Behavior Change Marketing and Cyber Security
Why are some marketing campaigns so compelling?
That sounds like something we should be leveraging, right?
This is not new. In fact, you probably exhibit behavior that is a direct result of behavior change marketing. Singing Happy Birthday as you help your child wash their hands or picturing the gruesome images of smokers' lungs when you see someone smoking are examples of successful behavior change marketing campaigns led by the CDC.
How can we leverage this to influence positive security culture?
Three primary components drive behavioral change: motivation, capability, and opportunity.
Opportunity is an external factor. In our case, cyber security needs to provide the opportunity for positive security behavior. Think tools, technology, and processes. There is no shortage of these in cyber security.
Motivation and capability are internal factors. This is where behavior change marketing comes into play.
We need to motivate and educate through marketing.
What comes to mind are newsletters, emails, splash pages, etc. However, we need to go further than that. Those digital marketing items must be compelling and thought-provoking to influence positive change.
To get started, you must understand what already motivates your target audience.
Use that as your foundation. The message should start by framing the positive consequences of the proposed behavior. Then, it should identify the negative consequences of discouraged behavior. The negative consequences should identify associated risks directly applicable to your target audience. Think back to our foundation.
Rewarding positive change is equally important. There is no end to resources debating how to motivate employees to do good work. However, there does seem to be a general consensus.
Challenge coins, public recognition, and verbal appreciation in private are all ways to reward positive security behavior.
This is a fun story from a previous employer. We had started a challenge coin program. They were custom challenge coins that we handed out for positive security behavior. The coins were slowly gaining popularity as we handed them out. At one point, there was a team that wanted the challenge coins. After a big red team operation involving infrastructure that this team maintained, the team worked endlessly to resolve numerous issues and push new features to remediate the identified risk.
This was an understaffed team that ended up working long hours. This wasn't required, and no one asked them to work overtime. But they did. The prestige of getting an Offensive Security Challenge Coin drove them to go the extra mile.
I don't encourage working unhealthy hours, but this was a perfect example of rewarding positive security behavior and a positive marketing campaign.
A common theme here is marketing. Your red team report is marketing, your penetration test report is marketing, and your compliance report is marketing.
Let's discuss red team reports. The primary audience for a red team report is usually the blue team. Ask your blue team for their favorite threat intel reports and malware analysis blogs. Chances are, those reports and infographics are in a format you should start using.
Let's take an example. Let's say you just wrapped up a Red Team operation. You used a novel technique that isn't widely known. You place all the details in a standard report and attach an Excel spreadsheet with the IOCs.
This works, but the blue team must switch from their regular programming to parse your deliverables.
Let's say you do all those things but give them an infographic in the same format their threat intel reports use. Now you're speaking their language, and they are likely less resistant to implementing your suggestions. That's marketing.
To recap, everyone in cyber security should think in terms of marketing. Ask yourself, who is my audience, and why is this compelling to them? If it's not, then make it compelling.
Additional Reading: