Information security affects the entire organization. Information security is not just an IT department’s problem, so keeping information secure should not just be an IT department project. You need to get your whole organization involved. The better your information security awareness program, the better your information security.
Chris Veltsos, a faculty member in the Department of Computer Information Science at Minnesota State University, Mankato, recently presented a UMSA WebTracks series webinar on ways to improve your information security awareness program, how to draw lessons from other industries, and how to engage employees so that they understand, care, and remember.
What is information security?
Truly effective information security probably means that employees need to change behaviors to keep up with current threats. How information security is viewed depends on the employee. Veltsos suggested in his presentation that tech people think changing behavior for the sake of security is easy, partly because they understand why the behavior needs to change and are motivated to do it. Others in the organization with a less tech-centric way of thinking might not understand the need for change, so if it isn't convenient, they aren't likely to do it.
Changing human behavior is not easy and it’s especially difficult if it isn’t approached in the right way. Your information security awareness program’s effectiveness depends on it being done the right way.
Learning from other industries
Spreading the message of information security is not all that different from spreading the message of how to stay healthy, stop the spread of germs, or how to be safe on the road.
Public health and road safety campaigns aimed at getting people to wash their hands and wear seatbelts have proven that repeating the message is vital to getting it through. These campaigns also used an emotional appeal in their messaging, stating that people will die if they don't buckle up and suggesting that people will get sick if they don't wash their hands.
Along with emotional appeal, the campaigns use language and images that make the message easy for anyone to understand. Getting too technical in your information security awareness training will just mean you lose your audience. Keep it simple.
Getting others to care
To get employees involved and interested in changing their behavior to improve security, you need to engage them in your campaign. Veltsos shared a number of ways to do this:
- Present information with a positive attitude – leave out the scare tactics.
- Gamify – engage your audience at a higher level; get them working together rather than just sitting and listening.
- Support, don’t punish – create a culture that encourages dialog on security topics.
Repeating the message in multiple and engaging ways will help you improve your information security awareness program. Create emotional campaigns that employees can understand and connect to. Measure and track results. If your campaign isn’t working, try something new.
Information security is everyone’s problem. Get everyone involved. Help them understand why it’s important and give them direction for change.