Martin Luther King said ‘I have a dream’, not ‘I have a plan’
– Simon Sinek
Engaging end users using marketing, psychology and safety theory.
About Geordie Stewart
His award winning masters thesis at the Royal Holloway Information Security Group examined information security awareness from a fresh perspective as a marketing and communications challenge. In his regular speaking appearances at international information security conferences such as RSA, ISACA and ISSA he challenges conventional thinking on risk culture and communication.
In addition to senior security management roles in large UK organisations Geordie writes the security awareness column for the ISSA international journal.
Other than educational initiatives for schools, governments haven’t traditionally run large scale security awareness campaigns directly to the public. This has changed the United Kingdom with the introduction of the CyberStreetWise Campaign. CyberStreetWise is a cross-government campaign funded by the National Cyber Security Programme using the agency M&C Saatchi. The website features interactive security advice…Details
The landing gear light indicated a problem. The captain, first officer and flight engineer of Eastern Air Lines Flight 401 tried to figure out what was wrong. They removed the light assembly and the flight engineer left his position to go to the avionics bay and investigate. They were so preoccupied with a burnt out…Details
When it comes to security awareness, there’s no such thing as a blank canvas. Your audience will already have pre-conceived notions about your topic. The language, tone and media you use will invoke associations in people’s mind, both helpful and unhelpful. These associations will influence how people view the root causes, likelihood and potential outcomes.…Details
It’s been a bad month for marketing claims. Red Bull have agreed to pay $13 million to settle a lawsuit and “avoid the cost and distraction of litigation”. Apparently, while drinking Red Bull might make you feel like you’re flying it doesn’t actually give you wings. Privacy provider Whisper advertised itself as “a safe place for our users to anonymously share their innermost thoughts, secrets, and feelings”. Despite claiming that it doesn’t track IP addresses or geolocation data, it’s alleged that Whisper actually tracks both…and…wait for it…shares it with the US Department of Defence. So your ‘innermost thoughts’ shared with your date from the Russian consulate are sure to be private. As long as you re-define the word private to include half a million contractors across five countries. Much of the controversy isn’t over the fact that internet communications will always be to attributable to some extent, it’s that Whisper claimed otherwise and in doing so appears to have misrepresented their product. Just like the Snowden revelations, we’re again squabbling over the meaning of words like identity, content andDetails
I had a very strange encounter with a PCI auditor recently. On viewing my client’s security awareness portfolio he refused to sign it off as meeting PCI requirements because it didn’t cover ‘everything’. It got me thinking. There are two schools of thought when it comes to communicating risk. The first is the comprehensive approach where all the facts are presented. As part of this mindset, most organisations require their staff to read and agree to a security policy which is usually long and written in formal, contractual language. The majority of employees probably only skim their security policies and even if they did read them in full, would they understand them? Information security can be difficult to understand at the best of times without adding the additional complexity of overly formal and legalese phrasing. The Paretto Principle, or 80/20 rule, suggests that only a small percentage of content really matters but comprehensive approach usually means hiding itDetails
Information security awareness is about marketing a message in a way that has a positive impact on the audience. The message needs to either alter people’s perceptions of risk, help people understand cause and effect or motivate them to control risks. The marketing industry has been doing this for years and are arguably the experts in ‘selling’ behavioural change. The first rule of marketing is that you need to attract and hold the interest of your audience. To do this reliably, a message needs to have emotional affect. Advertisements can make people laugh by showing a man in a gorilla suit playing the drums. Or, advertisements can make people feel guilty about children in Africa. Or envy by wanting to imitate the dress style of an idol. Usually though, it’s humour which has long been a stock standard way of attracting attention to a message. Most advertisement humour is on a level with awkward dad-dancing but somehow it works. Do you recall a marketing message that made you happy? Maybe you emailed a link to your friends becauseDetails