At Sans Serif, we love working on cybersecurity branding, messaging, and campaigns, not only because of the strategy and creativity involved. It’s also an opportunity to make a real difference in one of the most critical challenges of the world today. But a unique hurdle presents itself as well. How do you prove its effectiveness when success means something didn’t happen? You’ve probably encountered the harrowing statistics about the devastating costs of cybersecurity failures (if you haven’t, spoiler alert, it’s a lot). However, direct evidence can be hard to come by.
The question can be approached from the opposite direction though. What evidence is there regarding effective ways to motivate behavior change? We can look to psychology for some answers. So, what does the research say, and what works when changing perceptions and behavior for the long term? And why isn’t a standard, off-the-shelf, one-and-done training enough?
Thoughtful branding and creative internal communication campaigns are some of the best ways to be proactive and bolster your cybersecurity efforts at the human behavioral level. And there are well-known reasons for that rooted in the psychology of behavior and behavior change.
When it comes to adopting good decision-making in mundane but important situations, all humans face at least three challenges:
A scary news report or company pep-talk may inspire us to use complex passwords, VPNs, multi-factor authentication, and all the other recommended behaviors for a moment. But the mental load and fatigue of always doing those things is real. The key then, is to intervene proactively. According to psychological research, durable behavior change requires correcting false beliefs and introducing new feelings of identity.
For many cybersecurity interventions in the office, workers don’t have a choice about participation and it doesn’t matter what they think or how they feel about it. If you can’t log in to an employer-managed device without using a strong password or MFA, it makes no difference if you think such interventions are overbearing. You have to do it.
But to create consistent, persistent behavior change, it does matter how you think and feel and what you believe about it. If you think a cyber-attack is highly unlikely, practicing good cyber hygiene seems like a waste. If you feel that your company’s technological cybersecurity protections are impenetrable, then it won’t seem to be a part of your job. Or if you feel like cybersecurity is so big and daunting that it only leads to anxiety and despair, you’re likely to wallow in inaction. If you believe that damage control will be enough… well, you get the idea.
You can be compelled to do certain things and make certain choices throughout the day, but what you believe and feel about the issue will drive your habits and routine behavior. When one of those safeguards slips or isn’t there, huge vulnerabilities emerge.
The most durable approach is to create group identities that prompt certain behaviors and replace incorrect thoughts with correct thoughts. This is a deep intervention that requires strategy, consistent messaging, and generating buy-in. That is, it’s an ideal candidate for brand and creative campaigning that gets attention, challenges belief structures, shifts attitudes, and builds equity.
Is cybersecurity part of IT? Who do you reach out to if you see something suspicious, the Help Desk? Who is (or what even is) the CISO? Cybersecurity efforts usually lack clear identities on the part of employees and for most are an afterthought at best—until a crisis strikes.
Al Ries and Jack Trout, in their classic Positioning, talk about the need to establish a creneau, a unique niche or position that stands apart from the noise in people’s minds. Amid the relentless blitz of information we receive on a daily basis, this insight has only been amplified since its original publication. When cybersecurity sinks into the mire of technology, there’s a problem.
To be effective, internal marketing should employ the same level of creativity and invite the same level of engagement as sales-driven marketing. The strategy must be clear about values, identity, and beliefs and the creative should actually be... creative! Cybersecurity is often seen as a technical matter when in reality it’s a matter of beliefs and behavior. All the technical interventions in the world won’t stop a cyberbreach if the human element introduces an easily-exploitable weak link—the most common origin of a breach.
Eye-catching, consistent, on-message creative provides the means for interrogating beliefs without being patronizing, making messages understandable and even enjoyable. Take, for example, our cybersecurity monsters campaign, which has expanded to include an annual mandatory training for all employees. Neither is what you’d expect when thinking about cybersecurity. They appeal to emotions and beliefs, pushing and pulling emotional motivators like fun, team spirit, and occasionally fear, for maximum effect. The monsters are fun but they introduce concrete representations of the very real cyber threats that are hard to imagine or keep front-of-mind on a daily basis.
The monsters have been expanded through a number of other campaigns—and we’re currently working on more. When someone is logging in and sees a plush cybersecurity monster on their desk it’s an instant reminder, against limited time and attention, that good cyber choices matter. When someone has a coffee mug on their desk with a branded and reinforced message that resonates emotionally, it instantly appeals to the worker’s identity as a responsible user of company technology. They are reminded that they are one of thousands of links in a cybersecurity chain.
Again, while it’s difficult to quantify dollars not lost to a cybersecurity breach as compared to dollars earned from sales, the dollar amounts lost to failures are staggering. Significant investments in cybersecurity branding and campaigns are worthwhile because the messaging and creative assets must be consistent, authentic, and sufficiently attention grabbing. They must appeal at the level of identity and beliefs, not just information. That’s how persistent change and positive behaviors are encouraged and activated.
A disciplined, consistent, creative, and engaging complement to technical interventions and protections against cybercriminals has the potential to create a formidable frontline of human cybersecurity champions.
Read our case studies and other articles about cybersecurity.
And don’t be afraid to get in touch.