Security awareness is just like marketing and advertising. You’ve got to repeat your message numerous times to get it to stick in your users’ minds. The more times an idea is repeated, the more likely I am to remember it. Advertising companies use this idea of repetition in marketing campaigns all day long. Do you think Coca-Cola is going to play just one commercial, once a year, during the Super Bowl, and hope that everyone remembers the name of their drink for the other 364 days? Do you think that Nike is going to tell you to Just Do It right before Black Friday and not during every other major shopping week of the year? The Don Drapers of the world know that consumers are busy and overloaded with information every single day, so in order for their products to stay at the forefront of people’s minds, they’ve got to be repetitive.
That’s where the Rule of 7 comes into play. It’s an old adage, probably from before the days of cable TV. The idea is that a consumer needs to hear your message at least seven times before they will buy from you.
So let’s apply this to our awareness programs with a simple message: “Don’t click on links in phishing emails.” It’s a simple message, and you’d think that most people would get it after hearing it just one time. But that’s not how our brains work, especially not in today’s world, when we are bombarded with information from every direction, on many devices. You need to remind your users in at least seven different ways and at seven different times that they should not click on links in phishing emails.
And don’t just tell them this in an email – not everyone learns well from reading text. Think about advertisers again – they don’t reach us only with newspaper ads or only with email blasts. No, they use web banner ads, TV commercials, magazine ads, promo mailers, Twitter feeds, subway posters. They push their message in our faces so that even if we miss it over there, we’ll be sure to see it over here. So send out an email to your users reminding them not to click on links in phishing emails. But also try hanging up posters in the restrooms, posting on your company blog, sending out a video you found on YouTube, printing out an infographic about phishing emails and leaving it in the break room, holding a short webinar on phishing emails, making them take a mandatory phishing quiz through your internal LMS… there are tons of ways to get your message across. You’ve just got to think like an advertising agency!
Get creative, have fun, and share with us seven ways you get your Security Awareness message across to your users!