Oftentimes, it’s tempting to introduce security awareness to your organization in very concise terms (in ways that don’t exactly get people excited).  It’s a symptom of wanting to formalize everything.  However, if the program is not introduced well, people will not internalize the information or willingly participate.

Telling a story, on the other hand, can be very powerful because of how our brains are wired to react to stories.

Let’s jump right into an example of using a narrative to sell a product. Then we’ll extend that to getting buy-in for a security awareness program.

Suppose you want to make people aware of a product that protects credit cards from being read by electronic scanners.  We’ll call this product Jammerz.

Scenario 1.

Never worry about being electronically pick-pocketed again!  Jammerz is a great new product that will protect your credit card data from being read while you’re out and about.  Here’s how it works:  Just place this small insert into your wallet.  Because it’s near your cards, it will jam any signals that can be read by criminals with electronic scanners.

…

A person reading this may think, “So what?”  By the time they get through the material, they may have forgotten why the product is needed in the first place.  So little time is spent on the problem. They don’t even know if the problem really exists for them.

Scenario 2.

Last month while traveling through an international airport, my credit card was stolen.  The problem?  I didn’t realize until I was part way through my trip.  You see, my credit card wasn’t physically stolen.  It was electronically hacked.  When the fraudulent charges began adding up, the bank locked my account, and I wasn’t able to use it for the rest of my trip.  After weeks of working with my credit card company’s fraud department, the fraudulent charges were finally removed.  They told me that my credit card data was most likely stolen at the airport, a common denominator in many credit card fraud cases.  And even though this happened at an airport, they say this kind of theft is on the rise everywhere.  It’s known as electronic pickpocketing.

That’s why I’ve chosen to use Jammerz.  The insert protects my credit card data by jamming signals from electronic scanners. I’ll never have to go through the trouble of clearing my credit again and gives it me peace of mind, whether I’m traveling or at the mall.

Which one makes you want to buy this product more?  If you travel, you’re more likely to consider it because you can relate, but it also plants the seed for those who don’t travel.

Let’s apply this same experiment to a security awareness and training program that you want to roll out in the fall.

Scenario 1.

We are introducing a security awareness and training program this fall due to the rise of cyber attacks.  This is a mandatory program because our organization is a target for cyber criminals.  Our faculty and student data is highly desirable for criminals because they can use it in identity theft, medical claims, and other scams.  We need everyone to take this awareness and training program to satisfy our new cyber insurance policy and to reduce liability in the event of a data breach.

vs.

Scenario 2.

This past Spring, a neighboring school district fell victim to a data breach.  Their employee records were stolen, which resulted in the school district purchasing credit monitoring for each employee.  It caused a great deal of anxiety for staff members with at least one case of reported identity theft.

We want you to know that here at ACME school district, we are taking every measure available to protect our employees’ information.  But as with our neighbor, technology solutions aren’t always enough.  Their data breach was triggered by an employee who fell for an e-mail phishing scam.  Criminals are getting really good at crafting e-mails that look legitimate.

Because of incidents like our neighbors’ (and many others across the country), we are introducing an awareness program to help each and every one of you avoid common pitfalls that could open the door for a cyber attack.  We recognize this is new information for most of you, and you may be concerned about how to find the time to accomplish this new training.

Here are some highlights of the program.

….

We’ve also posted a video on our school portal that will walk you through what to expect: <link>

Comparing the two approaches, which one makes you more inclined to focus your limited time and attention to the awareness program?

Notice the first one is more “stick” (from the carrot and stick theory) because of the word “mandatory.”  It’s also more “me” centric as it focuses on benefits to the organization versus to the individual.

Bottom line, scenario one sends the message: “This is good for us, who cares about you?”

Scenario two is lengthy, but it’s written with the employee in mind: “This is beneficial to you.  YOU can avoid having to worry about identity theft.  YOUR data could be at risk, not just the district’s.”

Use anecdotes to introduce security awareness to your users.  They can relate to these stories, internalize the information, and benefit so much more from the program.