As security advisors, we are constantly looking for ways to convince organizations, companies, local governments, and schools of the importance of information security. We can’t count the number of times we have cited statistics and shown the hard data on how much money is lost to data breaches. Over and over we warn against the dangers of lax security policies, yet CEOs and government representatives continue to nod politely and never call back.
Perhaps the answer lies in how we approach the issue of cybersecurity. How do other industries communicate their ideas to the general public? Interestingly, health promotion agencies, including the Centers for Disease Control and Prevention (CDC), have plenty of experience when it comes to persuading a population.
Extensive research has been done in public health on how to effectively convince a wide range of populations to do something that is good for them, such as washing their hands. Today washing your hands often seems obvious, but hand washing only became routine practice in hospital settings, including in the United States, relatively recently, long after the link between hygiene and infection was established.
How the CDC approaches health and the spread of disease is something cybersecurity experts should look into. Essentially, public health researchers have studied why people don’t listen to them and politely name these reasons “risk factors”. To take an example from a study of why healthcare workers did not wash their hands, the researchers identified a number of risk factors, including physician status, how busy the hospital was, and working during the week rather than on the weekend. Physicians had the highest rates of non-compliance, and workers washed their hands less when the hospital was particularly busy.
The researchers then studied the barriers behind that non-compliance. Among the barriers were skepticism, sinks in inconvenient locations, and soap that irritated the skin.
From these studies, health promotion agencies began to work out how to get people to listen by mitigating these barriers and risk factors one by one, studying different approaches as they went. One approach they named “recognize-explain-act”, which sounds a lot like what we do in cybersecurity: we tell consumers that we recognize they have a privacy problem, explain why they have it, implement our own practices, and hope they listen.
It turns out that this approach does not work well, because it involves little collaboration with the people we are working with, yet we expect them to completely change how they protect their privacy. Today other approaches are used instead, such as PDCA (Plan, Do, Check, Act), which requires much closer collaboration with the consumer: agree a plan with them, carry it out together, check whether it is actually being followed, and adjust.
The point is that we need a different approach to communicating the need for information security. Cybersecurity experts riddle their explanations of why a company needs computer security with jargon and lose their audience. That is why we should follow the example of public health campaigns, which had to find a way to communicate an idea to the entire population, since disease sees no class, job title, or wealth.
More companies, schools, organizations, and individuals need to be reached by security providers, and cybersecurity promotion campaigns that borrow the plain, barrier-focused language of health promotion campaigns may be the most effective way to spread the word. After all, it is our well-being that is at risk, this time in the form of our most private information.