Date post: 16-Sep-2014
Transcript
Page 1: PPT

Information Security: “Only as Strong as the Weakest Link”

Promoting a low-risk environment through sustainable end-user behavior change

Page 2: PPT

Is There a Weak Link in Your Organization?

Page 3: PPT

End-user Awareness Can “Sustain the Chain”

Page 4: PPT

Designing Effective Awareness Campaigns

1. Follow The 80/20 Rule to Focus Awareness Campaign Resources
Invest disproportionately in addressing the small number of behaviors that cause disproportionate harm to the enterprise. Triage based on the sensitivity of information risks to end-user behaviors, the prevalence of these behaviors among end users, and the relative attractiveness of technology alternatives.

2. Customize Tactics to Audience for Effective Behavior Change
Segment target audiences by psychographic profile and organizational position and develop customized tactics for each segment.

3. Tap Peer Experience and Existing Resources Outside of Information Security
Identify relevant expertise in peer functions such as Marketing, Communications, HR, and Compliance and Ethics and actively solicit their help to avoid reinventing the wheel.

Page 5: PPT

Designing Effective Awareness Campaigns (Continued)

4. Integrate Awareness into Risk Mitigation Planning to Allow for Scaled Response
Determine the need for awareness measures as a part of due diligence for mitigation initiatives and develop suitable campaigns early in the project lifecycle.

5. Monitor Compliance to Ensure Continuing Relevance of Campaigns
Realign the themes and emphases of awareness campaigns to your company’s evolving risk profile and changing patterns in user behavior using a combination of automated monitoring and regular audits.

6. Communicate Results Broadly to Sustain Momentum
Report simple before-and-after measures of target behaviors to the end-user population at large to create positive momentum and build support for ongoing awareness efforts.

Page 6: PPT

Ten Tips for Creating Engaging Content

1. Keep Messages Simple and Actionable
Posters and other communications materials should involve only one concept at a time and explicitly mention the desired behavior (e.g., “Don’t disable antivirus updates”).

2. Use Examples That Resonate Personally with Employees
To strike a chord with the audience, frame points about enterprise information security in terms that resonate with employees’ personal experience (e.g., analogies with personal or home security).

3. Describe Stakes for the Company
Users are more likely to remember and comply with awareness messages if they have an appreciation for the potential consequences of noncompliance. Awareness messaging should include a crisp formulation of the connection between specific user actions and the company’s mission or bottom line.

Page 7: PPT

Ten Tips for Creating Engaging Content (Continued)

4. Deliver Content Through a Variety of Channels
Delivering the same message through a variety of channels increases the probability of its being remembered and acted upon. As a rule of thumb, each message should be delivered in at least three different ways to the same audience.

5. Refresh Content Regularly
While the underlying goals of awareness campaigns should be revisited at the same frequency as risk assessments and compliance audits, campaign materials should be refreshed more frequently in order to maintain employee interest.

Page 8: PPT

Ten Tips for Creating Engaging Content (Continued)

6. Be Sensitive to Cultural Context
CISOs of global organizations should adapt the language and tone of awareness materials to local contexts. Local groups should not only translate text but also ensure that the tone is appropriate, that the examples are likely to resonate with the local audience, and that the formats are consistent with local preferences (e.g., references to “Dialing 911” or to American sports will not make much sense to line employees in Vietnam).

7. Give Awareness Campaigns a Brand Identity
For long-term behavioral change, it is essential that users view specific awareness messages as part of a larger effort to manage information risk through behavior. A recognizable brand used in all security-related communication is of great value to this end.

Page 9: PPT

Ten Tips for Creating Engaging Content (Continued)

8. Present Information in Innovative Formats
Learners retain information best when they absorb it in an entertaining, interactive setting. As far as possible CISOs should present security policy information in quizzes, board games, role-playing, and the like rather than in traditional formats.

9. Stress Experiential Learning
Knowledge of security policies is of little avail if users are unable to apply it to real situations. CISOs interested in changing behavior rather than merely imparting knowledge should invest in training materials that stress learning by doing.

10. Refer to External Data
While adverse experiences involving one’s own company are especially compelling, CISOs can paint a vivid picture of the security landscape by citing publicly available data about the misfortunes of other companies. End users often find such external data more convincing than hypothetical loss scenarios.

Page 10: PPT

Five Levers for Changing Behavior

1. Incentives
Financial incentives in the form of variable compensation are best suited to specific high-risk constituencies who are required to perform new tasks as part of their workflow and to perform old tasks differently, e.g., applications developers. Nonfinancial incentives, such as occasional raffle drawings, are a useful complement to standard internal marketing tactics to motivate generic end-user compliance.

2. Ease of Use
All else being equal, users are more likely to adopt secure behavior the less difficulty it causes them. Wherever possible, CISOs should use technology and forethought to embed security into the workflow and reduce the effort demanded of users to the minimum.

Page 11: PPT

Five Levers for Changing Behavior (Continued)

3. Engagement
Secure behavior involves extra effort, and an engaged workforce is more likely to put in that effort than an unengaged one. While CISOs cannot on their own create an engaged workforce, they can work with peers in Human Resources and Compliance & Ethics to understand current engagement levels and learn how to reinforce these in awareness campaigns.

4. Example
If secure behavior is presented as an extension of corporate values, it is important for senior executives to be seen to embody those values. Furthermore, the deterrent effect of sanctions for noncompliance will be greatly enhanced if they are applied publicly (even if anonymously) to errant executives.

5. Competition
CISOs should take advantage of natural “competition” among senior executives by providing BU heads with visibility into user awareness and compliance levels at other BUs.

Page 12: PPT

Share Real Examples

From: Rod Sanders [mailto:[email protected]]
Sent: Wednesday, October 07, 2009 1:03 PM
To: [email protected]
Subject: Re: Message from eBay Member Regarding Item #200312895067

Dear ,

Your package is ready to be delivered, but I am still waiting for the payment confirmation. Please let me know when its done. Confirm that it is the same auction with the one posted on

http://189.73.168.197/Baydll/Secure/#ws/eBayISAPI.dll?SignIn&ru=http://www.ebay.com/

I am very interested in this auction and ready to complete the deal as soon as possible. Thanks,

Rod Sanders

--- On Sun, 20/03/09, <[email protected]> wrote:
From: <[email protected]>
Subject: Message from eBay Member Regarding Item #200312895067
To: [email protected]
Date: Mon, 23 Mon 2009, 11:23 AM

I am waiting for payment confirmation.
Thank you
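As an added example that is not part of the original deck, the following Python script parses the sign-in link from the sample phishing e-mail on this slide and lists the structural red flags a user or analyst can point out in training without ever visiting the page; the watched brand list is an assumption made for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Brand names this organization wants to watch for; constructed for the example.
WATCHED_BRANDS = ("ebay", "paypal")
# The sign-in link from the sample phishing e-mail on the slide.
SAMPLE_URL = ("http://189.73.168.197/Baydll/Secure/"
              "#ws/eBayISAPI.dll?SignIn&ru=http://www.ebay.com/")

def phishing_indicators(url: str) -> list:
    """Return human-readable red flags found in url (empty list means none)."""
    flags = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    # 1. A raw IP address instead of a domain: brand sites do not sign users
    #    in at a bare IP, and there is no domain name to check against.
    try:
        ipaddress.ip_address(host)
        flags.append(f"host is an IP literal ({host}), not a brand domain")
    except ValueError:
        pass

    # 2. A sign-in page served over plain http cannot be authenticated by TLS.
    if parts.scheme == "http":
        flags.append("sign-in link uses plain http, not https")

    # 3. The brand name appears after the host but not in it: the visible
    #    text looks like the brand while the request goes to someone else.
    tail = f"{parts.path}?{parts.query}#{parts.fragment}".lower()
    for brand in WATCHED_BRANDS:
        if brand in tail and brand not in host:
            flags.append(f"'{brand}' appears after the host, not in it")

    # 4. A redirect-style parameter naming the genuine site lets the page
    #    bounce the victim to the real brand after credentials are entered.
    m = re.search(r"\b(?:ru|redirect|url|next)=(https?://[^&\s]+)", url, re.I)
    if m:
        flags.append(f"embedded redirect target {m.group(1)}")

    # 5. Browsers never send the part after '#', so 'eBayISAPI.dll?SignIn'
    #    is cosmetic; the server only ever receives parts.path.
    if parts.fragment:
        flags.append(f"server only sees '{parts.path}'; the rest is a fragment")
    return flags

if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_URL):
        print("-", flag)
```

Run against the slide's link it reports all five indicators; a genuine https://www.ebay.com/ sign-in URL yields none, which makes the two a useful side-by-side for an awareness session.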

