Make Your Employees Think! Creative Design and Information Security Awareness
Information security awareness campaigns must be deployed within a carefully considered creative framework. Without it, you run the risk of being ignored. The creative director of a large information security company explains why.
One of the reasons I don’t favour generic approaches to employee information security awareness is that they don’t go far enough to address the specifics of an organisation. As largely a ‘one size fits all’ package of good practice behavioural messages, they can leave organisation-specific processes wide open to risk unless the holes are filled in. In some cases, enough time can be spent amending generic campaign materials that a bespoke campaign would have been more cost-effective.
My other chief concern is the lack of an organisation-specific creative framework within which the messaging is deployed. Without this, you’re simply firing more information at your already information-overloaded employees. To be blunt, if you don’t deliver messages in a way that catches your employees’ attention and makes them think, then your valuable budget could be wasted.
Making the audience think
I’m a creative director, which means I spend most of my day sketching Packaging Company in Vietnam visual solutions for campaigns. So let’s use images to highlight the essential need to make employees think.
Generic information security awareness campaigns tend to be supported by standard library images. We’ve seen them time and time again: chained up laptops, printed circuit boards with padlocks etched onto them, and the good old skull and cross bones on a computer screen. These standard images don’t make employees think for a simple reason: once the human mind has registered something as familiar, it no longer considers it distinctly. It skips over it as part of the scenery.
Human attention and thought require novelty. Every time we see something for the first time, our minds are forced to analyse it and arrive at an understanding. Therefore, if you wish to communicate a message in a way that’s going to catch the audience’s attention, then it absolutely must be done in a way they haven’t seen before.
For example, in one of our recent campaigns we associated a key information security message with a popular board game. We produced a highly detailed custom image of the board game that incorporated the information security message. The audience had never seen this before, and was forced to associate the two distinct concepts of the familiar board game and the information security message we were imparting. This not only caught their attention, it was highly memorable as well.
Making the audience think in context
A further benefit of creating a bespoke image is that it can be targeted to the culture of the organisation. For example, compare a law firm and an IT consultancy. These are two very different professions with extremely distinct cultures. A bespoke campaign allows you to create visual reference points that perfectly suit the audience you are communicating with. That’s another problem with generic images; they’re often so generic that no audience can really associate with them. In some cases, the image is just plain wrong. For example, the online industry prides itself on its agile working practices. The image of a laptop chained to a desk is entirely alien to their culture.