Large-scale awareness programs can be challenging, with so many topics to cover, so many different communication options and such varied audiences to consider. Also, your communication efforts will be competing with background noise. Every day, people are bombarded with advice. Exercise more, eat more greens and don’t click on dodgy links. The question is how you can make the most of the limited time and attention available. The Pareto Principle, also known as the 80/20 rule, proposes that 80% of consequences come from 20% of causes. If we apply this to security awareness it implies that 80% of the risk comes from 20% of topics. The problem is in knowing which 20% of users and content this applies to.
If we were able to interview and survey our entire audience in detail it would be a significant advantage. We would have a much better understanding of what content needs to be targeted at whom in order to drive behavioral change. The problem is of course that surveying an entire audience would normally be prohibitively expensive. Not to mention time-consuming when often there are pressures to ‘get on with it’.
Fortunately, this is an issue that others have given a lot of thought to. Marketers need to understand how to target their communications for the greatest efficiency. Website designers need to understand and predict how their users will respond to an interface. Both of these disciplines use personas as a way of representing the typical views, attitudes and competencies of a given demographic. Demographics are simply ways of dividing audiences into subsets by grouping them along common attributes when it would not be cost-effective or practical to measure people individually. Personas can be presented in a variety of different ways but are usually summarized on a single page.
Personas are normally created from interviews with representatives from the target audience and usually include core demographics such as age, sex and job role. Typically in a large organization you will have some 8-12 personas which cover a mix of customer-facing, back-office and management roles. You would probably only want to create more than this if you wanted to bring out key demographic sub-differences such as geography or length of service. Or, you may need more than this if you were considering educating your organization’s customers as part of your security awareness campaign.
For security personas, we’re interested in information which could help us apply the Pareto Principle to security awareness. This means two key areas to focus on. Firstly, which users should we prioritize? To do this effectively we need to understand the organization’s key information security risks and what behaviors are most relevant to these risks.
Secondly, once we know which users we are targeting, what intervention might change their behavior and what are their learning styles? Before we offer these users a ‘solution’ in telling them what they ought to be doing, do they understand that there is a problem?
Once you’ve designed your awareness materials, ask yourself how they apply to each of your personas. Although personas are abstract in so far as they include attributes from more than one person, it’s important to give them names so that they have a personality and you can start to ask how they would react in given situations. Are they likely to see your message as relevant to them and their role? Are they going to understand the wording and terminology? Is the content presented in a way that suits their learning styles?
Corporate training budgets and user attention are both limited resources and we need to do everything we can to maximize the effectiveness of our communications. Personas offer a way of improving our ability to target intervention where it’s needed the most. If you haven’t asked yourself how a particular awareness initiative will work for different demographics in your audience then it’s probably not as effective or efficient as it could be.
Published in the January 2014 edition of the ISSA International Journal.