Security leads should learn from the marketing department to make sure their awareness programs have impact, according to ISACA.
The IT industry association has released a whitepaper with Infosec that provides tips on driving effective security awareness efforts using techniques inspired by marketing principles.
The whitepaper notes that a number of issues hinder security awareness, including a lack of time and resources to implement adequate training programs. However, awareness campaigns may also be falling down due to basic marketing errors, such as a lack of effective messaging; a lack of engagement and a failure to communicate the importance of awareness; and poor campaign design, which may be inapplicable or mistargeted, causing the audience to stop listening.
ISACA said that these shortcomings can be addressed with proven marketing techniques, such as creating content that is targeted to a specific outcome; presenting information in a structured fashion, breaking it down into a series of engaging messages that progress users along a journey to better awareness; and creating content where engagement can be measured, such as putting it online so it is possible to track when it is accessed or shared.
In addition to that, the whitepaper says that organisations should look at more advanced marketing techniques.
These include using the ‘sales funnel’ model to describe each step of the journey for a person learning about security best practices, and to track where there might be weak points in the process of education.
Organisations can also create customer personas, which characterise and segment different users within the organisation in order to create targeted and tailored content to best reach them. They should also use ‘purchase intention’ research, which in marketing is used to measure how likely a consumer is to buy a particular product within a given time period. This helps the marketing team understand any roadblocks and create tailored marketing collateral to address each group of personas at each stage of the process.
Purchase intention can be adapted for security awareness by measuring users' anticipated behaviours in response to hypothetical security-relevant situations. Enterprises can present a scenario to users and ask them how they would respond. The users' responses give the enterprise an understanding of the effectiveness of campaigns that it has launched.
These techniques can help security professionals to improve the impact of security awareness training, but the whitepaper also stresses the importance of ongoing management of any awareness campaign, and of tracking the results.
The whitepaper can be downloaded here.