Ways to make security awareness campaigns more engaging…
In our previous post we shared our thoughts on how employee learning is changing in the digital workplace – if you haven’t already done so, you can read it here.
Within the post we identified how traditional ways of learning are largely ineffective, for a number of reasons. Notably, they don’t allow employees to immediately apply the new learning in their role, and so employees are not engaged in the learning process.
The simple truth is that employees want to learn things that they deem are going to help them in their role. If they regard the learning to be irrelevant, they will inevitably switch off. Unfortunately this seems to be the case when it comes to engaging employees on security awareness. Employees, in the main, do not see security awareness training as something that will help them in their role.
With the above in mind, and through experience, here are some recommended approaches to follow in order to help make your security awareness campaigns more engaging.
Employees may have an understanding of how the risks of poor security behaviour could impact them in their day job, but they are much more likely to become more proactive and actively engaged with information security when they understand how poor security practice could impact them personally.
The great security awareness campaigns will be those that employees find personally relevant. You can’t achieve this by just stating the behaviours that put information at risk, nor will throwing stats and figures at employees help. That is not how you paint a personal picture of poor information security. Instead, you need to continually find and tell stories that individuals can relate to on a personal level.
Personal storytelling is key.
Be relevant to employees’ work
As we mentioned at the beginning of this post, if employees can’t see how the new learning will bring value to their day job, then they will not engage with it. Aim to make elements of the campaign relevant to specific work, showing how the new learning will help both them as an individual, and the organisation in general, to achieve goals.
Information security awareness should not be seen as a one-time training program, or even a campaign. As we all know, security threats are constant and ever changing due to new developments in technology. Therefore engaging employees on information risk management (IRM) should be forever ongoing.
The best behaviour change programs are realised due to a change in company culture. And a culture change is only achieved through long-term support and investment.
Furthermore, given that IRM is something that will be continually communicated over a long period of time, it is key that employees are able to identify all of the many – and changing – IRM communications. Given this, an IRM brand should be created and built, which all IRM communications incorporate. This not only helps employees quickly recognise when communications are IRM specific, but also can then become a strong internal brand, one that is always top of mind for employees.
The need for continual awareness – many communications – coupled with the dry nature of IRM, means it is vitally important to keep communications fresh and engaging. Varying the type of content being created, along with the ways in which it is delivered/consumed is a must.
Aim to push creative boundaries.
It is all too easy to point the dreaded finger of blame at employees, and then demand change from them. This rarely works. And if it does, it’ll only be a short-term fix. Instead, focus on the employees as the solution, not the problem. Aim to make IRM a positive and empowering movement – employees will only change their behaviour when they feel like they are an important part of the solution.
Also, instead of always highlighting the damage to the business brought about through poor IRM behaviours, give attention to strong IRM behaviours and the improvements these have made to the organisation. Positive recognition of individuals and teams is a great motivator: not only does it establish that personal narrative, but it also shows how employee behaviours are helping to achieve business success.
There you have it
Five things that we believe are fundamental for the success of your IRM initiatives. We’ve helped many organisations create a security conscious culture, so if there is anything else you’d like to ask us, please do get in touch.
Until next time…