Information security awareness is about marketing a message in a way that has a positive impact on the audience. The message needs to either alter people’s perceptions of risk, help people understand cause and effect or motivate them to control risks. The marketing industry has been doing this for years and is arguably the expert in ‘selling’ behavioural change. The first rule of marketing is that you need to attract and hold the interest of your audience. To do this reliably, a message needs to have emotional affect. Advertisements can make people laugh by showing a man in a gorilla suit playing the drums. Or advertisements can make people feel guilty about children in Africa. Or they can provoke envy, making people want to imitate the dress style of an idol. Usually, though, it’s humour, which has long been a stock standard way of attracting attention to a message. Most advertisement humour is on a level with awkward dad-dancing but somehow it works. Do you recall a marketing message that made you happy? Maybe you emailed a link to your friends because it was so good?
Traditionally, information security awareness has not set out to create an emotional impact in the audience. Let’s face it, the traditional mandatory computer-based training (CBT) and PowerPoint sessions aren’t designed to be emotionally engaging and are usually about as funny as diphtheria. It’s no wonder we find it so difficult to get people to attend. Historically, security awareness has been about equipping people with the facts that the experts thought people needed to know. We need to consider though, who would have bought Coca-Cola if its marketing had focused on nutritional content?
Humour serves as a way of reinforcing society’s norms of behaviour. Do you remember the last time some bad humour made you cringe? If so, it was probably crossing a line of what you considered to be good taste. Even when comedians make jokes in poor taste they are often reinforcing perceptions of right and wrong by helping us to remember where the line of acceptability lies. Humour allows us to discuss that line of acceptability in a non-confrontational way. It’s common to hear information security awareness professionals complain of a ‘lack of engagement’ in their audiences. Actually, the engagement failures are more a result of how information is being presented, and the information security community is starting to wake up to the power of humour. In this column I’d like to call out some examples that I think have been particularly successful. And funny.
Host Unknown is a collaboration between the naturally funny Javvad Malik, Thom Langford and Andrew Agnes. Some of you may have seen Javvad’s delightful spoof of the CISSP credentials. While all of their videos may not be everyone’s ‘cup of tea’, it’s undeniable that they have broached exciting new ground in bringing humour to the information security landscape.
Twist & Shout Communications are a professional security awareness agency founded by veteran producer Jim Shields, who has a background in making people laugh. He has brought his skills to the information security field with two seasons of highly watchable short films. Each episode covers a different aspect of an information security issue. What makes it work is that the characters could be found in any office. In particular, the social consequences of security failures are shown. I actually found myself wanting to watch the next episodes, which is very strange for a security awareness product.
Channel Four’s privacy information video shows just how easy it is to take mundane topics such as the mechanics of marketing permissions and turn them into entertainment. Alan Carr certainly camps it up but there’s no denying that it’s entertaining.
Privacy communication has been somewhat fatigued in the aftermath of Snowden’s revelations but Google has shown just how easy it is to make it into entertainment. Who would have thought that a description of an evidential disclosure process could actually be funny?
These examples all show just how easy it is to make information security content entertaining. This is a huge area of opportunity for security awareness professionals. Is your content tedious? Do you have to make people read it or watch it? If so, have a think about how you could make it less factual and more engaging. Do you have any great examples to share? If so, please get in touch.
Finally, the best security joke I’ve heard in years comes from Nick Helm in 2011 at the Edinburgh Fringe Festival: ‘I needed a password eight characters long, so I picked Snow White and the Seven Dwarfs.’