In my last post on Awareness, I discussed an overview of our Awareness program and how we break up our initiative into breadth campaigns and depth programs to cover both the generic and the specific. In this post, I’d like to discuss a little bit about the framework we use to build our messaging for our awareness efforts.
At the core of our framework is the concept of socializing security. In simple terms, what this foundation means to us is that we will look to transcend organizational boundaries of information security and help connect people with people that can facilitate in the process of managing information security risk. So it’s not just about formal mandatory courses that you have to sit through, pointing people to policies and standards that need to be interpreted or throwing nebulous tasks at the user (e.g., “protect confidential data”) without perspective and contextual guidance. Instead, it’s really all about trying to engage in a dialogue, understand the pain-points of the customer and laying clear, concise and actionable controls (guidance, tools, etc.) in front of the users. Some of the mechanics we have employed include:
With this core foundation established, the next step up in the framework is the acknowledgement of the locale or context in which we want to deliver a message. Microsoft is an incredible diverse place and our ability to leverage this diversity is critical to effective messaging. What this means is that we need to take into account the business and/or geography where we are conducting the awareness. Some examples include:
With our core foundations of socializing and localizing security messages established, we turn our focus to the specifics.
Every message we develop as part of a single deliverable or a larger campaign has to be aligned back to an information security risk that we are trying to manage.
Over the foundation of socializing and localizing our message, we look to determine the best form of resources that we can develop that individuals can consume with the intent of managing information security risk. Is it a checklist of To Do’s? Is it a tool we need to get developed and pushed out with the help of our Information Security Tools team? Is it an ACE service offering we need to position from our Information Security Assessment team? Is it a training we need to develop? An important aspect of developing the resource is trying to make it fun. For example, you can setup little quizzes to test security knowledge or have spot-the-bug competitions for developers to identify security bugs, etc. A fun little game tied to an incentive can be a powerful delivery mechanism for a message you want to land.
This is an important and often overlooked element of an awareness campaigns. What is the incentive to the individual for wanting to consume and act on your message? There are two categories of incentives and it really goes back to the stick versus carrot approach: do you want to negatively incentivize someone or positively incentivize someone? I don’t believe it’s a matter of wrong or right approach but rather a question of what’s more effective given a situation. I have my views on what I believe to be a more effective and scalable approach in terms of information security in general but a case can be made when you need to negatively incentivize against a behaviors change (i.e., if you don’t comply with this, you could lose your job) – this discussion does often times get into regulations and right now, I’m not willing to touch that topic with a 10 foot pole! :-)
Here are some examples of positive incentives:
Whenever possible, I highly discourage negative incentives for awareness. Granted they may be needed in certain situations but in the long term, they only add to the perception that security is an obstacle to business and not an enabler. The most common example of negative incentives I’ve seen others talk about beyond citing the fact that policy violation can lead to termination of employment is making examples of and showcasing individuals that we reprimanded for violating policy.
So this is our framework. It all boils down to making sure people are aware of security and going about their business securely, every time and all the time. Microsoft, like a lot of companies, is a culture of hard working and passionate individuals. Collectively they help define a crucial element of the overall organization security posture so we have to make sure they are all thinking about and acting secure, one individual at a time.
In my next post, I’m going to discuss some of our key learning: what’s working, what’s not working and what are some of the new tactics we’re looking to employ in Awareness.