The real reason people ignore security awareness training

And how to get them to do what you need them to do

Joe Giddens
People. Security.
8 min read · Feb 15, 2022


Learning should have purpose, a human side. It should inspire.

Tidy your room! Wear a mask! Use a strong password!

What do you feel when you hear those words?

Frustration? Anxiety? Anger?

It’s normal. The feeling is called “psychological reactance”. It’s your brain’s reaction to a potential threat to your freedom, or limitation of choice.

Let me say that again, so it sticks. The feeling is totally fucking normal.

The response can lead people to do the exact opposite of what they’re being asked, even when safety is involved. This is a common problem when it comes to security awareness.

I’ve written previously about how security training can generate a false sense of security. The thing is, “training” is here to stay. At least until our regulators stop smoking crack and realise there are better ways to reduce risk.

So we’re stuck with it. And, whilst we are, we should make it as effective as it can be.

Finger wagging vs inspiration

For me, communication falls into one of two categories:

  • Ineffective communication, or “finger wagging”
  • Effective communication, or “inspiration”

Understanding the characteristics of effective and ineffective communication allows us to craft advice people want to follow. Let’s take a look at each.

Finger wagging

Finger wagging is better described as “telling someone what to do”.

For the most part, finger wagging isn’t aggressive, and it often comes from a good place.

But, finger wagging is based on some dangerous assumptions:

  • It assumes people have the same motivations and incentives as you (i.e., keeping the workplace safe)
  • It assumes they have the same situational awareness as you (there is a threat, and it is real)
  • It assumes they care enough to do something about it

Most security awareness messaging is grounded in finger wagging. As a result, most security awareness advice is ignored by its audience.

For the avoidance of doubt, here are some ways you can wag your finger:

  • You should…
  • You shouldn’t…
  • If you don’t do this, then this will happen…
  • Never do this…
  • Always do this…
  • It’s critical / essential / vital / crucial / important that you…

Boring. Isn’t it.

Inspiration

The language of inspiration is different.

The language of inspiration acknowledges our colleagues aren’t children, and they are capable of making their own decisions.

The language of inspiration recognises (most) people want to do the right thing and, if they have the right tools, they’ll make the right choices.

The language of inspiration is powerful.

How to inspire

People believe nothing you tell them, some of what you show them, and everything they tell themselves.

Inspiration is the process of opening people’s minds to new ideas, so they can decide to take action themselves.

When we communicate, it’s critical that we…joking! Understanding this concept allows us to communicate effectively.

It’s not easy.

You need to show people you understand what keeps them awake at night. You need to argue from their point of view. And you need to show genuine empathy.

It’s not easy. But it works.

1. Lose the ego

People have problems. Their problems are not the same as your problems.

Security messaging is so often “ego-centric”, i.e., it speaks to people from our point of view.

The most common manifestation of this egocentrism is the phrase, “To keep our organisation secure…”

“To keep our organisation secure you must…”

“…is crucial in keeping our organisation secure.”

“Together, we can all help keep our organisation secure.”

No one.

Fucking.

Cares.

“Organisational security” is only a problem for the security team. For everyone else, it’s additional friction that slows and frustrates.

Go and wipe this awful phrase from your training materials. Immediately.

Droppin’ truth

2. Understand what keeps people awake at night

The biggest mistake in security awareness is encouraging people to behave safely, before understanding why they don’t already behave safely.

It’s tempting to assume. Don’t.

Knowing what keeps people awake at night means you’ll be better able to hold their attention. The best way to understand what keeps them awake is to ask them. Radical, I know.

Surveys and interviews are a great starting point. So too is understanding the bonus and incentive structures in your organisation.

Specifically, you want to know three things: what motivates people to do a good job, how security prevents them from doing a good job, and what stops them from already acting safely.

Here’s an example:

“The reason I don’t use a complex password is not because I’m worried my account will be hacked. I’m worried about not being able to remember it, and locking myself out. I can’t risk this happening because I rely on the system when I meet with clients.”

Insightful.

Armed with information like this, we can begin to craft a message that connects emotionally, pulling the reader in. We can start with “why”.

3. Lead with value by “starting with why”

Knowing what keeps people awake at night allows messages to be positioned from their point of view.

The technique is called “starting with why”. The phrase was coined by Simon Sinek in 2009. His TEDx talk has been viewed over 57 million times!

Seriously, watch this

His message is simple:

“People don’t care what you do, they care why you do it.”

Whether you’re selling products, or advice, the same principle applies.

Think of it another way, “people don’t care what they do, they care why they do it.” If you can talk their language, you can resonate with them on their frequency.

Let’s apply this to our example and craft a “why” statement:

Forgetting a password can cost you commission.

Now we’re talking.

4. Inspire

So, you know what keeps people awake at night. And you’ve used this information to craft your value statements. You can now construct the remainder of your message — the “what”.

The “what” is what you need people to do. It’s the information part of your message.

It’s tempting to just spell the “what” out. This is not the most effective way to do it.

Remember, people only believe what they tell themselves. Inspiration is about helping people realise the “what” for themselves:

  • Point out possibilities: People are the heroes of their own stories. People aren’t receptive to behaviour change messaging if they can’t see themselves in the content. Help them visualise what it looks like to win. Help them reach their potential.
  • Scare less: Security is full of angst-inducing images like locks, server rooms, and men in hoodies. It often ignores the fact audiences may not connect with content that lacks diversity, or is based too much in fear. Most people have become desensitised to fear-based messaging. Create positive content with inclusive, clear, and compelling images.
  • Explain the benefits: “To keep our organisation secure” is not a benefit. Looking after friends and family is. So is being successful. And so is learning new skills that may help secure future roles, or promotions. Work out what makes people tick, and connect your message to it.
  • Acknowledge contribution: Most people are already doing a great job. Their actions already contribute to success. Acknowledge their efforts and show them the next steps. They’ll know what to do.
  • Curb the enthusiasm: Don’t be overly positive! Or overly negative!! An exclamation mark after every sentence loses the effect!!! OMG! See!!
  • Empathise: Cyber security does not come naturally to everyone. Never suggest something is “easy” or “simple”. This can lead people to think acting safely is beyond their ability, and they’ll just not bother.
  • Challenge: People like challenges. They like to challenge others. They like to challenge themselves. They like to challenge the norm. Used appropriately, challenges (individual, or group) can be powerful incentives.
  • Show vulnerability: People look to security as an authority. If they see we are like them, that we are vulnerable, then we become more relatable. Try saying these things, “We don’t always get it right”, “We know this isn’t easy”.
  • Resonate using your audience’s frequency: How you say what you say matters. Talk like your audience talks. Pay attention to the words you use, and how you use them. Check out CybSafe’s tone-of-voice guide for more.
  • Tackle implementation: Show people how to do things. Don’t just tell them. Provide actionable advice with clear outcomes. Simulations, walk-through guides, and real-life examples are all great tools.

Time to wrap up our example:

[Why] Forgetting a password can cost you commission.

[What: Benefits] Why risk it? A password manager remembers passwords so you don’t have to. It’ll also type them in for you.

[What: Possibility] Less stress. More productivity. More closed deals.

[What: Challenge] What are you waiting for, champ?

I’d steer clear of the word “champ”, unless you’re communicating with sales people…

A real-life example

I went to IKEA at the weekend. I saw this in the car park.

Rockstar life

It’s an outstanding example of value-based messaging.

The “why” identifies a problem lots of people have when buying gifts — they don’t know what to buy.

The “what” points out a possibility (put a smile on their face), explains a benefit (they never expire), and curbs the enthusiasm (not an exclamation mark in sight).

Simple. Powerful.

Security is a by-product of empathy

When done right, security should be a by-product of our ability to understand and help people with their problems.

To recap:

  • Lose the ego. The reason you want people to act safely is not the same reason they want to act safely.
  • Find out what keeps people awake at night. Talk to them. Run surveys.
  • Start your messaging with “why” statements. Show them you understand their problems.
  • Help people see “what” they can do to solve their problems. Inspire.

Final words

This piece is about messaging. But, modern security awareness responsibilities are a lot wider.

By understanding people’s problems we can better work with other departments to shape environments and systems, and craft policies that are truly people-centric. A topic for another day.

I hope this has been useful.

At CybSafe, we obsess about this stuff. We are determined to make a difference. You can read more about our work here.

If you would like to submit an article for publication, please get in touch. The best way to reach me is LinkedIn.
