Read the book Security Awareness For Dummies - Ira Winkler - Page 37

Choosing Substance Over Style

When I worked for the NSA, it was clear that any mishandling of sensitive information could result in an employee’s termination and, potentially, prison. The NSA allowed some gimmicks and creativity as part of its security awareness efforts, but providing entertainment definitely wasn’t a priority. We employees didn’t watch comical videos. We didn’t play games where we sat around and won prizes if we guessed the amount of prison time we might earn. Violations are serious offenses and were portrayed as such.

Entertainment has its place. Contests are useful for engagement. Humor can enhance engagement. Giveaways are fun and can provide reminders of awareness messages. But the purpose of a security awareness program is to change and improve security-related behaviors. Your work should focus on the efforts and formats that contribute to behavior change.

Though you want material that is engaging, you can walk a fine line between engaging and trivializing. Humor, when used appropriately, can enhance learning. Avoid using humor for serious subjects, however. You don’t see humorous videos regarding sexual harassment. Humor can trivialize an otherwise important concept, and you need to ensure that people understand that strong security behaviors can prevent significant loss.

Unfortunately, I have seen many awareness efforts that lead with humor. The users like it, if it’s done well; however, it doesn’t mean that it has the desired impact, which is to change behaviors. You don’t want to bore the audience, but you do want them to take your lessons seriously and apply the information.

There’s nothing wrong with telling people sometimes that they have to do something because they simply have to do it. You’re paying them to perform a function. In other departments, such as accounting and human resources, people know that they might be fired or that they won’t get paid if they fail to do certain things, such as properly fill out a time card. You can do the same with security responsibilities.

To determine whether your awareness training is effective, ask participants what they learned from it rather than whether they liked it.
