I had the opportunity a couple of months ago to meet Kevin Finke at a conference. Kevin isn’t a security guy, he’s a self described design nerd. But Kevin has changed the way I look at my security awareness program.
We talk a lot about how we need to “revolutionize” our security awareness programs, but other than offering training more regularly, I haven’t really come across a transformative way to change the way we do things.
Kevin challenged us to actually try and design the user experience of security awareness. This was different, in part, because usually I’ve just taken what a vendor has to offer. And that’s usually a one-size fits all approach. But if you’re like me, you’ve got thousands of users, and they all have different values.
Notice I said values, and not needs.
The first step in changing our focus in security awareness training is that it’s not about the security teams that are purchasing or buying the training. It’s about what the end users will get out of it. What’s in it for them? And they all want different things out of technology and have different personal histories with security.
Maybe they’ve been the victims of identity theft. Maybe they have full admin rights to all your servers. Maybe they don’t have a computer and work from a tablet on the road.
When we write our security policies, or create our training, or build our incident response plans we write them as though we only have one type of employee. The problem with that is that we have a wide variance between employee personas, their use of technology, and their levels of access inside the organization.
If we were in marketing, we would build “personas” for each type of employee in our organization. We would try and understand the needs, motivations, pain points, and communications styles for each and meet them where they are at to connect with them rather than expect them to connect with us. A good “persona” would include a photo, a name, demographics, motivations, quotes, and more.
Using use of technology and level of access as the two axis, I’ve created a matrix of security personas that employees can fall inside of. On the matrix, I’ve identified 9 profiles that I wanted to focus on.
- Larry Luddite – Larry hardly ever uses a computer and doesn’t want to.
- Hourly Henry – Henry uses his computer from 9-5 to do data entry, but never uses the Internet.
- Social Sally – Sally’s uses her computer for social networking first, and her accounting software second.
- Telecommute Tommy – Tommy loves never having to come into the office, and he uses the computer the company gave him to take service calls.
- Millennial May – May is always connected to her computer, her smart phone, or smart watch, so she can be connected to her employees even while she’s in meetings.
- Eddie Executive – Eddie gets reports and sees real time dashboards for almost everything in the company from his computer or tablet.
- Carol Cloud – Carol is a talented designer and helps translate what the tech guys dream up into things that normal humans like using.
- Gadget Greg – Greg buys every new device as soon as it hits the market and expects it to work seamlessly at the company.
- Amy Admin – Amy is your IT server administrator that makes all of the technology in the company happen, as if by magic.
After looking at these different employee archetypes, I’m astonished that our one-sized fits all approach to security training has been effective at all. Okay, it hasn’t been that effective. Maybe this is part of the explanation?
I’ve left open another axis for security awareness training, and I think the personality profiles will open up clues to what kinds of training might be more effective for different people. For example, as a mobile device road warrior, Gadget Greg values his time. I can’t expect him to watch one 30-minute video. But maybe several two-minute videos that he can watch on his mobile device might work. Telecommute Tommy, on the other hand, needs to block off his calendar to schedule his training between calls. A longer video that covers everything he needs to know would be better so that he can schedule it once.
Sample Security Awareness Personality Profile – Eddie Executive
Here’s a sample of a cybersecurity marketing persona I put together. That’s me in the picture, btw. The goal of building this persona is to help put you in the hypothetical person’s shoes, and once you’re in them, to understand their needs. What if you didn’t require Eddie to watch an annual security training video like most other employees, but instead tailored the training offerings by scheduling a tabletop exercise, and invite him to a monthly 15 minute conference call check up, followed up by regular simulated phishing campaigns to help prevent him from falling victim to spearphishing?
Maybe those things would work with the executives in your company, or maybe not. However you do it, tailoring your approach is the next step in revolutionizing security awareness.
George Finney, is the author of No More Magic Wands: Transformative Cybersecurity Change for Everyone and has worked in Cybersecurity for over 15 years. He is currently the Chief Information Security Officer for Southern Methodist University where he has also taught on the topic of Information Assurance. Mr. Finney is an attorney and is a Certified Information Security Manager as well as a Certified Information Security Systems Professional and has spoken on Cybersecurity topics across the country.