Field Notes

Making security messages sticky

When it comes to making messages sticky and memorable, context is king. Nowhere is this more true than when the content itself is less than engaging. Like, say, every security awareness training ever.

Do your users know why the infosec advice you spend so much time and effort conveying to them exists? Do they get a practical understanding of how they could be affected personally? If not, the message isn’t sinking in the way you want.

Advice given without context is just another arbitrary rule, one you probably can’t enforce, fighting for limited mindshare.

Without context, you’re setting an extrinsic goal - being compliant with the rules.

The alternative is helping people fulfill an intrinsic goal - people want to be secure. Nobody wants their account breached or to cause a data leak.

By giving context along with the advice, you’re providing your users with the knowledge necessary to make smart decisions that fulfill their own goal.

Personal stories are another technique for making your messaging more relatable and therefore more memorable.

I’ve shared in the past how I had reused my Airbnb password elsewhere. That same password was then leaked via some other site that was hacked.

The attackers sprayed my credentials everywhere, and when they were able to log into my Airbnb account, they were treated to what was, by all accounts, an extremely fun, slightly debaucherous Amsterdam weekend in my name.

Hearing about my own, less fun and not-at-all debaucherous weekend dealing with the fallout allowed the audience to make a concrete connection between action and outcome and provided an opportunity to learn from my mistake without having to feel the pain.

Make sure rules that people need to follow come with the context for why they exist. Doing so enables their critical thinking abilities rather than having a population of users mindlessly apply a heuristic in a vacuum.