Time for More Than Mere Awareness

By Michael Tanji

How do we know if 16 years of Cybersecurity Awareness Months have made a difference when it comes to the security posture of the average citizen? What can we do differently that would drive measurable action that in turn reduces risk?

At the risk of appearing to denigrate the efforts of colleagues and peers: is everything we do during Cybersecurity Awareness Month worth it? Has there been a comprehensive effort to track how successful such efforts have been over the past 16 years? If we cannot determine if the effort is having an impact, who exactly is Cybersecurity Awareness Month for?

On the supply-side, cybersecurity people are doing yeoman’s work. Yes, there are some that are going through the motions and doing the minimum to show solidarity with the sentiment, but for the most part those trying to make a difference take the time and exert the effort necessary to produce informative content that is meant to drive changes in behavior.

On the demand-side the problem is not a dearth of information or good advice, it is mostly a question of risk. Ransomware is a problem, credential theft and misuse are problems, the theft of credit card information is a problem; but for the most part they are someone else’s problem. How many people do you know – first hand – that have had their identity stolen? Had to pay a massive – fraudulent – credit card bill? Lost everything to an online scammer? The number is probably not zero, but it’s probably not even close to ten either. The average person can ignore calls to do more, to do better, because there is no up-side relative to the effort involved.

Since the number of cybersecurity problems we face keeps growing, it is reasonable to assume that as an industry we are doing more than our fair share of wheel-spinning when it comes to getting the average person to up their cybersecurity game. Thankfully, as a society, we have been in this situation before. If you are of a certain age you remember who Smokey the Bear was. Who McGruff the Crime Dog was. Who the Crash Test Dummies and the Crying Indian were. These, and many other ad campaigns, were the work of the Ad Council. They weren’t just any old public service announcements; they were informative, in some cases entertaining, but mostly compelling ads that actually had a measurable impact on the problem at hand. The most obvious and observable proof? In the 60s and 70s we were polluting this country so badly rivers caught fire, and we were introduced to the phenomenon of acid rain; today violators of such laws pay massive fines and go to prison. People thought nothing of tossing their trash out of their car windows while driving down the road; today, seeing litter while you travel down the highway is a fairly rare occurrence.

Security experts have their own lexicon and outlooks on how things should be that are rarely translated into the language or worldview of the average person. Think about one of the first pieces of advice you might give someone who wanted to reduce the risk of getting hacked. You would probably mention two-factor authentication…well now you have to explain what a ‘factor’ is in this context. If we’re not speaking the same language, or taking other people’s situations into consideration, and there is no compelling reason to change, is it any wonder that the 17th year of Cybersecurity Awareness Month is probably going to be a lot like the 1st?

As we work towards a day when getting online is not as risky a proposition as it is today, and when the commonplace threats of today have been trivialized, it is probably worth thinking about how we can frame our messages and campaigns to actually make a difference:

  • Make it Relatable. The Crying Indian campaign really hit home for a lot of people because you could see yourself as part of the problem. Everyone contributed to pollution in some fashion, but you did not see or think about what the impact of a thoughtless action writ large.
  • Make it Compelling. The Ad Council didn’t do the This is Your Brain on Drugs campaign, that was the Partnership for a Drug-Free America, but if you have seen it you know exactly what I’m talking about, and if you haven’t seen it I guarantee you’ll never forget it.
  • Make it Measurable. Tens of millions of Americans participated in the Presidential Physical Activity and Fitness program. That is almost 30 years of measurements against a common standard. There is no reason to think that an equivalent metrics scheme could not be designed for our information-age “fitness” problems.

Doing the same thing over and over again and expecting a different result is supposed to be the definition of insanity. We may not all be crazy, but we are crazy if we think another 16 years of what we have been doing is going to get us where we want to go. It may be too late to change what we do this year, but going forward let us all make a concerted effort to change the way we communicate the scope, scale, and nature of the problems we face in cyberspace so that we are shaping the future we want, not the one we end up with.

The author, Michael Tanji, is the Global Marketing Officer and Chief of Staff at the Global Cyber Alliance. You can follow him on Twitter or connect with him on LinkenIn.