Dr Jessica Barker urged security professionals to reconsider the use of both fear and humor in security awareness during her keynote at RSA Conference in San Francisco
Dr Jessica Barker took to the keynote stage at RSA Conference to educate the audience on how to communicate security awareness and best practice to users in the most constructive and responsible way. “We have to consider how to talk about this subject and not scare people,” said Barker, admitting that inherently it’s hard not to evoke fear given that the industry has to speak about threats. “But consider how we can raise awareness with the most positive impact,” she urged, “we must be responsible when dealing with the emotion fear.”
In order to put people at the heart of security communications, we need to understand them better, explained Barker. “People are more scared of things that they feel they don’t understand or if they feel something is out of their control.”
The cybersecurity industry has seen a huge rise in public attacks, making headlines on a daily basis. “This is good for awareness,” commented Barker, “and it warms up our Boards and brings the topic to the front of people’s minds.” The flip side of that though, she added, “is that it makes people feel out of control. People worry that if [breaches and attacks] are happening to tech-savvy organizations like Facebook and Google, what chance does anyone else have?”
Research shows that fear is effective if you are trying to promote and solicit an initial kneejerk reaction, explained Barker. Social engineers for example use fear all the time in phishing messages and attack simulations. However, fear is not effective if you want to encourage long-term behavioral change, which ultimately, is the goal. “Research shows, and I’ve experienced this myself, that you never have success by going heavy on the fear,” said Barker. “We need to be more intelligent and considered when using fear-based messaging ourselves.
People worry that if [breaches and attacks] are happening to tech-savvy organizations like Facebook and Google, what chance does anyone else have?
“We talk in a technical language which is unfamiliar to most,” Barker continued, “and this makes people feel more out of control, and thus fearful. That’s why in cybersecurity people have a disproportionate level of fear.”
How to Make People Care Without Scaring Them
Dr Barker shared her formula for making awareness messaging land, and more importantly, making it count. “The first thing you need to do is appraise the threat and show that yes, the cyber insecurity is real.”
Next, she said, consider susceptibility. “We have to convince people not just that the threat is real, but that it applies to them and they are susceptible”
The most important part though, she explained, is efficacy. “People have to feel that there is something they can do that will effectively control the threat” and that there is a solution. Otherwise, she said, they will only engage with the emotion of fear. “We need efficacy to stop them switching off. Without it, people won’t believe that the messaging is important to them. They’ll either switch off, or they’ll become so terrified they won’t want to go on the internet, into emails or click on any links. They’ll engage with avoidance and doubt and convince themselves that what we are saying doesn’t apply to them.”
Empowering the user by making the message relevant to them and convincing them they can make a difference is key, explained Barker.
How to Succeed
Barker gave recommendations for a successful security awareness program. First, she said, you need to reduce the noise. “It’s hard for end-users to engage with long and overwhelming recommendation lists. Pick three to five key messages, based on your risk assessment and top priorities, and focus on those.” Overwhelming your users is counter-productive, she said, “so change a couple of behaviors at a time and continue to build on those.”
Second, she insisted on making sure you give people the right tools to do the job to support efficacy. She used passwords as an example: “The cognitive load of remembering tens or hundreds of complex passwords is too high,” she said. “So give people the tools to solve this issue, be it password managers or allowing them to write them down, in some cases. If you don’t offer a solution, people will switch off.”
Next, Barker stressed the importance of making people feel empowered and confident. “People feel intimidated by tech in general, and specifically security. So you have to make people feel intrinsically motivated to engage in security.” How can you do this? “By shift the messaging,” she explained. “We’re generally quite negative in our messaging, because we are usually dealing with threats. People are far more likely to engage with a positive message. Positively reinforce good behaviors, don’t just wait for people to make mistakes and punish them.”
Beware of the Security Clown
“People don’t expect us to be funny in cybersecurity,” said Barker, “but there are so many funny things we can talk about, and funny and weird messaging is more memorable.” She issued this advice with a caution: “We have to understand that this can backfire if you don’t know what you are doing. Using humor [in cybersecurity] comes with a warning.” Sometimes, if people think something is really funny, they won’t understand it’s real or take it as seriously, she cautioned.
Barker concluded her keynote by gifting the audience a list of key takeaways:
- Scary messages need strong efficacy
- Reduce noise so people can engage with the signal
- Build engagement with optimistic messages and social proof
- Provide the tools so people can change their behaviors – check what you are asking of people is realistic
- Harness a positive cybersecurity culture