What makes cybersecurity awareness campaigns effective?

Event report

[Read more session reports and live updates from the 11th Internet Governance Forum]

This workshop tried to explore reasons why cybersecurity awareness campaigns often fail to change people’s behaviour. The session moderated by Ms Carolin Weisser, Portal Content Manager, The Global Cyber Security Capacity Centre, was organised in a format in which the panellists interviewed each other on specific issues about cybersecurity, comparing what makes them effective, and what are the challenges. 

In the first introductory round Ms Maria Bada, Oxford Martin Fellow, The Global Cyber Security Capacity Centre, introduced the centre, and detailed some of the reasons why awareness campaigns often fail. She mentioned insufficient management, lack of resources, incorrect selection of target groups, the lack of long-term sustainable initiatives, and bad linkage to national strategies as possible causes.

Mr Michael Kaiser, Executive Director, National Cyber Security Alliance (NCSA), talked about the situation in the United States, as a very large and populous space. He stressed the importance of giving a thought to who the messenger is – who do people listen to. Kaiser supported the need for a very robust representation of the private sector in these campaigns.

Ms Barbara Marchiori de Assis, Cybersecurity Policy Consultant, Organization of American States (OAS), briefed the group about assistance to countries that start developing educational awareness raising campaigns.

Mr Jorge Bejarano, Director of IT Standards and Architecture, Ministry of Information Technology and Communications, Colombia, shared the Colombian experience with awareness campaigns. One of the lessons learned showed that young people seek advice from their fellow generation (contemporaries), and it is necessary to offer engaging activities like contests, certificates, etc. 

The second round of talks focused on possible metrics to measure the impact of cybersecurity awareness campaigns.   The quantitative part of metrics is usually simple to measure and implement. The real challenge is the qualitative part. How can we capture whether the message was delivered? How can we identify peoples’ behavioural change, i.e. the success of the campaign? The panellists agreed that it is important to set a baseline, focus on goals, re-evaluate, always adjust, avoid too many complex messages, and do not expect people will become experts. Bejarano suggested to think about and utilize a strong national concept that is clear to everybody. He gave an example: Don’t give away ‘cyberpapaya‘ (In Colombian, ‘Don’t give away papaya’ in Colombia is a well-understood message meaning do not bring treats to the bad guys – don’t let yourself be taken advantage of).

A significant part of the workshop was dedicated to the Q&A block. The first section of the debate concentrated on recommendations for awareness campaigns in the sector of justice and law enforcement. Suggested steps were to link campaigns to the national campaign for end-users, and to utilize the mutual interconnection of both groups. Several examples of cooperation were provided.

A very long debate was focused on the question of whether it is good to put the factor of fear in awareness campaigns. All of the panellists warned against the fear factor, arguing that this strategy used to be applied in the early stages of cyber safety campaigns, and proved to be unsuccessful. Although some members of the audience pointed out that awareness of bad consequences could be beneficial. The recommendation was made that we should rather focus on developing habits that eventually lead to good cyber hygiene. Another participant in the debate added that fear messaging becomes tricky in a country where the Internet is already propagated as the root of evil. This could be counterproductive, and lead to a completely wwrong perception of the Internet by people in these countries. The panellists supported this point and shared their experience in this matter. The organisations that work in cyber safety often have to navigate through two difficult positions: careless use of the Internet and deliberate disregard for the Internet.

Another point made by a member of the audience reflected that a lot of cybersecurity campaigns today focus on youth, and that the education of adults is neglected. Kaiser offered several resources, and mentioned the cyber seniors documentary as an example of mutual cross-generation exchange of knowledge. Younger people master the technologies but older generation can utilize life experience, and in fact, have shown to be more capable on filtering bad and good.

The last point of the debate highlighted the opportunity for awareness campaigns in parts of the world that are newly connected or not yet connected. People in connected parts of the world have already established bad habits. We can teach digital newcomers to employ good habits while they are using the technologies for the first time.

by Radek Bejdák