More and more companies are realizing the importance of security awareness and training, and the bad guys are also taking advantage of the lack of it.
From an attacker's perspective, there are three broad areas of attack. The first is to compromise the hardware - this is pretty tough, takes time, and is usually restricted to nation-states or very targeted attacks. The second is the software layer, which usually involves taking advantage of public-facing unpatched software. The third and final attack area is the human - getting people to act against their own self-interest is usually cost-effective and offers decent returns.
While this problem largely impacts businesses, they can usually roll out security awareness and training programs which are mandated as part of the job. However, what about the average person who doesn't work in a business which provides training, or doesn't work at all? This could be a student, someone who's retired, someone between jobs, or a stay-at-home parent.
The same tactics that work within the confines and structure of a company won't necessarily work for the masses, and that's where the security industry needs to think broader.
A cultural change
It's important to recognize that whenever we talk about the broad population, we are talking about affecting mass cultural change. For this, it's important that messages are kept simple, memorable, and repeated over a long timeframe.
This is by no means a small or easy task. Even seemingly simple actions which are conceptually easy to grasp can take decades. Let's look at seatbelts in cars as an example. "Don't forget to clunk click" was launched in the UK in the early 1970s to encourage drivers to wear seatbelts.
It wasn't until over a decade later, in 1983, that it was passed into law. While the law caused mass adoption, the culture shift to the point where it became socially unacceptable not to wear a seatbelt took more time after that.
We can see a similar trend occurring with recycling. Some thirty or forty years back, recycling wasn't a widely adopted concept. Now you'll struggle to throw away some rubbish without being presented with a choice of bins, each labelled to accept only certain types of rubbish. But this too took many years to trickle down into the public consciousness.
So, what are some of the key takeaways the information/cybersecurity industry can take from some of these other campaigns that have sought to raise awareness and change behaviors of the general public?
Short and simple
The messaging for the masses can't consist of many different ideas and views. There are many issues in cybersecurity, ranging from passwords, to phishing, to financial scams. The core underlying behavior needs to be identified and distilled into one simple, short, and memorable message. Think of "Stranger danger", "Don't forget to clunk click", or "Stop, look, listen" from the Green Cross Code.
Nudges
Once the behavior has been identified and distilled into a simple message, nudges should be put in place to reinforce the message at the time the user needs to take action.
For example, many recycling bins are labelled clearly and try to encourage people to recycle through imagery. A recycling bin may show clean, pristine cans and bottles, whereas the landfill bin will show an ugly picture of tons of waste.
Or consider how many modern cars detect when the driver isn't wearing a seatbelt and sound a beep to encourage them to put it on. This kind of nudge, though, requires the desired security behavior to be built into the design of the product.
Cross mediums
Awareness isn't something that can be raised through one medium alone. Rather, it needs to be applied consistently through as many available mediums as possible. This can include traditional means such as posters, flyers, and TV adverts, as well as getting mentions in movies or TV shows.
Even newer mediums such as Instagram or YouTube can be very powerful in creating viral content that is educational or lends itself to memes or jokes.
Patience
The final aspect is patience. There is no quick or easy way to force people to change their behavior. It is something that must be continued over a long period of time, with constant reminders and nudges. With persistence and patience, the culture will change and we will see more secure digital behaviors adopted.