Can cyber security have auras?
How can cyber security have an “aura”? It sounds like a meaningless question. But step back a little and think about how direct marketing works.
Commonly, people in direct marketing use a simple mnemonic to describe the steps they take consumers through when persuading them to buy: AURAL. I think this is relevant for cyber security.
AURAL stands for Awareness, Understanding, Relevance, Action, and Loyalty. In other words:
- You start by making people aware of your product
- You move on to helping them understand what it does – its benefits and features
- Then you persuade them that the product is relevant for their own needs, that it solves a particular problem they have
- Next you call them to the action you want them to take, which is generally putting their hand in their pocket and shelling out for whatever you are selling
- And finally you hope to generate some loyalty so that they will come back and buy again, and perhaps even recommend your product to their friends.
As I said, this process (which by the way doesn’t have to be linear) is pretty relevant for cyber security too. Except that “loyalty” isn’t really appropriate. But rather than simply getting rid of the “L” I am going to change it to an S: AURAS. The final S stands for Socialise. You will see what I mean in a moment.
So what do I mean by “AURAS”?
As with direct marketing, in cyber security we need Awareness. This is aimed at keeping cyber threats, and the need for cyber security, at the front of everyone’s minds.
You might create awareness with posters (remember to move them around and change their message so that people don’t become blind to them), emails (personalised messages can be highly effective), messages when people start their computers up or start to do certain things (again remember to change them), even things like mugs and mouse mats which can be given to reward cyber safe behaviour.
It isn’t enough to be aware of a threat though. People also need Understanding about what they can do. For instance, if you have a policy of insisting on complex passwords that are changed every month then you need to give people the tools to do this – otherwise they are likely to write their passwords down on sticky notes and put them on their monitors, hardly the cyber safe behaviour you want to encourage. (There is a hint about complex passwords at the end of this post.) This is where training comes in: helping people understand how they need to behave to keep safe.
You also need to ensure that people feel the training they have had has real Relevance to their own lives. Not everyone lives to work. Most people regard work as a way of getting the things they want in life. Of course their job is important – so stressing that unsafe behaviour could damage their employer, and hence their own job, is one tactic.
A stronger tactic though (and one that might even generate a bit of gratitude) is to show them how being cyber safe can help them outside their work life – protecting their identity, their bank accounts, their children’s physical safety.
Now you need to call them to Action. This involves communication at the moment they are doing something. For instance, BAE’s email security service has a very handy feature: if a user is tempted to click on a link in an email (generally accepted as unsafe behaviour unless you are certain who the email is from) they can be served a CAPTCHA image which makes them stop and think about what they are doing before they click on the link.
(I haven’t seen these images: it would be nice to think that instead of a standard CAPTCHA image such as a random set of numbers they contain a little message like “Are you sure?” or “Links can hurt”.)
And finally you need to Socialise cyber safe behaviour into the organisation. The aim will be to make unsafe behaviour socially unacceptable – just as drink driving, not showering after a lunchtime run, or eating fish soup at your desk are all pretty unacceptable.
One of the most powerful way of socialising behaviour is telling people that the majority of their fellows act in the way you are hoping to persuade them to act.This doesn’t have to be complicated. For instance Northern Illinois University halved the amount of binge drinking by students simply by promoting the message “Most students drink in moderation.” People follow the crowd.
AURAS: it’s a great way of thinking about the different things you need to do to change the way people think about cyber security and to change the way they behave.
An easy way to complex passwords
Now I did say I would give you a tip about remembering complex passwords that change every month. It’s easy. You need two things: a memorable phrase; and a date “protocol” (I’ll explain).
Let’s say your IT people have demanded a password of at least 12 characters that includes at least one of each of the following: upper case letter, lower case letter, number and symbol. They also want you to change it every month.
First of all, the phrase. This isn’t the same as a “pass phrase” where people use several words as a passwords: there is some evidence that this isn’t very secure.
You need to think of a phrase such as: I love my job at Acme Widgets, Dorking! Take the first letter of each word and the symbols and you get: 1lmj@AW,D! (the word “at” is useful as it turns nicely into a symbol and the “I” is useful as you can turn it into a number 1).
Now think about a date “protocol”. A really simple one might be to use the first of the month. It’s October 2015 so that makes: 01 10 15. Just for a bit of fun I am going to put the first thee numbers at the start and the last three numbers at the end. So my password this month is: 0111lmj@AW,D!015. Easy to remember and I can change it every month.
Keep cyber safe!