
Transcript

  • 1. Information Security “Only as Strong as the Weakest Link” Promoting a low-risk environment through sustainable end-user behavior change
  • 2. Is There a Weak Link in Your Organization?
  • 3. End-user Awareness Can “Sustain the Chain”
  • 4. Designing Effective Awareness Campaigns
    • 1. Follow The 80/20 Rule to Focus Awareness Campaign Resources
    • Invest disproportionately in addressing the small number of behaviors that cause disproportionate harm to the enterprise. Triage based on the sensitivity of information risks to end-user behaviors, the prevalence of these behaviors among end users, and the relative attractiveness of technology alternatives.
    • 2. Customize Tactics to Audience for Effective Behavior Change
    • Segment target audiences by psychographic profile and organizational position and develop customized tactics for each segment.
    • 3. Tap Peer Experience and Existing Resources Outside of Information Security
    • Identify relevant expertise in peer functions such as Marketing, Communications, HR, and Compliance and Ethics and actively solicit their help to avoid reinventing the wheel.
  • 5. Designing Effective Awareness Campaigns (Continued)
    • 4. Integrate Awareness into Risk Mitigation Planning to Allow for Scaled Response
    • Determine the need for awareness measures as a part of due diligence for mitigation initiatives and develop suitable campaigns early in the project lifecycle.
    • 5. Monitor Compliance to Ensure Continuing Relevance of Campaigns
    • Realign the themes and emphases of awareness campaigns to your company’s evolving risk profile and changing patterns in user behavior using a combination of automated monitoring and regular audits.
    • 6. Communicate Results Broadly to Sustain Momentum
    • Report simple before-and-after measures of target behaviors to the end-user population at large to create positive momentum and build support for ongoing awareness efforts.
  • 6. Ten Tips for Creating Engaging Content
    • 1. Keep Messages Simple and Actionable
    • Posters and other communications materials should involve only one concept at a time and explicitly mention the desired behavior (e.g., “Don’t disable antivirus updates”).
    • 2. Use Examples That Resonate Personally with Employees
    • To strike a chord with the audience, frame points about enterprise information security in terms that resonate with employees’ personal experience (e.g., analogies with personal or home security).
    • 3. Describe Stakes for the Company
    • Users are more likely to remember and comply with awareness messages if they have an appreciation for the potential consequences of noncompliance. Awareness messaging should include a crisp formulation of the connection between specific user actions and the company’s mission or bottom line.
  • 7. Ten Tips for Creating Engaging Content (Continued)
    • 4. Deliver Content Through a Variety of Channels
    • Delivering the same message through a variety of channels increases the probability of its being remembered and acted upon. As a rule of thumb, each message should be delivered in at least three different ways to the same audience.
    • 5. Refresh Content Regularly
    • While the underlying goals of awareness campaigns should be revisited at the same frequency as risk assessments and compliance audits, campaign materials should be refreshed more frequently in order to maintain employee interest.
  • 8. Ten Tips for Creating Engaging Content (Continued)
    • 6. Be Sensitive to Cultural Context
    • CISOs of global organizations should adapt the language and tone of awareness materials to local contexts. Local groups should not only translate text but also ensure that the tone is appropriate, that the examples are likely to resonate with the local audience, and that the formats are consistent with local preferences (e.g., references to “Dialing 911” or to American sports will not make much sense to line employees in Vietnam).
    • 7. Give Awareness Campaigns a Brand Identity
    • For long-term behavioral change, it is essential that users view specific awareness messages as part of a larger effort to manage information risk through behavior. A recognizable brand used in all security-related communication is of great value to this end.
  • 9. Ten Tips for Creating Engaging Content (Continued)
    • 8. Present Information in Innovative Formats
    • Learners retain information best when they absorb it in an entertaining, interactive setting. As far as possible CISOs should present security policy information in quizzes, board games, role-playing, and the like rather than in traditional formats.
    • 9. Stress Experiential Learning
    • Knowledge of security policies is of little avail if users are unable to apply it to real situations. CISOs interested in changing behavior rather than merely imparting knowledge should invest in training materials that stress learning by doing.
    • 10. Refer to External Data
    • While adverse experiences involving one’s own company are especially compelling, CISOs can paint a vivid picture of the security landscape by citing publicly available data about the misfortunes of other companies. End users often find such external data more convincing than hypothetical loss scenarios.
  • 10. Five Levers for Changing Behavior
    • 1. Incentives
    • Financial incentives in the form of variable compensation are best suited to specific high-risk constituencies who are required to perform new tasks as part of their workflow and to perform old tasks differently, e.g., applications developers. Nonfinancial incentives, such as occasional raffle drawings, are a useful complement to standard internal marketing tactics to motivate generic end-user compliance.
    • 2. Ease of Use
    • All else being equal, users are more likely to adopt secure behavior the less difficulty it causes them. Wherever possible, CISOs should use technology and forethought to embed security into the workflow and reduce the effort demanded of users to the minimum.
  • 11. Five Levers for Changing Behavior (Continued)
    • 3. Engagement
    • Secure behavior involves extra effort, and an engaged workforce is more likely to put in that effort than an unengaged one. While CISOs cannot on their own create an engaged workforce, they can work with peers in Human Resources and Compliance & Ethics to understand current engagement levels and learn how to reinforce these in awareness campaigns.
    • 4. Example
    • If secure behavior is presented as an extension of corporate values, it is important for senior executives to be seen to embody those values. Furthermore, the deterrent effect of sanctions for noncompliance will be greatly enhanced if they are applied publicly (even if anonymously) to errant executives.
    • 5. Competition
    • CISOs should take advantage of natural “competition” among senior executives by providing BU heads with visibility into user awareness and compliance levels at other BUs.
  • 12. Share Real Examples
    • From: Rod Sanders [mailto:rod.sanders@greatwd.com] Sent: Wednesday, October 07, 2009 1:03 PM To: anyone@anywhere.com
    • Subject: Re: Message from eBay Member Regarding Item #200312895067
    • Dear , Your package is ready to be delivered, but I am still waiting for the payment confirmation. Please let me know when its done. Confirm that it is the same auction with the one posted on http://189.73.168.197/Baydll/Secure/#ws/eBayISAPI.dll?SignIn&ru=http://www.ebay.com/ I am very interested in this auction and ready to complete the deal as soon as possible. Thanks, Rod Sanders --- On Sun, 20/03/09, <anyone@anywhere.com> wrote:
    • From: <anyone@anywhere.com> Subject: Message from eBay Member Regarding Item #200312895067 To: [email_address] Date: Mon, 23 Mon 2009, 11:23 AM
    • I am waiting for payment confirmation. Thank you
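The lure quoted on this slide can itself become teaching material: the link's three tell-tale traits (a raw IP host, the brand name in the path rather than the domain, and a decoy return URL pointing at the genuine site) are exactly what an awareness poster or a mail-filter rule would call out. The following Python is an added example, not part of the deck; the `BRANDS` list is a constructed placeholder and the heuristics are illustrative, not a complete phishing classifier.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Lure URL quoted on the "Share Real Examples" slide.
LURE_URL = "http://189.73.168.197/Baydll/Secure/#ws/eBayISAPI.dll?SignIn&ru=http://www.ebay.com/"

# Brand names whose presence outside the host is suspicious (constructed list).
BRANDS = ("ebay", "paypal")


def analyze_url(url):
    """Return a list of findings for a link; an empty list means no heuristic fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    # 1. Legitimate brand sign-in pages are served from a domain name, not a bare IP.
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address rather than a domain name")
    except ValueError:
        pass

    # 2. The brand name is placed in the path to look authentic while the host is not
    #    the brand's domain. The lure hides its fake sign-in page behind '#', so the
    #    fragment is inspected together with the path and query.
    tail = "{}?{}#{}".format(parts.path, parts.query, parts.fragment).lower()
    for brand in BRANDS:
        if brand in tail and brand not in host:
            findings.append("brand keyword '%s' appears after the host but not in it" % brand)

    # 3. An embedded return URL ('ru=') pointing at the real brand is a decoy that
    #    makes the link look like a redirect coming from the genuine site.
    for embedded in re.findall(r"https?://[^\s&\"'<>]+", parts.query + "#" + parts.fragment):
        embedded_host = (urlsplit(embedded).hostname or "").lower()
        if embedded_host and embedded_host != host:
            findings.append("embedded redirect to a different host: " + embedded_host)
    return findings


def verdict(url):
    """Collapse the findings into a one-word label for a report or a filter rule."""
    return "suspicious" if analyze_url(url) else "clean"


if __name__ == "__main__":
    for finding in analyze_url(LURE_URL):
        print("-", finding)
    print(verdict(LURE_URL))
```

Running it on the slide's link reports all three findings and labels it suspicious, while a sign-in URL served from the brand's own domain yields no findings.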