Security Awareness programs tend to favour written content over all other forms of delivery. Business Reporter’s resident U.S. ‘blogger Keil Hubert suggests that an effective program has to mix up interpersonal exchanges with written content to match users’ learning preferences.
Many people don’t like to read. They’ll do it when they absolutely have to, but put the minimum required effort into it. Case in point: on our flight out of New York City, my wife and I were enjoying a quiet few minutes of post-boarding reading when one of the last arrivals – a well-dressed woman with an arm full of shopping bags – nudged me and said ‘Excuse me, but you’re in my seat.’
I set down my material and smiled at her. The air hostess behind the passenger was clearly irritated by the delay, since we were right up against the deadline to seal the plane and start taxiing. This late boarder was holding everyone up … and now, it seemed, I was too.
‘I’m fairly certain that I’m not,’ I said. I retrieved our boarding passes and held them out for the air hostess’s inspection. They showed the seats that we were currently occupying in large block letters. ‘1A’ and ‘1C.’
The latecomer grew agitated and waved her own boarding pass. ‘But I’m in that seat. It says right here that I’m in seat 1C.’
The air hostess, now displaying a venomous seethe, deftly plucked the latecomer’s boarding pass out of her hand and examined it. She suppressed a glower of irritation, and said ‘No, ma’am. You will be sitting in seat 1C on your next flight from Dallas to Chicago. This flight is going from New York to Dallas.’ She then flipped the boarding pass over to reveal the current flight’s card … which said ‘seat 1D’ … the only empty seat on the entire airplane.
You’d think it would have clicked at that point. There’s one seat left open. You’re the last person to board. Do the math …
The bewildered and angry latecomer had to be told twice to turn around and sit in her clearly-assigned seat so that we could take off. The air hostess apologized to me for the interruption. I told her that it was a non-event and not to worry about it.
I’d be willing to bet that the latecomer wasn’t an idiot. She was rude, perhaps, but didn’t show any signs of being unintelligent. I doubt that she had any sort of reading disability. Everything about her demeanour screamed ‘agitated,’ not ‘confused.’ She’d been handed a set of boarding passes during check-in, clearly hadn’t listened well to the gate agent’s instructions, and then couldn’t be bothered to read the LARGE BLOCK LETTERS on her critical travel documents. I suspect that’s why she was late to board, too. She probably went to the wrong gate (based on the wrong boarding pass) and had to be redirected.
I bring this story up for two reasons: first, because it’s funny. More importantly, because it’s National Cyber Security Awareness Month here in the USA, and this story relates to a very common failing in most companies’ Security Awareness programs. Some people just don’t like to read … and what they don’t like to do, they either won’t do, or else won’t do well.
Lots of SA programs lean heavily on printed materials. Products like newsletters, broadcast e-mails, posters, intranet articles, fliers, and wallet cards. This is because written artefacts make for the best evidence to submit to an inspector, regulator, or auditor to prove that you’re actually doing something to meet your externally-imposed. It’s darned difficult to get an auditor to accept that you conducted a live classroom lecture or a brown-bag luncheon since the last inspection because there’s often little evidence of a person-to-person event to substantiate that it actually happened (other than maybe a sign-up sheet). Written content, however, is tailor-made for the task. You hand over the example artefact, along with a time- and date-stamped delivery receipt, and BAM! You have acceptable proof.
Love it or hate it, audits and inspections are often won by sheer weight of documentation.
The trouble is, over-reliance on printed materials leaves you vulnerable to some of your people not receiving or else understanding the intended message. In any given written product, some people will devour all of it and understand exactly what you meant. Many others will read it and get the gist of your intent. A small but significant percentage of users will either decline to read it at all, or else will skim it and walk away with the wrong understanding.
This isn’t limited to awareness advisories; it happens with policies, process guides, procedures, handbooks, and darned near all other forms of official written content, too. I once had a senior manager berate me at an organisation-wide meeting because (she said) my IT department wasn’t following a required process to the letter. I pointed out that the official process didn’t say what she was claiming it said.
‘You’re completely wrong,’ she said. ‘I read the *£&$ governing publication.’
‘That may be so,’ I retorted, ‘but I wrote that *£&$ publication.’
It still tool three re-readings of the source material to prove to the angry that I wasn’t making things up. She couldn’t believe the words that I recited from my own regulation that described my team’s process. She’d misunderstood it the first time that she’d read it, and wasn’t about to back down.
This is why your Security Awareness can’t rely on purely written content alone. Yes, you can and should use written content. It satisfies auditors well, makes it simple and efficient to synchronize performance standards across an organisation, and sets a virtual ‘stake in the ground’ for your customers on how Things Will Be Done.
It doesn’t matter what line of business you’re in. Clean, clear, and unambiguous process documentation makes everyone’s lives better.
That being said, it’s crucial to supplement your written content with appropriate interpersonal encounters: classroom lectures, seminars, small group training, mentoring, personal visits, hallway chats, phone calls, video presentations … You teach the same points in multiple formats to ensure that people receive and process the required content in the fashion that resonates best for them.
People have a range of different learning styles. Some people can’t focus when you speak to them and will ignore everything that they hear, but will (somehow) completely grok a clearly-written memo. Other people function exactly the opposite way and can’t be bothered to read anything, but will still respond positively to what you say. Neither style is wrong; they’re just different. A good Security Awareness administrator needs to keep this in mind at all times, and design redundant delivery products that take into account different people’s learning preferences.
Personally, I actually prefer to communicate via live, instructor-led lecture because in a lecture I can see for myself when people are ‘getting’ what I’m communicating. When I can see my audience’s facial expressions change, I know that I’ve scored a metaphorical ‘hit.’ As much as I love to write , I find it frustrating that I have no idea whether or not my point made it through in a one-way written piece where I can’t observe or quiz my readers. If no one contributes to the contents section at the end of the article or sends me a note, I have no clue whether or not my work was a ‘hit’ or a ‘miss.’
The trouble is, it’s darned hard to get dozens, hundreds, or thousands of audience members into a common space for an hour’s discussion. So, we make do with fliers, e-mails, posters, and the like. Every awareness tactic has its own advantages and disadvantages to factor, not to mention cost, difficulty, logistics burden, time lag, etc.
Written content is often the fastest, easiest, and most documentable technique to use, and there’s nothing inherently wrong with that. Just be sure to vary your delivery tactics in order to reach as many people as you can, as effectively as possible. Meet your people where they are (so to speak) rather than insisting that they all conform to your preferred delivery method. You’ll get better compliance and understanding from people if you make a reasonable effort to cater to their idiosyncratic learning styles.
Title Allusion: None this week.
POC is Keil Hubert, email@example.com
Follow him on Twitter at @keilhubert.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.