Strengthening Security Behaviours by Asking the Right Questions

 
 

Introduction

When it comes to cyber security training, it’s easy to fall into the trap of information overload. Do you start by educating your team on the too-good-to-be-true nature of phishing emails or would it be more effective to explain the value of multi-factor authentication? 

Instead of assuming what your team needs to learn, you can start by asking questions. Including questions in your security awareness materials can help increase engagement and improve security behaviours within the team. But this only works if we ask the right ones. 

 

Using Questions to Improve Security Behaviours

When deciding which questions to include in your security awareness materials, rhetorical and thought-provoking questions are a good place to start. During this exercise, assume that the people within your team don’t have enough knowledge about security risks to properly understand situations and keep themselves safe. Therefore, your questions should act as a toolkit for users, which they can use to assess and improve their own security behaviours.

For example, here are a few questions that team members should be asking themselves if they want to spot signs of phishing:  

  • “Is this someone you have emailed before?”  
  • “Does this email address look right?”
  • “Does the email contain any unexpected attachments/links?”
  • “Is the language or tone unusual?”
  • “Does the message seem urgent?”  

In doing so, your questions become a simple checklist that helps prepare the people within your team to assess a situation and spot potential phishing attempts on their own. In fact, American political and communications consultant and author Frank Luntz classes the need to question as one of his ten rules of successful communication. In his book, ‘Words That Work: It’s Not What You Say, It’s What People Hear’, Luntz explains why people should be encouraged to question everything, and why a statement, when put in the form of a question, can have a greater impact on the reader.

Equally, this exercise encourages a questioning mindset when users are left to their own devices. As a result, it adds a further layer of security protection to your organisation that even technology can’t provide, whilst helping team members to learn the indicators of various cyber security attacks.

 

Building A Human Firewall  

Asking the people in your team questions is a great way to measure their knowledge of security, but it can also serve as a tool for organisations to gather feedback and intelligence on potential risks to the business. For example, if an organisation notices people impersonating its employees on social media, it can ask team members questions such as:

  • “Have you seen any of these people?”
  • “Have any of these people tried to add you?”

Questions that gather intel from the people within your team can increase your existing knowledge of the threat, whilst simultaneously increasing their ability to detect the threat.

 

Time to Try it Yourself!

Take a moment to evaluate your existing security awareness materials. Are you incorporating engaging questions in your awareness communications? Challenge yourself and see if you can come up with a list of rhetorical and thought-provoking questions relating to security. In doing so, you will raise engagement levels within your team and help your people learn and keep themselves safe.  

Stay tuned for the next blog in the series, where we’ll explore the importance of forming security-related identities. We’ll dive into how you can improve the security behaviours of your team by assigning individual security-related identities to them.

In the meantime, you can find the previous blog in the series “Mastering The Art of Emotional Language”.  
