The importance of effective security awareness training for our employees is now widely recognised, and I’ve been lucky enough to deliver security awareness training sessions to thousands of people.
I’m continually looking for new ways to keep the content fresh and engaging, and recently I spent some time considering how infosec awareness training might learn from other established and successful awareness campaigns.
Having investigated many different types of awareness programmes, ranging from infection control in healthcare to anti-smoking campaigns, the success of one particular strategy stood out – drink driving prevention.
Drink drive limits were first introduced in the UK in 1967. The first breathalyser was introduced in the same year, allowing testing of suspected offenders. The UK Government quickly followed up the introduction of this new limit with advertising campaigns designed to educate the public about the risks and consequences of drink driving.
It was three years previously though, in 1964, when the first drink driving awareness information film was broadcast. A surprisingly jolly narrator informed viewers that ‘drinking and driving are dangerous’, explained how four single whiskies can double the risk of an accident, and concluded with the message ‘Don’t ask a man to drink and drive’. But did it help?
The UK Government first started officially recording statistics relating to drink drive related accidents and casualties in 1979. Numbers from the first year show that 1,640 people were killed whilst a further 8,300 suffered serious injuries. The numbers of fatalities and serious injuries in each subsequent year, through to 2013, show an almost constant and steady decline (to 240 deaths and 1,100 serious injuries). The number of deaths and injuries remains unquestionably too high; however, the continual reduction is impressive, and I was interested in how we can learn from this and apply that knowledge to infosec awareness.
The ‘THINK!’ slogan and campaign adopted in the UK to promote drink drive awareness states that its strategy is ‘to remind all drivers of the personal consequences of drink driving and that a drink driving conviction can ruin your life’. So, what lessons can the infosec world learn from this long running campaign?
- Consequences – It’s important to show people the consequences of their actions. Whilst it’s easy to claim that password re-use is bad, or that links in phishing emails really might give criminals control of your digital world – it’s difficult for our regular users to truly imagine this. Drink drive advertisements not only tell us not to drink and drive – they show us the impact this can have, sometimes in very shocking ways (check out the #PubLooShocker video if you have a minute to spare).
- Run a big campaign annually – with drink drive awareness, this is usually in the run up to the festive period. For infosec awareness the timing might not be so important, but a yearly high profile campaign is a must.
- Reinforce, then reinforce some more – Don’t treat security awareness as a point-in-time exercise. Supplement your yearly campaign’s messages with continual reinforcement. This doesn’t have to be difficult, expensive or time consuming. Posters in communal areas – email footers – intranet – be as creative as you want, but keep it simple.
- Reinvent, and stay relevant – don’t roll out the same campaign and training every year, and wonder why your staff aren’t engaged. Keep it fresh, include relevant references, and remember this is security awareness training, not policy training.
- Report – encourage your staff to report suspected problems. In 2014 Crimestoppers UK, supported by THINK!, launched a campaign encouraging members of the public to report drink drivers. We should encourage our staff to report anything suspicious to us immediately, without fear of incrimination (a name-and-shame approach most definitely won’t help).
There’s no doubting that these simple lessons can be applied to infosec training, and if they’re as successful at raising user awareness as the THINK! campaigns have been at reducing drink driving, we’ll be on the right road to creating a more security aware workforce.