Finding The Hidden InfoSec Story

Learning from the Advertising Industry

Photo Credit: Stuck in Customs via Compfight cc

We all get advertising messages wherever we are and whatever we do, and they range from the very persuasive to simply junk.

Those created by the best advertising agencies use behavioural science and psychology to make us want whatever it is they are being paid to promote. The most successful campaigns are so smart that we don’t need to engage our attention to get the message.

One example led people to queue overnight outside the shops of a fruit-named company hoping to be amongst the first to have their first ever tablet. The success of smartphones is no different: they are perceived to be useful, and the latest models become objects of desire whose buyers are therefore insensitive to price and monthly cost.

Another example is the UK National Lottery, on which the average player spends around £150 a year, ignoring the fact that the odds of winning any prize at all are 54 to 1 and those of getting six numbers right are 14 million to 1 – a wit once said that your chances of winning this were the same whether you had a ticket or not. There are many more examples of successful campaigns in fashion, travel, etc.

Many advertising messages, such as telemarketing and assorted spam, are easily ignored (at least by sensible people) because they are seen as irrelevant and therefore unwanted.

Other messages doomed to failure reflect the biblical commandments beginning with “thou shalt not…” Few people, if any, are willing to accept unsolicited advice such as “smoking kills” or “limit your drinking to 21 units a week”. Unfortunately, “have a complex password for each website you log in to” falls in the same category, as do other guidelines information security professionals know would strengthen security.

In the corporate world we need to learn how to influence the behaviour of a workforce comprising

  • The engaged, knowledgeable and smart
  • The demotivated, “not in my job description” individuals
  • The uninformed “policy, what policy – nobody said anything about this”
  • The disengaged “I do not want to and you cannot make me” (genuine statement!)
  • The malicious or toxic “I’ll show you”.

in such a way that they are converted to the “I want to do this” group. You may wish to look at the analogy “Treat your staff like dogs” posted by David Rimmer on 31 March. It is a fact that recognition of good performance works better than punishment for mistakes.

I believe we all have much to learn from successful advertising campaigns and can use this to tailor our messages and security awareness initiatives and to identify appropriate recognition measures – these cost nothing – and, whenever possible, some kind of reward.

Author: Ed Gelbstein
