FISSEA Contest 2018 - Motivational Item Winner
Winner - Best Security Awareness Motivational Item
Huzzah! FISSEA awarded Native Intelligence, Inc. the Best Security Awareness Motivational Item at the 31st Annual FISSEA Conference, held at NIST in Gaithersburg, MD on March 14, 2018.
Our entry, Security Rounds and Stops, was chosen by independent judges from government, industry, and academia. Gretchen Morris, a NASA contractor and former Security Educator of the Year, awarded the framed certificate (unframed scan above).
Native Intelligence received feedback on the design of these motivational items from Amira Armond of Kieri Solutions, LLC; G. Mark Hardy of National Security Corporation; Niomi Rosenberg of Nomi Designs, LLC; and Bryan Walthall.
The judges had a difficult decision with five motivational item entries, including a beautifully designed challenge coin in the shape of an arrow submitted by the talented folks at the Indian Health Service.
Another highlight of the first day of the conference was the talk by Sarah Moffat, the Lead for Education and Professional Development of HHS, whose topic was: "Why Cybersecurity Awareness Training is Insane."
A key point of her presentation was that if we aren't getting results from security awareness training, doing the same thing again is unlikely to improve the situation. She shared a quote that defines insanity: "Insanity: doing the same thing over and over again and expecting different results."
Sarah explained that we are "wired" for story - from way back in humanity's history. Stories are what people remember far more than facts or "do and don't" lists. She demonstrated this by first sharing a common security instruction about protecting data (I've already forgotten which one) and then telling a dramatic story about how a data breach put a patient's life at risk. The story involved a lady who was in a bad car accident. At the hospital she nearly received the wrong blood type (a potentially deadly mistake) because she had previously been the victim of medical identity theft and this had resulted in a change to her blood type in her medical records.
As Sarah told the story, the audience was with her. We hung on her words and gasped as one at all the right times. It was like our bodies and brains were in sync with Sarah. (We didn't have a functional MRI handy, so that's just a hunch, but it's a hunch based on a study published in the Proceedings of the National Academy of Sciences that showed that audience and storyteller brains can sync up during storytelling.)
Sarah's points are true in my personal experience as well. The most successful security awareness presentation I've given is called Tales from The Cryptolocker. It's 13 stories (26 slides), two slides for each story: the first slide is a compelling image to get the audience to sit up and wonder what's coming while I share the details of a breach or incident. The follow-up slide shows tips for how to prevent the same thing from happening to you. Even audiences of hardcore technical staff love this presentation and join in with their own stories.
What Didn't Get Addressed
What I wish Sarah had covered (her presentation was only 30 minutes, but I could have listened to her much longer) is how to deal with management who have the final say in awareness materials content. Too often, we've put together compelling story-based content that grabs learners, content that our client's front-line security staff love. Then, at the last minute, management decides to cut the stories and add information about security laws or regulations. Ugh!!! Worse, they also tell us to remove the personal references that make the content real and relatable to the audience. We end up removing topics like how to protect your personal devices and data, how to keep your family safe online, and more. Yet keeping that content is good sense and good value. Studies show that computer behaviors transfer from home to work, not the other way around. When client management instructs us to remove the stories and personal references from awareness and training materials because they're not strictly work-related, we end up with a less effective course.
I've joked that I should write a security awareness book called, "Help! My Boss Wants Me To...." Each chapter would list one of the things that we are often told to do by management that will make our training less effective and then list the studies, examples, and other evidence showing why such a decision is not good for the learners. There would be chapters on stories, use of formal versus informal language, personal relevance outside of work, use of graphics, edutainment, scenarios, use of humor, music, and more.
Back to Sarah's talk. It was wonderful and resonated with the audience. May it always be so.