6 strategies to talk security so users will actually listen

Getting users to follow good security practices is a real challenge. But if you understand why the message may not be getting across, you can change your approach and get real results, according to one expert. 

Kerry Matre, Sr. Manager, Enterprise Security, Hewlett Packard Enterprise, recently laid out an approach that works in a talk at the RSA Conference. One key is to put yourself in the typical user’s shoes.

“We are not like everyone else. We work in security, we attend security conferences, we live and breathe this every day. We know how the bad guys are attacking us. We’re paranoid, either by nature or because the job has made us that way,” explained Matre.

On the other hand, users “don’t have that paranoia gene we have,” she said.

6 keys

Using the example of a roofing company that asked for advice on getting users to pay attention to security, Matre outlined some principles that get users to think more seriously about security.

The company had seen one of its rivals suffer a devastating breach, and it wanted to avoid being the next victim. Here’s what Matre recommended:

  1. Change the way you talk about security. Instead of talking about breaches in terms of the millions of IDs stolen or the billions of dollars lost to attackers, start smaller. Focus on human stories, like a grandmother who paid a ransomware demand in order to avoid losing all her recipes.
  2. Don’t preach, educate. Users may not understand who attackers are and why they’re doing what they do. Explain to them the connection between the information they hold and the motivation of the attackers so users can envision their counterparts. “Everyone loves crime dramas,” Matre explained.
  3. Make it personal. Tell users why their information is vulnerable, not why information itself is. For instance, users may not think about how their car can be hacked or why their medical records are worth protecting.
  4. Gather statistics. If you want to see what’s working and what isn’t, you’ll need to track users’ progress. That means getting a baseline of their security level and seeing how training and re-training affect it over time. (For instance, the company Matre worked with saw a ten-fold increase in communication with IT after she trained them on security.)
  5. Share success stories. Let users know when one of their co-workers has a security success. If someone passes along a phishing attempt they discovered, share that with the group and congratulate the user who brought it to IT’s attention.
  6. Deputize employees. Once your team knows how to recognize threats and attacks, make it known they’re partners with IT in discovering them. Make sure employees know you rely on them for help as much as they can rely on you.

Realistic expectations

Of course, no one bats a thousand. Even in this mostly successful story, Matre observed that an employee made a critical security error after the talk and introduced a virus into the company’s systems.

The important thing: Use any setbacks as learning opportunities. The only thing worse than suffering a breach is suffering a breach and not having users come out of it with a better idea of how to prevent the next one.
