The last 10 years have seen waves of cyber-security awareness campaigns in the UK and elsewhere. To name but four, we have Get Safe Online, Take Five, Cyber Aware and Cyber Essentials. Yet all the evidence seems to suggest that individuals and organisations are still not as cyber-safe as they should be. In short, the awareness campaigns we have seen to date have not had the step change in behaviour we might have hoped for. A paper by Maria Bada, Angela Sasse and Jason Nurse, entitled ‘Cyber security campaigns: Why do they fail to change behaviour‘ explores the reasons for this.
In the paper they highlight the need to change behaviour and not just information and awareness. For this we need direct, relevant, actionable and simple advice. A campaign that is too impersonal or general will simply not work. Similarly, the use of threatening and intimidating messages is unlikely to work in a cyber-security context because it further erodes people’s sense of control over ‘new and mysterious’ threats. On a related note, we also need to avoid complicated and ambiguous advice that will add to ‘security fatigue’. The all too common picture of someone in a hoody is an interesting example of messaging that probably hinders rather than helps make cyber-security accessible.
The authors conclude: ‘ Based on our review on the literature and analysis of several successful and unsuccessful security-awareness campaigns, we suggest that the following factors can be extremely helpful at enhancing the effectiveness of current and future campaigns: (1) security awareness has to be professionally prepared and organised in order to work; (2) invoking fear in people is not an effective tactic, since it could scare people who can least afford to take risks; (3) security education has to be more than providing information to users – it needs to be targeted, actionable, doable and provide feedback; (4) once people are willing to change, training and continuous feedback is needed to sustain them through the change period; (5) emphasis is necessary on different cultural contexts and characteristics when creating cyber security awareness campaigns.’