasons, I rarely recommend using punishment when creating an effective security awareness architecture.</p>
<p><b><a href="http://www.madsecurity.com/wp-content/uploads/2013/04/sex.jpeg"><img class="alignleft size-medium wp-image-3620" alt="sex" src="http://www.madsecurity.com/wp-content/uploads/2013/04/sex-300x300.jpeg" width="300" height="300" /></a>What is the most effective punishment?</b></p>
<p>Want to know how to reduce user behavior with almost 100% effectiveness? Deprive users of food, water, and/or sex. Go forth and develop content.</p>
<p>&#8230;</p>
<p>No? I didn’t think so. When making security awareness content, we as info sec professionals are not able to use the most effective punishers and therefore have to evaluate our user base to figure out what the next best thing is. This punishment has to be easy to implement and applicable across your entire user base. Furthermore, it has to be easy to maintain. Let’s say you have an issue with users not properly disposing of PII, so you decide to implement a termination policy for all instances of improperly handled or disposed of PII. While very effective (because it gets at the user’s ability to purchase food and water), it is not easy to maintain. You will either end up with a lot fewer employees REAL quick or you turn into the boy that cried wolf. Let’s say that instead of termination, you force the employee to click through a 10-slide PowerPoint outlining what PII is and how to properly dispose of it. That won’t work either, for the opposite reason: even though it’s easy to maintain, its effectiveness as a punisher will wear off drastically. Think of this similarly to getting desensitized to a pop-up notification. It is for this reason that choosing a contingency is often one of the hardest parts of using punishment in a content plan.</p>
<p><b>Indirectly punishing behaviors</b></p>
<p>Imagine that your organization has a major problem with users losing mobile devices, laptops, and tablets. A loss is reported at least once every two weeks and each lost device exposes your organization to a data breach of some highly sensitive information (e.g., customer credit card information). In an effort to reduce this behavior, and keep your organization out of the news, you inflict a $100 penalty for loss of a phone, $300 for tablets, and $500 for a laptop. You see an immediate drop in device loss, but after a few months some other patterns start to emerge. First, calls to report <i>anything</i> to the security team significantly reduce. This includes reports about phishing attacks and suspicious computer behavior. Second, when a device is lost, users are taking an average of 2 weeks to inform the security team. In the past, lost devices were reported within 24 hours. Both of these present a major problem to your organization and are the unfortunate side effect of a poorly used punishment. This example demonstrates that even though a punishment is inflicted upon a specific behavior, there is no guarantee that the effect will be isolated. The plan was to reduce loss of devices, but users were also being deterred from reporting the loss as well as from calling the security team at all.</p>
<p>While major, these two topics are just a few in a long list of reasons why using punishment to change user behavior is difficult to do. To be effective, a large amount of control is needed otherwise you can create more problems than you started with.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.madsecurity.com/security-awareness-content-challenges-of-using-punishment/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Security Awareness Content: Challenges of Using Reinforcement</title>
		<link>http://www.madsecurity.com/security-awareness-content-challenges-of-using-reinforcement/</link>
		<comments>http://www.madsecurity.com/security-awareness-content-challenges-of-using-reinforcement/#comments</comments>
		<pubDate>Thu, 04 Apr 2013 15:03:35 +0000</pubDate>
		<dc:creator>Kati</dc:creator>
				<category><![CDATA[Security Awareness]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[behavior design]]></category>
		<category><![CDATA[culture]]></category>
		<category><![CDATA[learning]]></category>
		<category><![CDATA[measurement]]></category>
		<category><![CDATA[metrics]]></category>
		<category><![CDATA[motivation]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[phishing awareness]]></category>
		<category><![CDATA[psychology]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security awareness]]></category>
		<category><![CDATA[training]]></category>
		<category><![CDATA[user behavior]]></category>

		<guid isPermaLink="false">http://www.madsecurity.com/?p=3614</guid>
		<description><![CDATA[Imagine that you are the head of security awareness at an organization (not a stretch for some) and have been charged with getting people to report issues to the help desk. You decide, in your infinite wisdom, to encourage them to report issues to the help desk by giving them $1 each time they report a valid problem. The week after implementing the new reward program the number of issues reported to the help desk has increased 100 fold. You ...<br/><br/><a href="http://www.madsecurity.com/security-awareness-content-challenges-of-using-reinforcement/">Read more &#187;</a>]]></description>
				<content:encoded><![CDATA[<p>Imagine that you are the head of security awareness at an organization (not a stretch for some) and have been charged with getting people to report issues to the help desk. You decide, in your infinite wisdom, to encourage them to report issues to the help desk by giving them $1 each time they report a valid problem. The week after implementing the new reward program the number of issues reported to the help desk has increased 100-fold. Your program is getting great results. Not only are 99% of phishing attacks getting reported but shoulder surfing is down, you know when devices are lost, and compromised computers are being reported to the help desk rather than being discovered by them. Things are coming up roses.</p>
<p>See any problems here?<a href="http://www.madsecurity.com/wp-content/uploads/2013/04/money.jpeg"><img class="alignright size-medium wp-image-3615" alt="money" src="http://www.madsecurity.com/wp-content/uploads/2013/04/money-300x288.jpeg" width="300" height="288" /></a></p>
<p>Of course you do! The budget for this program is going to be INSANE! No practical business will support paying $1 for each ticket at the help desk for any longer than 6 months- MAX. This leads into the second, and biggest problem with using reinforcement. If the only reason that users are reporting issues is because of a reward, the minute that the reward is removed the desired behavior plummets. Unless you can replace the reward with something of equal <i>subjective</i> value their incentive is gone and the trained behavior is lost.</p>
<p>*Finding something of equal subjective value to cash on a large scale is damn near impossible. I only say ‘damn near’ because I’m sure there is some magical place out there that can do it but I’ve never come across it. *</p>
<p>Finally, let’s say that instead of $1 you gave them a free lunch- because your users <i>really</i> like lunch. How long will that be an effective reward? My guess is that after about a month of free lunches have been accrued the value of the reward will go down dramatically and so will your behavior. Suddenly, you have to switch the reward to something else – of equal subjective value- to keep them responding.</p>
<p>Vicious cycle anyone?</p>
<p><strong>How to Use Reinforcement to Your Advantage</strong></p>
<p>As you can see, reinforcement is a tricky thing, but when <i>can</i> we use it to change behavior?</p>
<p>Let’s go back to the help desk problem. Instead of paying for each help desk ticket, indefinitely, you make it a charity fundraiser for the holiday.</p>
<p>“Every time you call the help desk, $1 will be donated to buy gifts for families in need. Weekly progress will be reported!”</p>
<p>Some of you might look at this and say “even if we had the budget for that, we still have the same problem of removing the reward and losing the behavior once the fundraiser was over” but consider two very important differences.</p>
<p>1-    The reinforcement has a clearly defined ‘end point’ that has nothing to do with the user, the company, or their behavior but is a product of the reward. The gifts have to be bought at some point otherwise the fundraiser was pointless. Essentially you are isolating the reinforcement contingency and increasing your chances of the behavior persisting after.</p>
<p>-Not to mention periodic fundraisers to increase behavior –if needed- are MUCH more sustainable to the budget than constant reinforcement.</p>
<p>2-    The second and most important is how closely the reinforcement (e.g., $1) and behavior are paired. In our first example the employee saw the DIRECT effect of calling the help desk on their paycheck, therefore it was very closely paired to their behavior.</p>
<p>Just like if Pavlov’s dogs were fed EVERY time the research assistant came in.</p>
<p>The minute that the user realized the reinforcement was removed, the behavior that followed stopped (i.e., calling the help desk).</p>
<p>Back to Pavlov: The dogs would eventually stop salivating once they knew that the assistants were <i>never</i> going to feed them.</p>
<p>In our second example, the users see the money increase but it is NOT directly related to each time they call the help desk. Instead it goes into an anonymous pool that may jump $100 a week even if they just called the help desk once. Since the reinforcement is not closely tied to each behavior they perform, the chances of the behavior persisting after the reinforcement is removed increase significantly.</p>
<p>*For a more detailed look at this process see my previous blog on Pavlov and his dogs.</p>
<p>Based on all of this, be careful when using reinforcement. While it may provide an immediate result, it’s something that needs budget and time to maintain. If used wrong, you will just be setting yourself up for an uphill battle.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.madsecurity.com/security-awareness-content-challenges-of-using-reinforcement/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Security Awareness Content: The Viral Video</title>
		<link>http://www.madsecurity.com/security-awareness-content-the-viral-video/</link>
		<comments>http://www.madsecurity.com/security-awareness-content-the-viral-video/#comments</comments>
		<pubDate>Wed, 27 Mar 2013 18:10:16 +0000</pubDate>
		<dc:creator>Kati</dc:creator>
				<category><![CDATA[Cyber Security]]></category>

		<guid isPermaLink="false">http://www.madsecurity.com/?p=3597</guid>
		<description><![CDATA[How did a Korean pop artist become THE most viewed video on YouTube, and become an instant sensation in a country that does not speak Korean? The power of viral videos. The propensity for people to see a video, post it on their Facebook, Tweet it, email it to friends, and show it to everyone that passes by their computer has given people like Rebecca Black, Justin Bieber and dancing babies the ability to be famous! You can reach millions ...<br/><br/><a href="http://www.madsecurity.com/security-awareness-content-the-viral-video/">Read more &#187;</a>]]></description>
				<content:encoded><![CDATA[<p>How did a Korean pop artist become THE most viewed video on YouTube, and become an instant sensation in a country that does not speak Korean?</p>
<p><img class="alignright size-medium wp-image-3603" alt="psy-gangnam-style-dance" src="http://www.madsecurity.com/wp-content/uploads/2013/03/psy-gangnam-style-dance-300x225.jpeg" width="300" height="225" />The power of viral videos.</p>
<p>The propensity for people to see a video, post it on their Facebook, Tweet it, email it to friends, and show it to everyone that passes by their computer has given people like Rebecca Black, Justin Bieber and dancing babies the ability to be famous!</p>
<p>You can reach millions of people in days if you can harness the power of the viral video. So why not use it within your organization? Would it work to reach users about USB drives or is this just reserved for teen pop and dancing babies?</p>
<p>Our security behavior design team at MAD Security decided to test this question. We took the concept of the ‘funny cat video’, applied it to USB drives, and voila the <a title="Buddy Knows USBs" href="http://www.madsecurity.com/portfolio/buddy-usb/">buddy video</a> was born. Soon we were going onsite to talk to potential clients and they would ask “hey, can I see the cat video?” People that we had not even engaged yet had heard about our viral USB video.</p>
<p>Maybe it was a fluke? Does this only work for cats?</p>
<p>We tested again, but this time we made the <a title="Sample Advanced Security Awareness Content" href="http://www.madsecurity.com/security-behavior-design/advanced-awareness-content/hr-lady/">HR Lady video</a>. We showed it to a few people at RSA and suddenly our sales team was flooded with emails like “We have to have that video!”, “How do I get that sort of content for my organization?” and “Do you have more?”</p>
<p>So there you have it, viral videos are NOT just for teen pop, dancing babies, and some crazy Korean guy dancing on an imaginary horse.</p>
<p>So how do we use them in our security awareness architecture?</p>
<p><img class="alignright size-medium wp-image-3598" alt="Justin Beiber Visits Live At MuchMusic - Toronto, ON" src="http://www.madsecurity.com/wp-content/uploads/2013/03/justin-meme-300x223.jpeg" width="300" height="223" /></p>
<p><b>Appealing to Your Audience</b></p>
<p>A viral video is a very unique medium. It is something that is short and usually funny.</p>
<p>Come on, Justin Bieber videos are funny….the first few times</p>
<p>It also speaks to a topic that appeals to many. So how do we harness this in our security awareness content? Find out what your users find funny. Once you have figured out your hitch, make sure you and the creator(s) are not the ONLY people that find it funny. Going off the humor of some esoteric show only seen on Hulu – that the development team happens to love- will not get you the impact you are looking for. These types of videos need the eyes and input of many to know if they are going to work. Ideally, you should be able to send this to 100 of your closest friends and co-workers- inside and OUTSIDE of InfoSec- and get at <i>least</i> a chuckle from everyone.</p>
<p><b>Make a Lasting Message</b></p>
<p>One of the major things to consider when making a viral video is ‘what is the shelf life of this joke?’ If the topic of the video is extremely specific, you run the risk of basing your video on a 2 month fad…and for all who know how long it takes to make a video- that joke will be dead before the video is released. A good viral video appeals to many, but isn’t sooooo specific that it only appeals to them for 30 days.</p>
<p>See Jessica Black- Friday. She went viral and then dropped off the face of the earth&#8230;thank goodness.</p>
<p>Topics that may change over time but still remain funny are good picks. Appeal to an intrinsic humor, not just the latest fad.</p>
<p><b>SUPPLEMENTAL Not Foundational</b></p>
<p>Knowing the effect of viral videos is not ground breaking, but being able to apply it properly is. To this note, viral videos canNOT be used as foundational training videos. Think about it, if you made every one of your 20 training videos some slant on cat memes, how long would it take for that to get old to the users? My bet is not long. Your users will quickly become desensitized to that type of humor and your training has suddenly become ignored. Furthermore, you can’t use the viral video for what it’s best at, REMINDING! Viral videos aren’t for presenting large amounts of information; they are for getting a message stuck in the viewer’s head!</p>
<p>-How many of you have Gangnam Style, that Friday song, Bieber, or that dancing baby stuck in your head? I’d guess at least a few.</p>
<p>Viral videos, and concepts, are a powerful tool. Not applying them to your security awareness content plan is just as shortsighted as not using email as a medium to communicate with users.</p>
<p>Also, they are pretty fun to make!</p>
<p style="text-align: center;"> <a href="http://www.madsecurity.com/wp-content/uploads/2013/03/successKid-Viral.jpg"><img class="size-large wp-image-3600 aligncenter" alt="successKid-Viral" src="http://www.madsecurity.com/wp-content/uploads/2013/03/successKid-Viral-338x225.jpg" width="338" height="225" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.madsecurity.com/security-awareness-content-the-viral-video/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Awareness Content: Making Posters</title>
		<link>http://www.madsecurity.com/security-awareness-content-making-posters/</link>
		<comments>http://www.madsecurity.com/security-awareness-content-making-posters/#comments</comments>
		<pubDate>Wed, 20 Mar 2013 15:00:46 +0000</pubDate>
		<dc:creator>Kati</dc:creator>
				<category><![CDATA[Cyber Security]]></category>

		<guid isPermaLink="false">http://www.madsecurity.com/?p=3581</guid>
		<description><![CDATA[Even though many people make posters, this is one of the more challenging materials in a content plan. It essentially is a large piece of paper that needs to (1) grab attention, (2) engage the viewer long enough to relay a message, and (3) be memorable enough that it influences behavior…..all in about 2-5 seconds. Got your work cut out for you right? Lets go over a few things to consider when making a poster &#160; #1: Words are NOT ...<br/><br/><a href="http://www.madsecurity.com/security-awareness-content-making-posters/">Read more &#187;</a>]]></description>
				<content:encoded><![CDATA[<p>Even though many people make posters, this is one of the more challenging materials in a content plan. It essentially is a large piece of paper that needs to (1) grab attention, (2) engage the viewer long enough to relay a message, and (3) be memorable enough that it influences behavior…..all in about 2-5 seconds.</p>
<p>Got your work cut out for you, right?</p>
<p>Let’s go over a few things to consider when making a poster.</p>
<p>&nbsp;</p>
<p>#1: Words are NOT your best friend.</p>
<p>I have seen clients, and friends, walk around with enormous posters COVERED in text- and I mean a lot of text- and this concerns me.</p>
<p>Think about it, if you are driving on the road and pass a billboard with the following poem written on it are you going to stop your car and read it?</p>
<p>&nbsp;</p>
<p>`Twas brillig, and the slithy toves<br />
Did gyre and gimble in the wabe:<br />
All mimsy were the borogoves,<br />
And the mome raths outgrabe.</p>
<p>&#8220;Beware the Jabberwock, my son!<br />
The jaws that bite, the claws that catch!<br />
Beware the Jubjub bird, and shun<br />
The frumious Bandersnatch!&#8221;</p>
<p>He took his vorpal sword in hand:<br />
Long time the manxome foe he sought &#8211;<br />
So rested he by the Tumtum tree,<br />
And stood awhile in thought.</p>
<p>And, as in uffish thought he stood,<br />
The Jabberwock, with eyes of flame,<br />
Came whiffling through the tulgey wood,<br />
And burbled as it came!</p>
<p>One, two! One, two! And through and through<br />
The vorpal blade went snicker-snack!<br />
He left it dead, and with its head<br />
He went galumphing back.</p>
<p>&#8220;And, has thou slain the Jabberwock?<br />
Come to my arms, my beamish boy!<br />
O frabjous day! Callooh! Callay!&#8217;<br />
He chortled in his joy.<br />
`Twas brillig, and the slithy toves<br />
Did gyre and gimble in the wabe;<br />
All mimsy were the borogoves,<br />
And the mome raths outgrabe.</p>
<p>&nbsp;</p>
<p>NO! Absolutely not! I wouldn’t even stop and I adore Lewis Carroll.</p>
<p>-Chances are 90% or more of you scrolled past this one….and this is a BLOG!-</p>
<p>Even though users aren’t driving, posters are the same situation. You have a very limited amount of time to get your message across. The less reading the better.</p>
<p>&nbsp;</p>
<p>#2: Simplicity is your friend</p>
<p>For similar reasons as stated in #1, a complex poster is not a good poster. Even if no words are used, an extremely elaborate collage of pictures will still be lost if it requires the person to stop and look at each detail one by one to get the message. For this reason simple is better.</p>
<p>&nbsp;</p>
<p>#3: Posters are reminders</p>
<p>Posters are most effective at reminding users about messages from training. Did your training set up a unique visual associated with risk management? Bring it up. Is there a slogan attached to being safe when working remotely (e.g., “Be aware or be a target”)? Show it. Since posters have a limited amount of the user’s attention, it’s these quick images and messages that are the most effective at prompting users to remember all that valuable information set up in training.</p>
<p>&nbsp;</p>
<p>#4: Make them stand out</p>
<p>Think about it. Let’s say you have 12 months of posters, for 12 months of security awareness content. Each of these posters has the same look and feel: Black letters, with a blue border, on a cream background. Furthermore, you always place the poster in the same exact spot right next to the IT help desk door. How long do you think it will take before new posters go unnoticed?</p>
<p>Not too long. Humans are hardwired to notice change. Furthermore, we are attracted to novel items. If all of your posters look the same, and are in the same spot, soon they will be as noticed as the paint on the wall.</p>
<p>How do you fix this? Switch it up. Move the location of the poster. Change the size. Even if your company has a color scheme, logos, and font that are required, switch up the artistic style. All of these things together help your content stand out to your users and get noticed.</p>
<p>&nbsp;</p>
<p>#5: Know your audience</p>
<p>Just like everything else in your organization’s security architecture, culture matters! Let’s say you find a buddy the cat poster (Go here for hilarious- not PITA approved- fun) that you and your team find hilarious and decide to use it in your office. Upon putting it up, you realize that 90% of the users you are trying to reach are cat owners and they do NOT find it funny. Culture matters.</p>
<p>&nbsp;</p>
<p>Here is a brief list of things to consider when making posters. As fun and useful as they can be, posters are one of the harder pieces of material that are made.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.madsecurity.com/security-awareness-content-making-posters/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Security Awareness Content: Making Newsletters</title>
		<link>http://www.madsecurity.com/security-awareness-content-making-newsletters/</link>
		<comments>http://www.madsecurity.com/security-awareness-content-making-newsletters/#comments</comments>
		<pubDate>Wed, 13 Mar 2013 15:07:50 +0000</pubDate>
		<dc:creator>Kati</dc:creator>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Security Awareness]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[behavior design]]></category>
		<category><![CDATA[culture]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[embedded training]]></category>
		<category><![CDATA[learning]]></category>
		<category><![CDATA[motivation]]></category>
		<category><![CDATA[psychology]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security awareness]]></category>
		<category><![CDATA[training]]></category>
		<category><![CDATA[triggers]]></category>
		<category><![CDATA[user behavior]]></category>

		<guid isPermaLink="false">http://www.madsecurity.com/?p=3575</guid>
		<description><![CDATA[Many of the products out there would lead you to believe that anyone with Word can write a newsletter but this is not the case. Think about it, you are asking someone to voluntarily take time out of his or her day, or even potential free/personal time, to read a document about security. If done right, you can have a captive audience that happily takes the time to read your content. If done wrong, then all your hard work turns ...<br/><br/><a href="http://www.madsecurity.com/security-awareness-content-making-newsletters/">Read more &#187;</a>]]></description>
				<content:encoded><![CDATA[<p>Many of the products out there would lead you to believe that anyone with Word can write a newsletter but this is not the case. Think about it, you are asking someone to voluntarily take time out of his or her day, or even potential free/personal time, to read a document about security. If done right, you can have a captive audience that happily takes the time to read your content. If done wrong, then all your hard work turns into the padding at the bottom of a bird cage.</p>
<p>So how do you write a good newsletter? I will go over the top five things to consider in order to write an effective newsletter that will reach your users and change behavior.</p>
<p>&nbsp;</p>
<p>#1: Newsletters are not just small posters</p>
<p>Posters are something a user passes in a hall and gleans information from. Newsletters are documents that provide users with supplemental and/or up-to-date information on topics covered in training. Treating a newsletter as another form of reminding people will just cause them to lose interest and not pay attention to any of the newsletters you send.</p>
<p>&nbsp;</p>
<p># 2: When do you use a newsletter?</p>
<p>Newsletters are used to motivate, inform, and decrease difficulty of a task. Want to give users a ‘how to’ on securing their home network? Newsletters are great for that. What about a checklist on how to protect their family by limiting information on social media? Again, newsletters are fantastic. Each of these examples provides information that the reader is MOTIVATED to read.</p>
<p>&nbsp;</p>
<p>#3: When is motivation necessary?</p>
<p>ALWAYS. Whenever you are asking a person to voluntarily read something that may take them more than 3 minutes you need to motivate them. This motivation occurs in the topic, the first paragraphs, and the writing. Even a newsletter on how to save a million dollars in the next year will lose readers if it is not visually appealing or the writing is dull and/or dense.</p>
<p>&nbsp;</p>
<p>#4: Formatting matters</p>
<p>Just like in a magazine, the formatting of a newsletter guides the reader through everything you have to say. You make the BIG messages more visually appealing to ensure users see them. You also have a clear visual flow that leads the reader through all the content rather than letting them skip around. Too much wording is not visually appealing; conversely, too many pictures mean no further information is being provided. Treat your newsletter like a really small magazine spread.</p>
<p>&nbsp;</p>
<p>#5: How much is too much</p>
<p>While you should never make a newsletter that is pages and pages long (no one will read it), the length of it depends on a few things. How often are you distributing it? Monthly newsletters will be shorter than quarterly or yearly because you have fewer topics to cover. What medium are you using? A monthly printed newsletter should be no bigger than one side of one page of printer paper. This does not mean that you just jam pack more in, or make the font smaller, it just means you have to be more selective with what makes the cut. Electronic newsletters are a little different. Those should not go much farther than a 1 page scroll. If users open your letter and realize that it’s 2 or 3 full scrolls down then the chances of them reading it go down significantly.</p>
<p>&nbsp;</p>
<p>Newsletters can be a very valuable tool in your security awareness architecture. They allow you to reach your users with more detailed information, motivate them, and keep them aware of ever changing threats. If done incorrectly, they are about as useful as a floppy disk in my iMac.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.madsecurity.com/security-awareness-content-making-newsletters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Awareness Content: Deciding What is Needed to Change Behavior</title>
		<link>http://www.madsecurity.com/security-awareness-content-deciding-what-is-needed-to-change-behavior/</link>
		<comments>http://www.madsecurity.com/security-awareness-content-deciding-what-is-needed-to-change-behavior/#comments</comments>
		<pubDate>Wed, 06 Mar 2013 20:30:31 +0000</pubDate>
		<dc:creator>Kati</dc:creator>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Security Awareness]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[behavior design]]></category>
		<category><![CDATA[cultural assessment]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[embedded training]]></category>
		<category><![CDATA[learning]]></category>
		<category><![CDATA[motivation]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[phishing awareness]]></category>
		<category><![CDATA[psychology]]></category>
		<category><![CDATA[security awareness]]></category>
		<category><![CDATA[training]]></category>
		<category><![CDATA[triggers]]></category>
		<category><![CDATA[user behavior]]></category>
		<category><![CDATA[video]]></category>

		<guid isPermaLink="false">http://www.madsecurity.com/?p=3559</guid>
		<description><![CDATA[Making good content is hard and easy to mess up. This is evident with the loads of boring training videos, out dated posters, and cheesy slogans slapped on a mouse pad. But don’t fret, just because it’s hard, doesn’t mean it’s impossible. Making good content is all about asking the right questions before hand. What content needs to be made? What are the different options? What should be used in tandem? What can be used in place of other things? ...<br/><br/><a href="http://www.madsecurity.com/security-awareness-content-deciding-what-is-needed-to-change-behavior/">Read more &#187;</a>]]></description>
				<content:encoded><![CDATA[<p>Making good content is hard and easy to mess up. This is evident with the loads of boring training videos, outdated posters, and cheesy slogans slapped on a mouse pad. But don’t fret, just because it’s hard, doesn’t mean it’s impossible. Making good content is all about asking the right questions beforehand.</p>
<p>What content needs to be made? What are the different options? What should be used in tandem? What can be used in place of other things? These are all valuable questions that need to be answered when making content that has a lasting effect on your users. If done correctly, your security content will lay a solid foundation of information that can be quickly and easily called back to, ensuring that your users are able and motivated to change their behavior.</p>
<p>&nbsp;</p>
<p><b>Video v. Posters</b></p>
<p>Videos and posters serve two very different purposes and need to be seen as <i>supplemental</i> to each other NOT synonymous. A video is an effective tool for transmitting larger amounts of information because –if done right- it grabs the viewer’s attention through movement and pictures. A poster is just like a billboard on the highway. You have about 2 seconds in which to catch the viewer’s attention and transmit information. Any poster that takes longer than a few seconds to get the message across will be lost.</p>
<p><img class="alignright size-medium wp-image-3561" alt="passwords-PMD-mad" src="http://www.madsecurity.com/wp-content/uploads/2013/03/passwords-PMD-mad-194x300.jpg" width="194" height="300" /></p>
<p>If used supplementally and correctly, videos and posters represent two very powerful resources. Videos create the foundation of information (e.g., common vocabulary, motivating information, etc.) which the posters pull from. Let’s use an example. Let’s say users are consistently working remotely and being attacked while on an unsecure site at their local coffee shop. Through annual training you (1) tell them that they can be attacked when working remotely, (2) show them how easily a hacker can gain access to their information on an unsecure network, and (3) show them how to properly protect themselves. Also, you tie the slogan “be aware or be a target” to the information with a picture of a public wifi signal.</p>
<p>All in all this will be about a 3-5 minute video.</p>
<p>Keep in mind, giving them all this information in written form will lose more than half the users before they have even read 3-5 minutes of information. The visual aspect is what helps get all that information across before losing their attention.</p>
<p>Now that the base of information has been created, you can make posters that have the Wi-Fi signal and the words “Be aware or be a target!” in bold letters. Suddenly the poster is, in SECONDS, calling back to and reminding users about the 3-5 minutes of information they were taught!</p>
<p>&nbsp;</p>
<p><b>Newsletter v. Poster</b></p>
<p>Newsletters and posters are a common duo that shows up in conjunction with training videos, but again they are NOT synonymous. Newsletters are great for transmitting larger amounts of supplemental training information (e.g., checklists, how-tos, anecdotes) that are just too much for a poster. Because of this, newsletters are great informers and motivators, while posters are much more effective reminders, as mentioned previously. If used synonymously, you end up with a 2’x2’ poster covered in 4 pt font. Not only will it take longer for users to read, but now they also have to stand next to the wall to read it.</p>
<p>&nbsp;</p>
<p><b>Animated v. Live action</b></p>
<p>Recently, more and more videos are being created for security content plans in two different mediums: (1) <a title="Sample Advanced Security Awareness Content" href="http://www.madsecurity.com/security-behavior-design/advanced-awareness-content/hr-lady/">live action</a> and (2) <a title="WISE Security Awareness Video Demo" href="http://www.madsecurity.com/security-behavior-design/wise-security-awareness-training/security-awareness-training-videos/">animated</a>. Live action videos are usually, and more effectively, made as viral videos. These viral videos are funny, inspiring, or catchy, and users share them with each other and their families. They are also watched more than once and not easily forgotten. While live action videos are great at getting a quick reminder, message, or motivator across the company, they are not as effective for training. Training videos are more complex, with denser information, and therefore animation is the better bet. Animation does not limit you to the laws of the world, and you can easily have a server room fly in stage right, behind your IT guy, without it looking cheesy and weird. You also have the ability to show words, and are not limited to one ethnicity, culture, etc. Viral videos can be culturally specific in order to get the funny message across, whereas training videos need to be more general and broadly applicable.</p>
<p>&nbsp;</p>
<p><b>Activities/Events</b></p>
<p>Activities and events are a more recent addition to an organization’s content plan. They create a different, more interactive way of giving users more information on a topic they did not pick up the first time or on behaviors they need more motivation to perform. For example, let’s say your organization is having a hard time with information on social media. Your content plan is informing, motivating, and reminding users that they need to stop putting all their information on Facebook and to enable their privacy settings. Regardless of these efforts, users are still saying things like “I thought I did” or “I don’t know how.” A brown-bag (virtual or in-person) is the perfect place to simply walk them through the process of protecting themselves on social media. In this you can show them (1) how their information is easily seen by everyone, (2) how it can be used against them, and (3) how to enable privacy settings to mitigate this risk. While activities can’t be used for everything, they serve as a valuable tool in informing your users, motivating them, and keeping them up-to-date on constantly evolving threats.</p>
<p>&nbsp;</p>
<p>Now that we know the proper place and use for each type of resource, we need to know the challenges of each to ensure that our content is noticed, digested, and effective at changing behavior. Stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.madsecurity.com/security-awareness-content-deciding-what-is-needed-to-change-behavior/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
