Information Security Awareness - It's Time We Know What Works
Unfortunately, making such an assertion is much harder than it sounds: simply identify a cyber security awareness slogan, icon, or training methodology that permeates the airwaves, cuts through today’s online clutter, and results in a workforce that doesn’t fall for phishing emails, understands that financial institutions will never email requests for account owners’ passwords, and is conscientious in applying the latest operating system and client-side application software patches. Just as importantly, we must know why the slogan is effective and why it is able to get consumers and employees to modify their thinking and behavior.
Without understanding “why” a particular awareness campaign works, the information industry will not be prepared for when the next generation of cybercrime and malware is effective on the next generation of Netizens. For this reason, research into cyber security awareness campaign effectiveness is paramount.
Forty years before the personal computer was born, the Advertising Council created the advertising mascot/ icon Smokey Bear (who is, often, incorrectly called Smokey the Bear) to educate Americans about the dangers of forest fires and wildfires. Per the Ad Council, 95% of adults recognize Smokey Bear and his slogan, “Remember… Only YOU Can Prevent Forest Fires”; however, I am unaware of any research and measure of effectiveness that emphatically concludes the U.S. National Park Service’s investment in the Smokey Bear advertising campaign has reduced the number of forest fires or wildfires. This is not to say that our beloved Smokey Bear campaign is not worthwhile. It is just that everyone is extremely cost conscientious and measuring an advertising campaign’s return on investment (and then investing only in effective campaigns) is a necessary evil; however, it implies a correlation between a message or training and something that doesn’t happen. And this “proving of a negative” will also be an issue in an effectiveness measure of just about every cyber security awareness campaign: we might be able to determine why a consumer clicks on a link but will we be able to determine which catchy slogan or training tidbit caused someone not to open a malicious attachment?