Chief information security officers (CISO) should take a note from advertisers such as McDonald’s and make security awareness fun and rewarding, according to one security expert.
Speaking at the Gartner Security and Risk Management Summit in Sydney, Gartner US research vice president, Andrew Walls, told delegates that traditional security education programs do not work as people remember messages through entertainment rather than sitting in a room and “beaten over the head with a PowerPoint presentation.”
According to Walls, advertisers such as McDonald’s use messages to make sure everyone knows and remembers their product or service.
“Simply being aware of security risks is a waste of time because people don’t remember the risks,” he said.
“The security program has to be attractive and the user motivated to select the right choice.”
Walls provided the following four tips for CISOs and IT executives when drafting a security awareness program.
According to Walls, security managers should pick two or three security behaviours that they want to change in their organisation such as `don’t click on phishing emails’, `don’t leave your computer workstation unlocked when you leave the desk’ and `don’t share your login details with another worker.’
“That’s the first nine months to a year of your awareness program. You have to work on specific behaviours, get them imbedded in the population, sustain them and then you can add more security behaviours over time,” he said.
Instead of blocking social media in the workplace, Walls suggested that security managers should push out security messages over social networking sites such as Twitter or Facebook.
“It’s a fantastic communications medium, if all your people are spending time on social media, why aren’t you talking to them on it?” he said.
“I work with a CISO who every Friday records a five minute video chatting about what was interesting in security that week and he posts it on YouTube. That company has over 60 per cent of employees hitting that video every week to watch it voluntarily.”
Instead of a costly security training session, Walls said this method involves a few minutes of the CISO’s time and an upload to YouTube.
Use Web proxy
According to Walls, security managers could use their company Web proxy as a security awareness tool. For example, if the user tried to access a blocked site, the proxy could redirect them to an internal security awareness site for an explanation of why certain sites are blocked.
“Offer content, quizzes and other information to explain and reinforce your security policy,” he said.
Some security vendors were offering tools which re-direct users away from phishing emails to educational games so the person gets rewarded for choosing the right security options, said Walls.
“PhishMe has had enough success with their gaming approach that they are seeing employees come back to the game intentionally to play it,” he said.
“They are learning about security but at no point are the employees dragged into a boring training session.”
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow CIO Australia on Twitter: @CIO_Australia