The next NoticeBored topic is security innovation so today I've been thinking up innovative approaches for security awareness to include in the module's awareness activities paper.
"When the classic strategies aren’t delivering, you send in the guerrillas. They’re the extra-special forces – the ones that implement killer strategies to turn the tide and defeat the enemy." WordStream
Guerrilla and viral marketing suggest a deliberately unconventional approach to security awareness. Instead of overtly promoting information security, privacy, compliance and related matters as usual, awareness messages may be circulated covertly, passed-on discreetly by word of mouth and social media. Think best-kept-secret, not megaphone marketing. Branded suck-blankets and comforters rather than ordinary security posters.
Eye-catching visual jokes (think Escher, Heath-Robinson or Dali) may spark the imagination, making people laugh and think. Other possible hooks aside from art are alliteration and allegory, paradoxes and conundrums, prose and poems, jingles and tag-lines.
You can seed the viral process to get it started, for example passing content to selected awareness contacts or leaving small quantities of artwork to be discovered in offices, coffee areas, meeting rooms, stationery stores or similar dark corners of the corporate intranet.
Prize draws, tickets to social events and other "free" giveaways stimulate more interest, while artificially limiting the number of rewards or the promotional period prompts people to respond quickly. [Hinson tip: you can always release further rewards or extend the period 'due to popular demand', a common technique in retailing. People are strangely drawn to passing bandwagons and fads.]
Another unconventional awareness approach involves using intrigue and doubt to generate interest, perhaps even spreading the exact opposite of whatever message you mean to put across in the sense of playing the devil’s advocate. An example is to turn risk management on its head: instead of asking ‘What do we need to do to minimize information risk?’, try ‘How much information risk can we afford to take?’ or ‘How close to the line can we push it?’.
Yet another creative technique is to take your adversaries' perspectives. Paint a picture of the organization in the eyes of a social engineer, hacker, fraudster or industrial spy, emphasizing the vulnerabilities. Their opportunities are your risks.
'Painting a picture' itself suggests organizing some sort of creative art competition for employees and their families. Perhaps collaborate with local schools or an art college to come up with an information security-related brief (such as that adversarial perspective thing) and prizes or rewards - which may be as simple as exhibiting a selection of contributed artworks on the premises or online.
'Online' ... hmmmm ... take a long hard look at your Security Zone or whatever you call your intranet site for information security. It does have a name, right, and a logo, a professional design, a good structure and plenty of valuable, fresh content?
Oh and a blog. Don't forget to keep your blog up to date. Floss it regularly to avoid decay. When was the last time anything was posted? [Hint: if you have to think hard or look it up, the answer is staring you in the face.]
You might already have links to the Security Zone from other intranet pages, perhaps even little advertisements or banners - plenty more opportunities to get creative here. [Hinson tip: which of these two links are likely to generate more clicks, "Click here to visit Information Security's intranet pages" or "Ten top tips to tackle Trojans"?]
In product marketing, distinctive designs and retail packaging are very much part of the mix ... so think about how your awareness content is designed, presented and delivered. If your branding is limited to a lame logo, this is your cue to free your mind and think more creatively about how you are packaging your stuff.
Stimulate demand for security awareness by finding out what people actually want before attempting to satisfy the demand. Yes, ask them! Run a survey. Give them options/choices and solicit ideas. Interview people. Be careful with this though: if you get a clear direction from your audiences, you had better be able to deliver accordingly, otherwise seeking opinions and suggestions may backfire. Be prepared to juggle your finite resources between potentially unrealistic or conflicting demands and competing priorities. [Hinson tip: demonstrably strong demand and support from employees, especially influential audience groups, can give your next budget proposal a powerful boost.]
By the way, many of these suggestions come from the world of marketing, promotion and advertising, so why not hook up with your organization's marketing professionals? Get their help and creative input, perhaps collaborate on a 'marketing plan for information security' ... and make them more aware of information security in the process (free bonus!).