How can IT security professionals better succeed when engaging others on information security and awareness?
Bruce Hallas is the creator and founder of The Analogies Project and the owner and principle consultant at Marmalade Box Ltd.
As someone who trained in marketing, I learnt that if you wanted someone to buy your product, you needed to identify what your target audience found interesting and the relationship with what you wanted them to buy.
Failing to engage
In the 1970’s Dyson introduced its alternative to the Hoover. Its marketing campaign emphasized the great technological achievements made in engineering.
The customers, very few with the technical expertise to understand the messages they were receiving, didn’t buy into it. Sales were low. Customers didn’t change their attitude towards their current option, the Hoover. They didn’t change their buying behavior.
Dyson had failed to engage with their target audience.
The influence of values and emotions
Then some bright spark at Dyson took a step back and asked the question “What did interest them about the Dyson?”
It turned out that what interested Dyson’s target audience wasn’t the technical bit, which the engineers at Dyson had, rightly, so much pride in. The target audience liked the fact they wouldn’t have to change a bag. This was something you had to do with a Hoover. This meant that the cost of buying bags was removed. A very logical reason for being interested in buying a Dyson.
They also discovered a strange, but very human behavior, amongst its target audience. People would empty the Hoover bag to save buying a new bag, even though this was, at times, very messy and not very effective.
Dyson’s didn’t need their bag changing, they were easier to empty and this created less mess. Their target audience were prepared to commit to pay a premium for this. They recognized that human decisions, the things they are interested in, are often influenced by people’s emotions and values. Not just logical reasoning.
An engaged audience for Information Security
Now think of this in the context of information security.
Information security professionals need to influence cultural attitudes and behavior towards security across all stakeholders from the Board to employees. At a state level government policy makers need to influence society’s attitudes and behavior. What can they learn from this analogy with Dyson?
Whilst some of the target audience will buy into information security and alter their attitudes and behavior accordingly, when presented with the technical detail and logical argument, the majority will need their values and emotions satisfied as well.
The Analogies Project recognizes these very human characteristics. It aims to leverage the relationship between what people find interesting and information confidentiality, integrity and availability.
It aims to do this by exploring our everyday experiences and researching our historical and cultural past for the hidden stories that highlight the relationship between security and our interests, values and experience. These, combined with logic, should make information security messages more compelling and help prompt changes to stakeholder’s attitudes and behavior.
Making the challenges in IT Security easier to understand
The Analogies Project is a not for profit venture exploring the domain of information security and awareness, through a number of planned initiatives. It is engaging with unique partners to explore different platforms and models for engaging with stakeholders to influence attitudes and behavior.
The first initiative, launched 2 months ago, has already received industry acclaim with its Founder’s efforts being recognized as being of real benefit to the success of the security challenge of engagement with stakeholders. Contributors from around the world, are submitting their own stories, analogies and metaphors for other piers, to use free of charge, to help engage more effectively with stakeholders. This library of content will draw on the experiences, culture and history of contributors across the world, from both within and outside of the information security community.
To find out more about the project, its planned initiatives and how to get involved please visit http://theanalogiesproject.org/