Security Awareness Content: Deciding What is Needed to Change Behavior
Making good content is hard and easy to mess up. This is evident with the loads of boring training videos, out dated posters, and cheesy slogans slapped on a mouse pad. But don’t fret, just because it’s hard, doesn’t mean it’s impossible. Making good content is all about asking the right questions before hand.
What content needs to be made? What are the different options? What should be used in tandem? What can be used in place of other things? These are all valuable questions that need to be answered when making content that has a lasting effect on your users. If done correctly, your security content will lay a solid foundation of information that is quickly/easily called back to to ensure that your users are able and motivated to change their behavior.
Video v. Posters
Videos and posters serve two very different purposes and need to be seen as supplemental to each other NOT synonymous. A video is an effective tool for transmitting larger amounts of information because –if done right- it grabs the viewers attention through movement and pictures. A poster is just like a billboard on the highway. You have about 2 seconds in which to catch the viewers attention and transmit information. Any poster that takes longer than a few seconds to get the message will be lost.
If used supplementally and correctly videos and posters represent two very powerful resources. Videos create the foundation of information (e.g., common vocabulary, motivating information, etc) on which the posters pull from. Lets use an example. Lets say users are consistently working remotely and being attacked while on an unsecure site at their local coffee shop. Through annual training you provide them with the information that (1) they can be attacked when working remotely, (2) show them how easily a hacker can gain access to their information on an unsecure network, and (3) how to properly protect themselves. Also, you tie the slogan “be aware or be a target” to the information with a picture of a public wifi signal.
All in all this will be about a 3-5 minute video.
Keep in mind, giving them all this information in written form will loose more than half the users before they have even read 3-5 minutes of information. The visual aspect is what helps get all that information across before loosing their attention.
Now that the base of information has been created, you can make posters that have the Wi-Fi signal and words “Be aware or be a target!” in bold letters. Suddenly the poster is calling back to/reminding users about 3-5 minutes of information they were taught in SECONDS!
Newsletter v. Poster
Newsletters and posters are a common duo that shows up in conjunction with training videos but again they are NOT synonymous. Newsletters are great for transmitting larger amounts of supplemental training information (e.g., check lists, how to’s, anecdotes) that are just too much for a poster. Because of this, newsletters are great informers and motivators while posters are much more effective reminders- as mentioned previous. If used synonymously you end up with a 2’x2’ poster covered in 4 pt font. Not only will it take longer for them to read, but now they also have to stand next to the wall to read it.
Animated v. Live action
Recently, more and more videos are being created for security content plans in two different mediums (1) live action and (2) animated. Live action videos are usually, and more effectively, made as a viral video. These viral videos are funny/inspiring/catchy and users share them with each other and their family. They also are watched more than once and not easily forgotten. While live action videos are great at getting a quick
reminder/message/motivator across the company, they are not as effective for training. Training videos are more complex, with denser information, and therefore animation is the better bet. Animation does not limit you to the law of the world and you can easily have a server room fly in stage right- behind your IT guy- without it looking cheesy and weird. You also have the ability to show words, and are not limited to one ethnicity, culture, etc. Viral videos can be culturally specific in order to get the funny message across whereas training videos need to be more general and broadly applicable.
Activities and events are a more recent addition to an organizations content plan. They create a different, more interactive way of giving users more information on a topic they did not pick up the first time or behaviors they need more motivation to perform. For example, lets say your organization is having a hard time with information on social media. Your content plan is informing, motivating and reminding users that they need to stop putting all their information on Facebook, and to enable their privacy settings. Regardless of these efforts users are still saying things like “I thought I did” or “I don’t know how.” A brown-bag (virtual or in-person) is the perfect place to simply walk them through the process of protecting themselves on social media. In this you can show them (1) how their information is easily seen by everyone, (2) how it can be used against them and (3) how to enable privacy settings to mitigate this risk. While activities can’t be used for everything, they serve as a valuable tool in informing your users, motivating them, and keeping them up-to-date on constantly evolving threats.
Now that we know the proper place and use for each type of resource, now we need to know the challenge of each to ensure that our content is noticed, digested, and effective at changing behavior. Stay tuned.