Sometimes it’s tough to get users to participate in your information security awareness program. Employees don’t want MORE work thrust upon them, even if it is something that will help them be better at their jobs (and help protect their families at home)! So you, the project manager for the awareness campaign, have to get creative. How do you get employees to care about the security awareness training and actually complete it?
1. Make it mandatory.
The number one way to get user participation is to force them to participate. Now this doesn’t make it the most successful way to earn user buy-in or engagement, but if your goal is strictly participation numbers this is the way to go.
You could put a spin on it by making it ‘part of the job’ in the same way that occasionally working late nights or going to after-work social events are ‘part of the job’: not mandatory, and you won’t get fired for not doing it, but it is expected of you.
2. Attach real consequences – both positive and negative.
People need reasons to do things. We work out because we want to lose weight or get healthy. We drive the speed limit because we don’t want a speeding ticket or to be in an accident. We take classes to learn new skills or to get better at our jobs.
So why should I take this awareness training? Will I get in trouble if I don’t? Will I get called out in a meeting for not completing it? Will I get praised if I do? Could I get a pat on the back from my manager if I do? Is the training an expected part of my job or will I slide by unnoticed if I just happen to forget about it?
Unless your users understand the consequences – either positive or negative – you will have a hard time getting them to participate.
3. Make it fun and competitive.
Think Fitocracy. Think Duolingo. Think about all those video games you used to (or still do!) play on weekends and why you liked them: getting that high score and beating JohnSmith334. Bragging rights and competing with friends/coworkers can make something mundane (such as exercise, language learning or policy training) more appealing and fun. Oh, a new awareness video just came out? And if I watch it I can earn 500 CyberSavvy points? YES please! Because then I’ll only be 1000 points away from getting the Most Security Aware Employee Badge. 🙂
4. Do it for your users, not for compliance.
If you approach your awareness training (or any training really) from the standpoint of “let’s just get this over with and check off that compliance box” then your training probably won’t be very good to start with and your users won’t think it’s important either. But if you approach it from a positive, upbeat and enthusiastic viewpoint, one that empowers your users to be better at their jobs and better at protecting their families from the dangers of the internet, then you’re going to get a lot less resistance. Your content will reflect how it was created – meaning if it was created with passion, it will be better than if it was created with a lot of head-desk-banging and feet-dragging. And your users will be more responsive if they get the sense that the organization cares about their own personal security and privacy, and is not just trying to comply with some industry regulations for the sake of compliance.
5. Ask yourself: what would I do?
Go ahead, we’ll wait. Ask yourself: if you were a user who was told they had all this training to complete, what would you do? Would you read that newsletter if you knew it didn’t matter? Would you take that voluntary training module if you knew no one would ever ask you about it? Would you do something on a purely voluntary basis if there was no reward for doing so or punishment for not completing it? Would you resent the extra work if it were made mandatory without any cutbacks elsewhere? Stop being You the Admin, put yourself in the users’ shoes and be You the User. What would make you happy?
Have you found a different tactic to increase user participation? Tweet us at @secawareco and share your secrets to help fellow cyber security admins improve their awareness programs!