Cybersecurity awareness is a journey to embed secure behaviors in people's daily lives
To do so, you need to build a strong cyberawareness program that focuses on your key cybersecurity themes, engages your people and respects their uniqueness, with practical, positive actions and diverse activities. In other words, a program that meets your ambitions and aims for:
- An effective behavioral change
- The development of a security culture in your organization
We developed our TAMAM framework to formalize our strong beliefs about how best to build a cyberawareness program.
TARGET: set concrete and measurable objectives
AUDIENCE: adapt the approach according to the people concerned
MESSAGE: choose a concise, positive message that calls for action
ACTIONS: set up effective, concrete and varied actions
MEASURES: evaluate the program's impact on behavior
This article explains the principles, the stakes and the role that TAMAM has to play to support you!
But first, some context on cybersecurity awareness.
Why do they keep clicking on these phishing emails?!
- Our journey in cybersecurity awareness started more than 15 years ago, and things looked quite different back then. It was the time of the first awareness programs, led by newly appointed cybersecurity managers with few means and one key objective: tell people what they must do to protect the information systems. Nothing more, nothing less. It was the time of the Top 10 best practices, the Do's and Don'ts, the mass training sessions, etc.
- Once delivered, these messages were considered common knowledge, applied by everyone; and just like that, awareness dropped off the cybersecurity managers' list of priorities. It was the rough time of insufficient means and budget cuts.
- Then came the rising number of cyberattacks and the GDPR. With new risks came a new appetite for awareness and education of users. Cybersecurity awareness was back on the agenda, yet with variable means and interest. Over the years it remained one of the cybersecurity topics, but with great variability between organizations when it came to effectiveness and efficiency.
- And here we are now, at the beginning of 2023, and the same questions remain: "I've tried everything but there are still some people who do not perceive the risks. What can I do?"; "I need to keep my people interested in the topic, what new things can you propose?". Basically, what we notice is a lack of attention to the effectiveness of the program: programs seem to have reached a glass ceiling. Efforts were made, investments were made, but little change happened. That caught our attention and led us to discussions and research, until we reached the conclusion: efforts and investments are in vain if they do not aim at effectively changing behaviors and ultimately establishing a culture of cybersecurity. But how do you do that? That is the focus of this article.
Are you getting everyone on board with cybersecurity?
Based on these observations of the past years of cyberawareness, we developed a framework to build an effective cybersecurity awareness program. We wanted this model to be customizable so that it could be applied to every organization regardless of its size, maturity, budget, or current culture. Not a one-size-fits-all, but a backbone to be adapted to every organization.
Just like with everything, you have to start with the “why”. This serves to define the objectives: a target to reach, a vision of where to go and a path to reach that place.
These objectives must target your priority battles, i.e., the change you want to see in your organization: precise behaviors that you expect from your people. They are not just good intentions (like "raising awareness among my employees") but precise behaviors that you want to see every day. For instance, if phishing is one of your primary concerns, and it surely is, the objective becomes: "How do I get my employees to report phishing attempts and incidents?" This way you see both your target and the way to reach it.
Precise objectives also enable measurable results. When you define them, you also define the KPIs and metrics that you will use to assess their success. For the phishing example above, that measure is the share of suspicious emails (simulated or real) that employees actually report, and how quickly, rather than the number of people who attended a training. As a rule of thumb: if you are unable to find a measure for your objective, it is more of an illusion than an achievable goal.
Finally, you share these objectives with your employees. Isn't it only fair to tell your people from the beginning what you expect from them? This way, you make them actively engaged in the change of behavior that you expect from them. By giving them the rules of the game, you enable them to play by these rules and to win the game with you, because cybersecurity is a collective win.
This first step is largely overlooked, and few organizations take the necessary time to reflect on their true target when it comes to cyberawareness. However, it is the essential starting point of our journey. Just like with any journey: we can only reach a friend's house if we know their address.
And who exactly do you want to reach? That is your audience, your population, your people who need awareness, training and education. A clear identification of these specific audiences will help you define an approach that is meant to reach them. To know their needs, start by grouping people into clusters, mostly based on their position in the organization, their closeness to the topic, their exposure to the risks you want to prevent, the roles they play, etc. Such clusters could be newcomers, external staff, local ambassadors, IT staff, etc.
For each of these populations, you will want to assess their current level of mastery of the different targets defined. That is basically a skills gap analysis, to know which topics require more attention for each population. This information is essential to tailor the program to the needs of these populations (because you understand what they do day to day) and to their current level of mastery (which you have assessed precisely).
Off we go now with the messages you want to communicate to these people to reach these objectives; the moment where you find the catchy phrase that will be repeated often. The people you will be communicating with also receive numerous other communications for numerous other causes (CSR, compliance, values, etc.). Hence the importance of selecting your messages wisely and staying concise. The time and attention available are limited, which is why you will prefer to select a few messages that address key risks and meaningful objectives.
Finally, the tone used to communicate these messages is crucial, as it must be adapted to the organizational culture: funny messages work in some environments while serious ones work better in others. Regardless of the tone used, the messages need to be positive and call for action. Drop the negative injunctions ("don't") and embrace positive actions ("act").
With these first three steps in mind (Target, Audience and Message), you build the framing of your cyberawareness program: you know what you want to say, to whom, in order to obtain the expected behaviors.
Now that you have tailored your messages for your specific audiences to reach the defined objectives, the time has come to identify the actions you will implement within this framing. Although you now open the catalogue of actions, you must stay focused and pragmatic. The principle is to think about the effectiveness of each chosen action on your journey to reach your objectives. Creativity and innovation are surely important to keep people motivated, but they are not the sole success factor. You want to make cybersecurity practical for people, to bring the topic closer to their life and to involve them in their learning (e.g., practical activities, application of the expected behavior, etc.) on top of a more theoretical top-down approach.
The way you implement these activities is also an essential success factor, with the right resources, people and planning to enforce the selected messages:
- Who is the bearer of these messages? Internal or external?
- How to repeat them in different ways (as different people respond to different stimuli: practical, visual, spoken, etc.)?
- From what angles and with what activities should these issues be addressed in order to raise awareness among employees in the most appropriate way?
With few selected messages, you build different activities, at different moments, with different approaches, to embed these behaviors in your audiences’ daily lives.
Finally, this whole program needs to be evaluated to determine whether it actually changes behaviors: for management, which will ask to see the value delivered for its investment, and for the awareness team, which will want to show tangible results from its efforts.
In your quest to raise awareness, you must focus on the effectiveness of what you implement, beyond the implementation itself. All too frequently, organizations focus on the number of activities run or people reached. But these figures seldom give a real understanding of the change in behaviors that is (or is not) happening.
When building your evaluation plan, you need to include quantitative measures and qualitative feedback to obtain a comprehensive understanding of the achievement of your objectives. Perhaps this will require new ways to gather this information (like getting the helpdesk involved to count the phishing reports it receives, or obtaining fresh data from the SOC on the real incidents employees reported), but the outcome will bring terrific value to your program, as it will allow you to review it and keep it continuously adapted to your objectives; these can themselves be adapted if the organizational context changes.
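To make the difference between activity counts and behavioral measures concrete, here is an added example (not code from the article or from the TAMAM framework) that computes, per audience cluster and per phishing-simulation wave, the metrics that actually reflect behavior: click rate, report rate, the share of reports made without clicking first, and the median time to report. It also checks each cluster against a measurable target of the kind the Target step asks for. The event records are constructed sample data, and the cluster names, metric names and 70% target are assumptions for illustration.

```python
"""Behavioural KPIs for a cyberawareness programme.

Added example, not code from the original article: it computes, per audience
cluster and per phishing-simulation wave, the metrics that reflect behaviour
change (click rate, report rate, share of reports made without clicking,
median minutes to report) and flags clusters that miss a measurable target.
The event records are constructed sample data; the cluster names, the metric
names and the target value are assumptions for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: one record per targeted user per simulation wave.
# Fields: cluster, wave, clicked the link?, reported the mail?, minutes to report
EVENTS = [
    # newcomers, wave 1: 3 clicks (one reported afterwards), 1 clean report
    ("newcomers", 1, True, False, None),
    ("newcomers", 1, True, False, None),
    ("newcomers", 1, True, True, 30),
    ("newcomers", 1, False, True, 5),
    ("newcomers", 1, False, False, None),
    # newcomers, wave 2: 1 click, 3 clean reports, faster reporting
    ("newcomers", 2, True, False, None),
    ("newcomers", 2, False, True, 4),
    ("newcomers", 2, False, True, 8),
    ("newcomers", 2, False, True, 12),
    ("newcomers", 2, False, False, None),
    # it_staff, wave 1: no clicks, 3 clean reports
    ("it_staff", 1, False, True, 2),
    ("it_staff", 1, False, True, 3),
    ("it_staff", 1, False, True, 7),
    ("it_staff", 1, False, False, None),
    # it_staff, wave 2: 1 click reported late, 2 clean reports
    ("it_staff", 2, True, True, 20),
    ("it_staff", 2, False, True, 2),
    ("it_staff", 2, False, True, 4),
    ("it_staff", 2, False, False, None),
]


def behaviour_kpis(events):
    """Group events by (cluster, wave) and compute behaviour metrics.

    Unlike an activity count ("120 people trained"), every metric here is
    derived from what people actually did when faced with a phishing mail.
    """
    groups = defaultdict(list)
    for cluster, wave, clicked, reported, minutes in events:
        groups[(cluster, wave)].append((clicked, reported, minutes))

    kpis = {}
    for key, rows in sorted(groups.items()):
        n = len(rows)
        clicks = sum(1 for clicked, _, _ in rows if clicked)
        reports = sum(1 for _, reported, _ in rows if reported)
        # Reports made without clicking first: the behaviour you want to grow.
        clean_reports = sum(1 for clicked, reported, _ in rows if reported and not clicked)
        report_times = [m for _, reported, m in rows if reported and m is not None]
        kpis[key] = {
            "targeted": n,
            "click_rate": round(clicks / n, 3),
            "report_rate": round(reports / n, 3),
            "report_before_click": round(clean_reports / reports, 3) if reports else 0.0,
            "median_minutes_to_report": median(report_times) if report_times else None,
        }
    return kpis


def trend(kpis, cluster, metric):
    """Values of one metric for one cluster in wave order, to show movement
    between waves rather than a single snapshot."""
    return [v[metric] for (c, _), v in sorted(kpis.items()) if c == cluster]


def clusters_below_target(kpis, metric, target):
    """Clusters whose latest wave is below the measurable objective
    (e.g. 'at least 70% of simulated phishing mails are reported')."""
    latest = {}
    for (cluster, wave), values in kpis.items():
        if cluster not in latest or wave > latest[cluster][0]:
            latest[cluster] = (wave, values[metric])
    return sorted(c for c, (_, value) in latest.items() if value < target)


if __name__ == "__main__":
    table = behaviour_kpis(EVENTS)
    for (cluster, wave), values in table.items():
        print(cluster, wave, values)
    print("newcomers click trend:", trend(table, "newcomers", "click_rate"))
    print("below 70% report rate:", clusters_below_target(table, "report_rate", 0.7))
```

With this sample the newcomers' click rate falls from 60% to 20% between waves while their report rate rises, which is the kind of movement a simple "two sessions delivered" figure never shows; the same functions work unchanged on real helpdesk or SOC exports once they are mapped to the five fields above.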
Oh, and don’t forget one last thing if you want to create a positive trend in awareness: communicate your achievements and celebrate the victories with everyone. You deserve it.
Take the first letter of these 5 principles and you obtain TAMAM. It is no coincidence that the word translates into "all right" in Turkish; this is what you want from your people: adherence to your objectives and agreement to join your journey towards more secure behaviors.
Where to start?
Now that you have a better understanding of the iterative journey to build a strong awareness program, you may well find yourself asking: where do I stand, and how do I move towards what has just been described?
A first action is probably to take a step back and look at your current maturity level in cyberawareness. You will need a clear and honest understanding of how your organization addresses this topic in order to define a path towards greater maturity.
The power of TAMAM resides notably in its ability to be used regardless of your maturity level, because its principles are adaptable and hold true in different situations.
Wrap up | Do you TAMAM?
When you TAMAM, you:
- Visualize a clear and precise target – behaviors – that you want to reach
- Tailor your approach around the need of your specific clusters of people
- Define the few messages you want to communicate to your audience on these objectives
- Select the best manner to communicate your messages with activities that focus on effectiveness
- Monitor and assess this effectiveness to adapt your approach and fine-tune your whole program
This article is only a glimpse of what TAMAM can bring to your cyberawareness program. Contact us for a full understanding of how our framework can help you step up your awareness!