The goal in building an effective security awareness training campaign is changing behaviors. While there are many factors to consider, how you address “feedback” is crucial to your success. When we learn new concepts and try new ideas, we need constructive feedback to keep motivated and provide guidance. I’ve noticed that many of the security awareness training programs I assess use punitive measures to show users when they do something wrong — things like red tape flags when people violate a clean desk policy.
Not surprisingly, these measures often fail and wind up polarizing our users against our efforts. Nobody likes to be told they are wrong. So we have to find ways to provide constructive and useful feedback that supports the behavior change we seek.
Information to Reinforce Good Behavior
Recently, USA Today ran a story entitled “Pedometers may encourage weight loss” (by Carla K. Johnson, Associated Press writer). The point of the article is that people interested in losing weight have good results when they use a pedometer. If you are not familiar with pedometers, a pedometer is a simple device that can be worn on the belt and, when adjusted to your stride, helps measure the steps you take in a day. It provides a way to measure your effort/output in a given period (normally, over a day).
Five Lessons Pedometers Teach us about Security Awareness Training
1. The pedometer provides an unobtrusive (and generally trusted) measure of the person's actions. Further, the wearer can choose to share the results or keep them private.
2. Most users keep a log of their “steps” per day – helping them build a visible trend. They naturally assess these trends and compare what they see to how they feel.
3. Most of us are motivated by a challenge – using a pedometer encourages the wearer to “take a few more steps.” Users get creative in how they are able to meet the challenge, stimulating a desire for more information that they then share!
4. The challenge can be spread to others. Everyone likes healthy competition.
5. Users are aware: they are consciously engaged in the process. That consciousness opens them to new ideas and stimulates their desire for knowledge.
Once you stimulate the demand for more knowledge, you have to be prepared to present information that is useful, relevant and meets the needs of your users. Building on these lessons will help you build a highly effective security awareness training campaign.