By Cherry Delaney and Ben Woelk | Senior Member
Threat Context
Information security relies on a combination of technical and process controls to protect information resources. However, in the end, it’s about the people, not the protections. Good security awareness is a key factor in keeping resources protected and in helping people stay safe online. Security awareness communications and training create that awareness.
Much of what we do in security awareness is informing our users about computer security risks and new trends. Creating a communications plan is a good place to begin. Having a plan will help you determine the success of your communications initiatives.
For those with a marketing or corporate communications background, communications planning is nothing new. However, creating a communication plan is an activity many tech comm professionals have not attempted.
Many of the examples in the article are from security awareness efforts at Purdue University and at the Rochester Institute of Technology.
Creating a Communications Plan
There are a number of templates available for creating a communications plan. When teaching seminars on creating security awareness programs, we often use a communications template from the Kellogg Foundation.
Planning and implementing a communications plan increases the likelihood of a successful security awareness program. Among the benefits of a plan are:
- A systematic approach
- Repeatable materials
- A strategic approach (which enables a proactive approach instead of a reactive approach based on what security incidents occur)
One of the foundations of successful technical communication is tailoring or contextualizing our messages for our audiences. In security awareness communications, it’s also important to use different tactics with different audiences. We need to understand the characteristics and demographics of our target communities to determine what works. Generally, older members of the community may not use social media, so traditional print venues may be more effective. Older members of higher education communities are more likely to use existing email groups or read email newsletters.
Plan Components
- Audience analysis
- Key messages
- Communications channels
- Scheduling
- Relationship development
To reach younger demographics, it’s important to add social media as another channel. One technique that’s becoming popular is to create online videos. YouTube videos can be entertaining and have a memorable theme (see www.youtube.com/user/SecurityVideoContest). Most university staff and faculty are active on social media, namely Twitter and Facebook. It’s important to reinforce the same message through multiple channels and repeat it often on channels such as Twitter.
Key Messages
- What needs to be communicated?
- What values are important?
- What is in it for me? Why should they care?
- How will you communicate?
  - Means
  - Methods
  - Timing
- Use of credible sources—community leaders
- Short, simple messages—just tell me what to do
Scheduling
Timing is important. We often need to work with graphic designers, editors, or other communications professionals who are not security professionals. We may want to leverage existing newsletters or newspapers. We may find that our work is almost seasonal in nature, with the heaviest period during the early fall when new students arrive.
Reuse Content—The Message Is the Same
Unfortunately, the security awareness message doesn’t change too much: update your operating system, don’t click on embedded links from people you don’t know, don’t open Spring Break pictures from people you don’t know, etc. Reuse content in different mediums. Print, digital newsletters, and YouTube videos are different mediums to convey the same messages.
Some messages are sent in a cyclical pattern: IRS warnings before tax season, holiday alerts before the holidays, end/beginning of semester reminders, and travel preparations encouraging people to encrypt their data. These can be pulled out from the previous year, touched up for this year, and sent off. Organize your files so it is easy to find needed communication messages.
Schedule Promotions
What events do you need communications developed for? Are these on a cyclical calendar? Learn what schedule works for your organization and who to develop relationships with to promote them.
Case Study: Security Awareness Communications at Purdue University
Cherry starts work on her October events early in the calendar year. She uses printed materials, which entails making sure printing services has the quantity of paper needed for a mass mailing to Purdue University. She works with a graphic designer to develop the postcard she will mail out. Cherry works with the Web team to create a digital image to place on their website promoting the October event. The information security team at Purdue may also place an advertisement in the university newspaper. They work with the schedule to get the advertisement placed appropriately. They may be able to reuse the postcard design in the newspaper. They will promote the event through the university’s daily email messages. A weekly security tip is included as part of the monthly message. It’s important to coordinate security awareness efforts with other communication efforts at a university. There are many events and news items that compete for attention. The “Get Smart” theme that was used was directed toward older users who remember the TV series, and the concept was reused for an October cybersecurity theme because it easily conveys the message.
Capitalize on Crisis
A security incident, such as a breach of private information, can provide a great opportunity to raise security awareness. Our mistakes are powerful messages of what went wrong. Use these moments when everyone is focused on the incident as a time to raise awareness and improve processes. A crisis is a teachable moment where security has become the topic of the highest importance. Use it well.
Calendar of Communications—never miss a chance to leverage an opportunity. Some opportunities are cyclical:
- April brings IRS scams, so have articles or points prepared to share in local news, through newsletters, and in other communication channels.
- Summer break and the return to campus are opportunities to remind your readers that encrypting their devices protects the data on them. Physical security is important when traveling so use this time to promote that security awareness message.
- Purdue hands out packets of sunscreen with a logo on them at freshman visit days in late winter and early spring. If they are going someplace warm for spring break, they can use some sunscreen because Purdue takes “protecting you seriously.” They laugh and we get to make a point about our culture of security awareness.
- We create a campaign each year for October cyber security awareness month. This takes time to plan and orchestrate the implementation. We send out postcards to the entire campus and insert weekly tips into our university daily email notice.
- Holidays are a time to provide reminders about safety when ordering online. We recommend dedicating one credit card to use for online purchases, which gives you the opportunity to make your community aware of safer online purchasing practices.
Relationship Development
Developing relationships with other communications teams within your organization will help market your communications effectively. Our marketing team manages all external communications, so we have to factor the time it will take to send the security awareness materials through for their review.
It’s important to have backing from senior management (who is just as likely to fall victim to an attack and is more likely to receive a targeted attack). It’s difficult to effect change if you’re pushing from the bottom without management support. It’s also helpful to leverage your marketing department to provide guidance on your overall strategy and to gain access to existing communications vehicles.
Cross-organizational groups like EDUCAUSE and LinkedIn provide a window into how similar organizations are dealing with security issues or effective ways they may have found to deliver a message. Sometimes they provide a sounding board for ideas or allow you to see you are not alone in your struggles to create effective messages. It’s good to develop relationships with members of the national groups to see what they are doing that works or what didn’t work.
Once you deliver the message, plan a process to get feedback. Shooting messages into the dark without a way to test their effectiveness is not efficient. Survey different groups to test demographic-specific delivery methods. Does the YouTube video work better with a younger demographic? Does a long article in a newsletter that delivers great technical content get read? Or are short sound bites of information more effective? How many people visit your website and what are they viewing most? Analytics of websites can be very helpful in determining what is important to your community.
Develop Processes
Develop a process that works with you and your communications staff. It was easier for Cherry to learn InDesign and maintain full ownership and scheduling of our e-newsletter than to share a staff person’s time to do this. If you don’t have the time to do something, find a process that works.
How Do You Measure Success?
Generally, metrics for security awareness programs are difficult to determine. It’s easy to count the number of messages you’ve sent out. Measuring success in a changing threat environment can be challenging. Do you measure success by an increase in security incidents reported? Is that increase due to an increase in attacks? Is it a success if fewer users fall for phishing attempts? Maybe, but there may be fewer phishing attempts. At the Rochester Institute of Technology, we’ve seen the number of users who fall for phishing attempts drop from ~25 on each attack to 2 to 3 on each attack.
Summary
Security awareness communications provide a great opportunity to be innovative and try new techniques and messages. A university community often has the “latest and greatest” personal technology. This technology provides both opportunities and challenges. It’s difficult to protect new technology; however, that new technology also provides new ways to communicate our messages.
Cherry Delaney (cdsaa3@aol.com) is president of TheBook IndexerOnline. She is well-qualified to create indexes for a variety of materials including books, catalogs and directories, corporate and business materials, reference books, technical manuals, periodicals, textbooks, and trade books. She has extensive experience in information technology at an institution of higher education for over 17 years. She has presented at national conferences on cybersecurity awareness. Her experience includes writing technical software manuals with embedded indexes and providing training on various software.
Ben Woelk (ben.woelk@gmail.com) is policy and awareness analyst for the RIT Information Security Office. He is responsible for security awareness communications, training programs, and policy development. Ben has authored a number of articles on information security for non-technical users and is adjunct faculty at RIT in media sciences, communication, and computing security. Current activities include leveraging social media for security awareness, participating in the awareness and training working group in the EDUCAUSE Higher Education Information Security Council, and serving as an STC Director and chairperson of the STC Community Affairs Committee.
EDUCAUSE Security Awareness Quick Start Guide, https://wiki.internet2.edu/confluence/display/itsg2/Security+Awareness+Quick+Start+Guide.
EDUCAUSE Security Awareness Detailed Instruction Manual, https://wiki.internet2.edu/confluence/display/itsg2/Security+Awareness+Detailed+Instruction+Manual.
W.K. Kellogg Foundation, Template for Strategic Communications Plan, www.wkkf.org/knowledge-center/resources/2006/01/template-for-strategic-communications-plan.aspx.
EDUCAUSE Security Poster and Video Contest, www.youtube.com/user/SecurityVideoContest.