Why isn't my security awareness campaign working?
Despite repeatedly informing users of the dangers of reusing passwords, plugging in unknown USB devices, or blindly clicking links, their behaviour remains at odds with the information you’re giving them. So why are they still making poor security choices? Are they stupid? Is training worthless? There are many factors at play, but it’s easy to boil it down to one simple phrase: “Your users aren’t stupid, they’re human.”
BJ Fogg, founder of the Stanford University Behaviour Design Lab, put it this way when describing how to get humans to perform specific behaviours: “3 truths about human nature: We’re lazy, social, and creatures of habit. Design products for this reality.” What this means is that if you design something that goes against human nature, it will most likely fail.
So, how can we get people to make better security decisions?
The good news is that you can and you should design your information security campaign and related policies around the realities of human nature. For your security awareness campaign to be effective, there are three things your organisation needs to address in how the information is delivered and measured.
- Do you care more about what your users know, or do?
  The first point is one of reflection. Too often we are concerned with the information that a user is provided as opposed to the behaviour we want to change. Think of it like this: driving down the road, I may be aware that the speed limit is 30mph, but if that doesn’t translate into me driving at 30mph, the information is pretty pointless.
- Plan like a marketer, think like an attacker
  Attackers will continually attack your users and try every trick in the book. You need to plan your campaign around this reality and be consistent in testing users and delivering learning across all mediums, whether that be executive messages, learning modules, posters, screensavers, newsletters, etc. Each aspect, like a good marketing campaign, should reinforce the other.
- Changing behaviour takes time
  The final point is that even the best of security awareness campaigns will take some time before results are seen. The key is to be consistent and have patience. A bit like embarking on a fitness regime, it won’t happen overnight, but eventually the results will show.
Request a no-obligation consultation with boxxe and KnowBe4 and discover how you can enable your users to make smarter security decisions.