So, you’ve launched a security awareness program, eh? Here’s how to make it fail in 10 easy steps! (In no particular order.)
Introduce your program with a really long elearning module or video.
Be as detailed as possible. Keep in mind that your employees and coworkers are going to be incredibly intrigued by the idea of going through awareness training. So the more detail you can throw at them right up front, the more receptive they will be to your new program.
Avoid using too many pictures.
Seriously, the last thing you want to do is subject your employees to a bunch of colorful infographics and posters. The same goes for elearning modules and videos and all content. Thoughtful color schemes are a distraction and undermine your efforts.
Never use humor.
Humor = lawsuits. Furthermore, you’ll lose credibility. Leave the funny stuff to standup comedians and focus on the task at hand: saving people from the internet.
Hire lawyers to write all your content.
This is especially true of compliance and policies. You don’t want to come off like Buzzfeed or whatever hip communication trends seem to be floating around on the internet. Walls of meticulously detailed text are the best way to get your point across.
Don’t bother with incentives.
People in general are eager to learn more about HIPAA and data classification, so they’ll be chomping at the bit to consume every part of your awareness program. Incentives and rewards are a waste of company resources.
Use videos sparingly.
This is not a YouTube conference. It’s a security awareness training program. Short, flashy videos are an ineffective way to transfer knowledge to your end-users. Just check out the video below. Do you think anyone is going to take this guy seriously? We certainly don’t.
Keep it corporate.
Trying to make your program more personal to your end-users is a massive waste of time. Keep it as basic as possible. Remember that your employees will have no use for this information outside of the office.
Only use formal training.
Instructor-led, classroom-style workshops are your friend. We’ve found the best time to schedule them is first thing Monday morning when you have your employees’ full attention. The classes don’t need to be super long, though. Three or four hours generally does the trick.
Don’t use mascots or clever slogans.
You are not Don Draper. If you attempt to treat your SAP like a marketing campaign, chances are, you’ll just come off as gimmicky and people will laugh at you. Security awareness is your mascot. No need to be fancy.
You want to scare off your employees? Try spinning information security materials or compliance training into a game. The thing no one ever mentions when it comes to games is that there are always losers. So, you’re just setting yourself up for failure by gamifying elements of your SAP.
Okay, that’s enough satire for one blog. Obviously, there are a lot of things working against awareness programs, especially new ones. The good news is that there are many simple solutions for ensuring the success of your program. Basically, do the opposite of everything listed above. Instead, focus on creating a culture of learning. Assess your needs and address them with engaging materials that do more than just impart information.
The end-goal is to develop a learning ecosystem within your organization that benefits everyone from the top to the bottom. And we’re here to help! Check out our resource center for tons of great information on how to plan, launch, and manage your SAP. We also have a bunch of free materials including posters, games, modules, and more!