Sometimes it’s tough to get users to participate in your information security awareness program. Employees don’t want MORE work thrust upon them, even if it is something that will help them be better at their jobs (and help protect their families at home)! So you, the awareness program manager, have to get creative. Let us help!
Make it mandatory. The best way to get user participation is to force them to participate. Now this doesn’t make it the most successful way to earn user buy-in or engagement, but if your goal is strictly 100% participation this is the way to go. You can spin it by making it ‘part of the job’ in the same way that occasionally working late nights or going to after work social events are ‘part of the job’ — not mandatory, you won’t get fired for not doing it, but it is expected of you.
Attach real consequences – both positive and negative. People need reasons to do things. We work out because we want to get healthy. We drive the speed limit because we don’t want a speeding ticket. We take classes to learn new skills or to get better at our jobs.
So why should I take this awareness training? Will I get in trouble if I don’t? Will I get called out in a meeting for not completing it? Will I get praised if I do? Could I get a pat on the back from my manager if I do? Is the training an expected part of my job or will I slide by unnoticed if I just happen to forget about it?
Give your users a reason! Unless your users understand the consequences—either positive or negative—you will have a hard time getting them to participate.
Make it fun and competitive. Think Fitocracy. Think Duolingo. Think about all those video games you’ve played and why you liked them: getting that high score and beating JohnSmith334. Bragging rights and competing with friends/coworkers can make something mundane (such as exercise, language learning or policy training) more appealing and fun. “Oh, a new awareness video just came out? And if I watch it I can earn 500 CyberSavvy points? YES please! Because then I’ll only be 1000 points away from getting the Most Security Aware Employee Badge.” If your culture permits it, friendly online contests, like Security Jeopardy, etc., that offer rewards ($50 at Amazon, e.g.) could be a real motivator, along with bragging rights.
Do it for your users, not for compliance. If you approach your awareness training like, “Let’s get this over with and check off that compliance box” then your training won’t be very good and your users won’t think it’s important. But if you approach it from a positive and enthusiastic viewpoint, one that empowers your users to be better at their jobs and at protecting their families, then you’re going to get less resistance. Awesome, entertaining content will reflect how it was created, meaning if it was created with passion, it will be better than if it was created with a lot of head-desk-banging and feet-dragging. Your users will be more responsive if they think that the organization cares about their personal security and privacy, and isn’t just trying to comply with industry regulations for the sake of compliance.
Ask yourself: what would I do? Go ahead, we’ll wait. If you were told you had a pile of training to complete, what would you do? Would you read that newsletter if you knew it didn’t matter? Would you take that voluntary training module if you knew no one would ever ask you about it? Would you do something on a purely voluntary basis if there was no reward for doing so or no punishment for not completing it? Would you resent the extra work if it were made mandatory without any cutbacks elsewhere? Stop being You the Admin, and be You the User. What would make you happy?
Have you found a different tactic to increase user participation? Tweet us at @secawareco and share your secrets to help fellow cyber security admins improve their awareness programs! For more advice, check out our blog post about user participation and bribing your users.