In my last post on Awareness, I discussed an overview of our Awareness program and how we break up our initiative into breadth campaigns and depth programs to cover both the generic and the specific. In this post, I’d like to discuss a little bit about the framework we use to build our messaging for our awareness efforts.

ISAWARE Framework

Socialize

At the core of our framework is the concept of socializing security. In simple terms, what this foundation means to us is that we will look to transcend organizational boundaries of information security and help connect people with people that can facilitate in the process of managing information security risk. So it’s not just about formal mandatory courses that you have to sit through, pointing people to policies and standards that need to be interpreted or throwing nebulous tasks at the user (e.g., “protect confidential data”) without perspective and contextual guidance. Instead, it’s really all about trying to engage in a dialogue, understand the pain-points of the customer and laying clear, concise and actionable controls (guidance, tools, etc.) in front of the users. Some of the mechanics we have employed include:

  1. Conducting podcasts with security and non-security SMEs to discuss emerging risks, new controls or other thoughts from the information security and business landscape.
  2. Drive positive reinforcement by recognizing and showcasing individuals that go above and beyond their duty to support the mission of information security.
  3. Socialize people’s thoughts (good and bad) on information security to help maintain a level of awareness for information security.
  4. Focus on providing clear, concise and actionable guidance and/or tools to users.

Localize

With this core foundation established, the next step up in the framework is the acknowledgement of the locale or context in which we want to deliver a message. Microsoft is an incredible diverse place and our ability to leverage this diversity is critical to effective messaging. What this means is that we need to take into account the business and/or geography where we are conducting the awareness. Some examples include:

  1. Recognizing the need to localize the content into local language for some regions in an effort to ensure effective consumption of message.
  2. Recognizing the security baseline of different organizations and teams which means certain teams may require Security 101 type messaging (e.g., Why is it important classify data?) while other more security mature organizations may need details on specific controls (e.g., How do I go about segmenting my vendors from my full-time employees on my network properties?).
  3. Understand team priorities and culture so you can better position your message. Some examples of this include teams with a strong culture of innovation where you want to ensure you are not in any way looking to impose too much structure (e.g., Forcing individuals to take some 4 hour training before they can use a tool) that impedes the organic nature of innovation. Contrast that to a team with a strong operational focus where it may be perfectly fine to impose 4 hour training but we need to ensure we are making this training part of the yearly training cycle for that team.

With our core foundations of socializing and localizing security messages established, we turn our focus to the specifics.

Risk

Every message we develop as part of a single deliverable or a larger campaign has to be aligned back to an information security risk that we are trying to manage.

Resources

Over the foundation of socializing and localizing our message, we look to determine the best form of resources that we can develop that individuals can consume with the intent of managing information security risk. Is it a checklist of To Do’s? Is it a tool we need to get developed and pushed out with the help of our Information Security Tools team? Is it an ACE service offering we need to position from our Information Security Assessment team? Is it a training we need to develop? An important aspect of developing the resource is trying to make it fun. For example, you can setup little quizzes to test security knowledge or have spot-the-bug competitions for developers to identify security bugs, etc. A fun little game tied to an incentive can be a powerful delivery mechanism for a message you want to land.

Incentive

This is an important and often overlooked element of an awareness campaigns. What is the incentive to the individual for wanting to consume and act on your message? There are two categories of incentives and it really goes back to the stick versus carrot approach: do you want to negatively incentivize someone or positively incentivize someone? I don’t believe it’s a matter of wrong or right approach but rather a question of what’s more effective given a situation. I have my views on what I believe to be a more effective and scalable approach in terms of information security in general but a case can be made when you need to negatively incentivize against a behaviors change (i.e., if you don’t comply with this, you could lose your job) – this discussion does often times get into regulations and right now, I’m not willing to touch that topic with a 10 foot pole! :-)

Here are some examples of positive incentives:

  1. Establish individual developer’s commitments to write code with 0 security bugs. At the same time, have the training and educational modules ready for the developers to consume. This puts the positive incentive (tied back to their bonus!) on the developer to do the right thing and aligns them your resources to help them with the task.
  2. Setup fun little games (spot-the-bug, etc.) or quizzes to “Test your Security IQ” with simple drawings to give out prizes for randomly chosen or most active participants of the game.
  3. Establish rewards and recognitions to showcase and exemplify positive security behavior by individuals.

Whenever possible, I highly discourage negative incentives for awareness. Granted they may be needed in certain situations but in the long term, they only add to the perception that security is an obstacle to business and not an enabler. The most common example of negative incentives I’ve seen others talk about beyond citing the fact that policy violation can lead to termination of employment is making examples of and showcasing individuals that we reprimanded for violating policy.

So this is our framework. It all boils down to making sure people are aware of security and going about their business securely, every time and all the time. Microsoft, like a lot of companies, is a culture of hard working and passionate individuals. Collectively they help define a crucial element of the overall organization security posture so we have to make sure they are all thinking about and acting secure, one individual at a time.

In my next post, I’m going to discuss some of our key learning: what’s working, what’s not working and what are some of the new tactics we’re looking to employ in Awareness.

-Todd