Changing Security Behaviors: How Marketing Savvy Can Break Patterns

Data-hacking hound dogs beware. EMC recently got a little help from Elvis in battling cyber criminals.

The “King” was at the center of an integrated marketing campaign our Global Security Operations ran this spring to encourage IT users to avoid clicking on suspicious email links that could lead to phishing attacks on our company’s data.

The several-week advertising effort featured a videotaped parody of the Elvis Presley song “Suspicious Minds,” in which ITers acted out why users shouldn’t click on “Suspicious Links.” It also featured a security awareness contest.

The campaign resulted in more than double the number of users reporting phishing attempts via suspicious emails. It also substantially increased the number of users going to our security awareness site, which we call FirstLine in recognition of the fact that the actions of IT users are the first line of defense against cyber-attacks.

Advertising secure behavior

“Advertising” campaigns aren’t usually something security operations do, and it was certainly a first for us. It stemmed from an evolving realization that the security awareness efforts our organization, and many colleagues and partners, have been using aren’t as successful as we initially thought. And, when you think about it, there is probably good reason for that.

A lot of people tend to get irritated by the barrage of security awareness information. We’ve come to learn that people tend to have a budget of time they will dedicate to security activities. Once you overstay your welcome, people are more likely to reject your thoughts and ideas than to embrace them. It’s like anything else: you listen to somebody’s point of view, and eventually it just gets monotonous and boring. And when it comes to security awareness, it’s hard to say what being security aware really is.

A lot of times we focus on password strength and whether you lock your laptop in the trunk of your car or take it with you into the store. These are the things that, while I’ll not underplay their importance, are very irritating to people. So we’ve been taking a long hard look at our security awareness training.

I think I’ve said in my previous blogs that user behavior is really the key, because users are out front in our security defenses. But does talking about password strength and whether your laptop should be in your trunk or in your hand really, at the end of the day, promote good security behavior?

We began to think about how to better influence our users and about who the masters of behavior modification are, so to speak. And it occurred to me that that’s what “advertising” does. Marketing campaigns are very focused on creating or changing attitudes, which will ultimately affect behavior, in an appealing way.

Take one of the greatest brands in the world, Coca Cola. The messages in their advertisements are really quite simple. They’re not trying to tell you all the ins and outs of Coca Cola and the wonders of it. They’re pretty much focused on creating some very simple messages.

Being security people and IT people, when we finally get a mechanism to get the attention of our users, we tend to fill it full of bits and bytes and numbers and information and sometimes the message gets lost.

We decided to try a simpler, marketing approach to our message this time. We used the Elvis song parody to drive two simple behaviors: don’t click on suspicious links and when you get an email that has a suspicious link report it to the right people. That was it.

We chose Elvis because phishing is based on impersonating someone else, and Elvis is probably the most impersonated person on the planet.

Measurable results

When you wrap this “advertising” strategy around a brand promoting simple behaviors, you get some other advantages as well. If you know what behaviors you are seeking to modify, you can actually measure them and judge the success of your campaign just as you would with a marketing campaign.

As I’ve said, we got good results on avoiding suspicious links and increasing phishing reports. That’s significant when you think about the fact that 95 percent of data security breaches are still initiated by phishing campaigns, that it takes an IT organization an hour to detect and react to a phishing threat, and that most accounts are compromised within an hour of clicking on a phishing link.

We found that having a contest along with the Elvis theme was effective. We got an 11 percent participation rate based on contest page views. For those of you not familiar with marketing campaigns, this is an outstanding participation rate for this type of program.
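The post reports its results as a ratio (more than double the phishing reports) and a participation percentage (contest entries against page views). As an added example, not EMC’s own code or data, here is a small Python script that computes those two campaign metrics from a constructed export of a phishing-report mailbox: reports per week in a baseline window versus the campaign window, the lift between them, how many distinct people reported, and the contest participation rate. The column layout, the window lengths, the campaign start date and every number in the sample are assumptions made for the example.

```python
from datetime import date, datetime, timedelta

# Constructed sample export from a "report phishing" mailbox (not real EMC data).
# One report per line: ISO-8601 timestamp of the report, reporting user id.
SAMPLE_REPORTS = """\
# baseline period (4 weeks before the campaign)
2014-04-04T09:12:00,u017
2014-04-09T14:03:00,u042
2014-04-15T08:50:00,u017
2014-04-18T16:21:00,u103
2014-04-24T11:05:00,u042
2014-04-29T10:40:00,u221
# campaign period (4 weeks from the campaign start)
2014-05-01T09:30:00,u017
2014-05-02T10:15:00,u310
2014-05-05T13:45:00,u042
2014-05-06T09:02:00,u455
2014-05-08T15:20:00,u103
2014-05-09T11:11:00,u512
2014-05-13T08:44:00,u017
2014-05-14T12:30:00,u601
2014-05-16T16:05:00,u221
2014-05-19T09:55:00,u455
2014-05-21T14:40:00,u733
2014-05-23T10:05:00,u042
2014-05-27T11:25:00,u812
2014-05-28T13:10:00,u310
# after the campaign window; must be ignored by the comparison
2014-06-02T09:00:00,u017
"""

# Assumed campaign start date for the example.
CAMPAIGN_START = date(2014, 5, 1)


def parse_reports(text):
    """Return a list of (report_date, user_id) tuples, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user = line.split(",", 1)
        rows.append((datetime.fromisoformat(ts).date(), user.strip()))
    return rows


def weekly_rate(rows, start, end):
    """Reports per week and distinct reporters within the half-open window [start, end)."""
    in_window = [(d, u) for d, u in rows if start <= d < end]
    weeks = (end - start).days / 7
    return len(in_window) / weeks, len({u for _, u in in_window})


def campaign_lift(rows, campaign_start, baseline_weeks=4, campaign_weeks=4):
    """Compare the reporting rate before the campaign with the rate during it."""
    baseline_start = campaign_start - timedelta(weeks=baseline_weeks)
    campaign_end = campaign_start + timedelta(weeks=campaign_weeks)
    base_rate, base_users = weekly_rate(rows, baseline_start, campaign_start)
    camp_rate, camp_users = weekly_rate(rows, campaign_start, campaign_end)
    return {
        "baseline_per_week": base_rate,
        "campaign_per_week": camp_rate,
        # Guard against a baseline with zero reports.
        "lift": camp_rate / base_rate if base_rate else float("inf"),
        "baseline_reporters": base_users,
        "campaign_reporters": camp_users,
    }


def participation_rate(page_views, entries):
    """Contest entries as a fraction of contest page views (0.0 when there were no views)."""
    return entries / page_views if page_views else 0.0


if __name__ == "__main__":
    reports = parse_reports(SAMPLE_REPORTS)
    for key, value in campaign_lift(reports, CAMPAIGN_START).items():
        print(f"{key}: {value}")
    # Constructed contest numbers: 2000 page views, 220 entries.
    print(f"participation_rate: {participation_rate(2000, 220):.2%}")
```

Counting distinct reporters alongside raw report volume matters: a handful of enthusiastic users filing many reports would double the count without the broader behavior change the campaign is after, and the half-open windows keep the post-campaign tail out of the comparison.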

This, along with the increase in traffic to our website, shows that sometimes we need to step back from the traditional security mindset and consider more innovative ways for security to be successful. We absolutely value our strong technical security people but, when it comes down to it, security is also about creating influence and getting people who you don’t have formal authority over to do the right things.

It also comes down to the ever broader realization that security professionals need to think like business people. Yes, we need technology, but we also need to think about creating a strong case to influence our customers. And we need to make sure that we understand the impact of what we do on the organization beyond our marketing campaign as well. What is the impact of the controls we’re putting out there?

Dr. Angela Sasse of University College London published a paper that made an impact on me, called “Users Are Not the Enemy.” The genesis of that paper is what sparked my thoughts that it’s not about security vs. the users; it’s about being able to view security through the lens of the user. Follow-up research also suggested that users have a particular time and volume budget for tolerating security information. When we treat end users like the enemy, they can rapidly become the enemy. Only by putting ourselves in their shoes can we understand what we’re trying to accomplish.

In the months ahead, EMC GSO will be doing more marketing campaigns focused on such issues as tailgating (following someone through a door meant to keep out intruders), piggybacking (when someone deliberately lets an unauthorized person accompany them into a restricted area), and vishing (where cyber criminals fish for security-compromising information over the phone). And I wouldn’t be surprised if Elvis shows up again to give us a hand.

About the Author: Doug Graham