Read the book Security Awareness For Dummies - Ira Winkler - Page 31

Differentiating between marketing and awareness


Marketing programs create a mental hook in getting people to understand desired actions, and they influence people to take those actions. “If you see something, say something” is a great example of a marketing campaign that produced some noticeable results. (See the previous sidebar, “If you see something, say something.”) Understand, however, that fundamental differences exist between the practical implementation of marketing programs and security awareness programs.

Here are three of the critical differences between marketing and awareness:

- Marketing addresses completely voluntary behaviors; awareness behaviors are an expected part of everyone’s job.

- Marketing success can be achieved by minimal increases in desired behaviors; awareness programs intend to inspire as much of the user population as possible to practice the behaviors.

- Marketing campaigns typically target specific segments of the population to change behaviors; awareness campaigns target as much of the user population as possible.

Marketing is a comprehensive effort to understand and convince a targeted audience to perform a specific action voluntarily. Consider the key points of the preceding sentence: targeted audience and perform a specific action voluntarily. Advertising campaigns target very specific audiences because they need to address messaging specific to the audience. Even individual soda (or pop, or soda pop, depending on your region) ad campaigns target specific demographics. Those ad campaigns then attempt to inspire people from those demographics to voluntarily buy soda. Though soft drink companies want everyone to buy their sodas, they know which age groups and demographics are the prime targets of their products. For good reason, Mountain Dew advertisements frequently feature extreme sports, for example, and advertisements for tonic water usually feature older actors.

You, on the other hand, are targeting your entire user base, which likely contains a multitude of demographics and job roles. Remember that the security practices you promote are must-do items and not should-do items. You’re not marketing a voluntary consumer purchase that they wouldn’t otherwise make. You’re ensuring that all users are aware of the expected behaviors that will keep your organization functioning properly while protecting the organization and its customers.

Even more important, your goal is to have your users practice those behaviors. Marketing campaigns can usually declare success when they have single-digit percentage increases in their audience’s practicing the desired behaviors. For example, if a pizza delivery service can persuade 5 percent more people to order pizza during a football game, that might mean a 100 percent increase in sales — and the pizza seller is delighted. On the other hand, if you persuade only 5 percent of users to secure their workspace, it’s better than nothing — but you still have a massive security vulnerability.

Even the campaign advocating “If you see something, say something” hopes that they can inspire a small percentage of people to become more aware in reporting security exposures, in the hope that prodding one person out of hundreds to report something might prevent a major incident. Awareness programs need to create behaviors that are consistent across the organization. Again, though some aspects of marketing and advertising have applicability, such as understanding the best ways to communicate with your audience, you need to understand that, unlike in traditional marketing campaigns, you’re addressing multiple audiences, with a message that should not be treated as trivially as choosing Pepsi over Coke.

You can, however, make use of marketing principles once you recognize the limitations of traditional marketing: you need to target multiple audiences, and you will likely need to create multiple streams of communication with different messaging. More important, your messaging should be treated as critically as other serious messaging, such as sexual harassment and fraud prevention. Part 2 of this book covers methods to achieve consistent behavior change across various subcultures.
