An interesting piece in the Harvard Business Review highlights the one of the challenges information security professionals face when dealing with security awareness; we actively avoid information that can help us.
According to research by Emily Ho of Northwestern University, survey results show that when offered information that could potentially benefit them regarding health, finances and interpersonal issues, between 15 and 50 percent of respondents stated that they would rather not know the information. Not great news for those of us trying to educate users how to be more secure online, but the study also offers us some advice:
Participants were more likely to accept helpful messages when they perceived that they could act on the information being provided.
Participants are more likely to avoid information which they believe could damage their self image.
We can use this information to tune our awareness messages over time. When people decide whether to read a message, they will think of the past messages you have sent. If you have sent messages which simply warn people of abstract dangers and don’t provide them with concrete steps to take, you are not helping them and the messages will not be read.
For example, a message warning line of business users that there is a zero day vulnerability in Windows does not really help them – there is not much they can do about this. However, messaging around how to recognize and report potentially malicious activity on their workstation does give them something to act on.
Awareness messages should not make people feel bad about their security behavior – the message should focus on how adopting new behaviors can make the company even more secure. If you can tie these new behaviors to keeping the employee and their families more secure online as well, all the better.
Security awareness messages are competing with lots of other electronic communications for employee time and attention; making them actionable, respectful and, where possible, relevant to home life are key to getting the message across.