Oct 27 2016

EDUCAUSE 2016: Good Habits Are the Key to a Strong Cybersecurity Culture

National Cyber Security Alliance leader shares best practices for developing messages that change behavior.

Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA), presented “Creating a Culture of Cybersecurity” on Thursday at EDUCAUSE 2016, sharing tips with attendees to improve the effectiveness of security messaging on their campuses.

The NCSA, a public-private partnership, is the creator of the “Stop. Think. Connect.” campaign, a global initiative to raise online safety awareness. Kaiser used the campaign to demonstrate some of the best practices that higher education institutions can use to adopt or develop messaging for their campus communities.

Everyone Has a Role to Play in IT

A primary driver behind the campaign is the idea that cybersecurity is a shared responsibility, Kaiser said. In surveys, consumers tend to identify themselves as being responsible for their online security, a finding that is beneficial for IT departments. “That’s a good thing when you’re trying to create a culture of cybersecurity, because your audience already believes they play a role,” he said. Typically, messages about cybersecurity take a negative tone, Kaiser said, using scare tactics or telling users what they can’t do. Neither has been shown to be effective, he said: “You don’t create a culture of cybersecurity by telling people not to do things. When you put up a wall, what do people want to do? They want to go over it.”

As an alternative, he proposed discussing security as an enabling factor that allows people to do what they want to online — connect, engage, conduct business — but to do so more safely.

Changing Culture Over the Long Term

Kaiser presented the analogy of Americans’ changing attitudes toward recycling and smoking. Neither change happened overnight, but through dedicated efforts to change habits over time, individuals began to adopt different attitudes and behaviors in these areas. The same approach can be applied to cybersecurity, he said. He likened the “Stop. Think. Connect.” campaign to other phrases that have been widely used to drive public awareness, such as “Stop, drop and roll” and “Look both ways before crossing.” “You start at the most basic level, and you start to teach habits,” he said.

Messaging Matters with Consumers

In 2009, in response to President Barack Obama’s call for an action plan on cybersecurity, the NCSA and the Anti-Phishing Working Group led a group of 25 companies (Facebook, Google and Microsoft among them) and seven federal agencies to create harmonized messaging on cybersecurity. In conducting research with experts and consumers, the group affirmed the importance of developing messages that resonate.

“You can’t just tell people, ‘Here’s what you have to do,’” Kaiser said. “They don’t respond to that so well.”

The strategy the group landed on was to give aspirational advice (such as “keep a clean machine”), a related tip, and technical advice or “how to” information. In keeping with the goal of using these campaigns to encourage good habits, the “clean machine” ads compared consumers’ online behavior — keeping software up to date and keeping connected devices free from malware and infections — to habits such as eating a balanced diet and exercising regularly.

The group also tested various taglines among demographic groups to identify the most effective. The gauge was whether consumers found the taglines attention-grabbing and easy to understand and whether they motivated users to change online behavior.

“When you’re trying to create a culture, you have to talk to the people you’re trying to reach and you have to understand the message that you’re creating,” Kaiser said.

Institutions can use materials from the NCSA’s “Stop. Think. Connect.” campaign for free, either by license or by using premade materials, for both internal and external initiatives. For more information, visit staysafeonline.org.
