You’re Not Teaching IT Security
When I talk to IT directors, they often say they’re not sure how to teach security. This task is made easier, I think, if we stop framing it as “teaching IT security.” Instead, think of how to help your users continue to do what they do best or care most about.
Most of your users don’t wake up in the morning and think about security.
“They think security is your job and that you’ve got it all handled.”
Consider technology: It’s not an end goal, is it? It’s a means to accomplishing an objective. It’s a tool intended to make tasks faster, more efficient, or higher quality.
Here are some things that technology helps me accomplish:
- Communicate with colleagues on a daily basis through e-mail or messaging apps.
- Reach more users by teaching through an online portal.
- Consume information from other infosec professionals while I’m on the go.
- Stay informed of friends’ activities through a social network.
- Share pictures of my kids with distant family.
In each of these, there is a benefit to me as the individual. What does technology help you achieve (faster, more efficiently, with better quality)?
To engage users effectively with security awareness, you have to understand what it is they care most about. The simplest way to do this is to ask. If your users are teachers, perhaps they care most about educating their students in an autonomous manner. Don’t assume you know what they care about; you really do need to ask. Conduct an organization-wide survey or meet with a smaller focus group of non-technical staff from various departments.
“Once you have gathered what it is that they care most about at work and how technology helps (or hinders) them, you’ve arrived at the starting point of the security conversation.”
For teachers, connect their deep desire to educate students to the tools they use to educate students. If the internet goes down in their classroom, is their ability to complete a lesson affected? What if they can’t access their gradebook because of a forgotten password? What if ransomware makes all of their lesson plans inaccessible? When problems are introduced, people pay attention. In fact, most will do what they can to avoid them.
“Connect what they care about to potential problems. Then, offer a solution.”
Once you have their attention, relate these problems to online threats. Explain how some basic knowledge (that you can teach them!) will help avoid these difficulties. All of a sudden, your people are engaged and much more willing to listen.
“I want to save you from cyber criminals” is not as motivating as “You care about X. I want to make sure you never lose access to X”. Why? Because most people think “bad things” can’t happen to them online. That’s why starting the conversation with statistics and current cyber threats isn’t very powerful, unless it relates to tasks they perform regularly or care deeply about. Remember, use their feedback (and even their words) to frame the problem and offer the solution.
Consider this scenario for a group of educators:
Last week, two teachers in our school district lost all important files (lesson plans, activities, worksheets, letters, templates, etc.) saved to their laptops. This was a result of ransomware, a prevalent type of malicious software that locks computer files. Here at such-and-such school district, we do our best to secure the network and computers, but cyber criminals are getting smarter and are able to evade some of the best security solutions. These teachers are forced to recreate years of hard work because their files were not saved on the network.
Think for a moment about your important files. If you haven’t already saved essential files to your home drive on the network, take some time today to do so. Files saved on the network are accessible to you offline, and we are able to restore your files in the event that YOUR device gets infected with ransomware.
<screenshot of saving to their drive on the network>
If you need extra help with saving essential files to your network drive, contact us at <contact>.
We don’t want you to spend the time and experience the frustration of recreating your work. We know your time is far better spent in the classroom with your students.
We’ll have more details on how to avoid getting ransomware in the future.
Did you notice the majority of problems addressed above centered around the user? Here are the problem statements again, along with potential thoughts from your audience:
- Two teachers lost all important files (lesson plans, activities, worksheets, letters, templates, etc.) last week.
  - That’s terrible! How did this happen?
- Criminals are able to evade some of the best security solutions.
  - Really? I thought we had a secure network. I didn’t realize nothing is 100% secure.
- These teachers are forced to recreate years of hard work because their files were not saved on the network.
  - How many years’ work would I have to recreate? Is my stuff on the network?
- We don’t want you to spend the time and experience the frustration of recreating your work. We know your time is far better spent in the classroom with your students.
  - Isn’t that the truth!
Now, let’s examine the solution statements with possible thoughts from your audience.
- …we are able to restore your files in the event that YOUR device gets infected with ransomware.
  - Phew, there is a way to save all of my work.
- Files saved on the network are accessible to you offline…
  - Good, I was wondering if I would still have access from home.
- We’ll have more details on how to avoid ransomware.
  - There’s more information coming to help me, but in the meantime I can save files where they can be restored to me.
This example was a teaching moment, but it also can be used to introduce a formal security awareness program. In a future post, we’ll dive into how to use stories when introducing users to a security awareness program.