Security Awareness work involves changing user behaviour. Business Reporter’s resident U.S. ‘blogger Keil Hubert reports from New York City on the problem of marketing security concepts in a way that runs directly against users’ deeply-entrenched cultural practices.
October is ‘National Cyber Security Awareness Month,’ a proud tradition that goes all the way back to 2004. Although, to be fair, I only know this because my boss asked me a few weeks back what-all I was planning to roll out for ‘National Cyber Security Awareness Month,’ and I had to scramble to come up with a plan right that moment because I’d never heard of it before. Somehow, I’d missed it being mentioned for twelve straight years. Probably because I was paying attention to something else at the time …
Speaking of, ‘Security Awareness’ has far more to do with the second word in that title than the first. That is, awareness of what’s going on around you. Clues that something might be amiss. Something reportable. When we push memos and broadcast alerts and articles and catered luncheons and open bar mixers in the name of ‘Security Awareness Month,’ what we’re really trying to do is to get people to be a little less complacent and a little more engaged on a daily basis. We’re not demanding that ordinary, everyday users go out and pick up a graduate degree in security engineering; anyone so predisposed already has. Instead, we’re trying to remind our friends, co-workers, and bosses that their eyes are sometimes the best sensors that we have for spotting early signs of a compromise.
We’re fortunate (in a horrible perversion of the word) that we’ve had so many awful breaches lately that penetrated the usual political headlines. Three weeks ago US credit monitoring behemoth Equifax admitted that it had lost 143,000,000 customers’ sensitive data to adversary action. Last Thursday, US fast food icon Sonic Drive-In announced that bad guys had made away with an unknown number of its customers’ credit- and debit-card numbers from an as-yet unidentified percentage of its 3,600 stores. Between credit monitoring and fast-food businesses being hit, it’s a reasonable bet that 95% of the adults in the US have been affected by cybercrime escapades recently. That sort of news opens eyes. As Security Awareness professionals, we can – and will – use these stories to get our users’ attention. Makes our October marketing campaign a bit easier than usual.
At least we got people’s attention. That’s … horrible.
But what about the rest of the year, when there isn’t a major breach getting headlines (and, therefore, media emphasis)? That’s when we have to get inventive. We have to come up with ‘hooks,’ just like any Madison Avenue advertiser, to catch our viewers’ and listeners’ attention and try to get our message through. In order to pull that off, we need something short, catchy, and memorable … and we need to ensure that what we say resonates within our company culture. It doesn’t do us any good to have a fantastic security jingle if the message we’re sending runs contrary to how our people perceive their world.
That leads me to one of the most peculiar security marketing slogans I’ve ever encountered: New York City Metropolitan Transit Authority’s controversial slogan ‘If you see something, say something.’ Everything about this marketing pitch seems to be 100% at-odds with how normal New Yorkers live their lives.
I wondered if things had changed since the last time I’d visited NYC back in 2000. The last time I visited, I discovered that New Yorkers never make eye contact with you. Back then, every person you were near on the street kept strictly to themselves. They looked at the ground, or past your shoulder, or just off into space. It was a sort of coping mechanism for the problem of being constantly surrounded by thousands of strangers. People moved fluidly past one another without any sign of recognition.
It was fascinating to watch … especially for a Texan, since we have a cultural imperative that adult males actively acknowledge one another’s presence when crossing paths. What probably started out as a hat-tip salute or salutation became a silent nod. One gentleman makes deliberate eye contact and nods to the other, as if to say ‘I acknowledge your presence and don’t intend to cause trouble.’ The gentleman on the receiving end returns the eye contact and nod to signal mutual respect, and then both men (and whoever might be traveling with them at the moment) move out of the other party’s way. It’s a deeply ingrained civil custom … in Texas. God help you if you try it in Manhattan. You’ll start to wonder if you’ve become invisible.
I have seen New Yorkers come within an inch of falling onto the electrified tracks to avoid having to make eye contact with a stranger. It weirds me out every single time.
So, have things changed in NYC since 9/11? Oh, yeah. They have. Only, it wasn’t a bunch of jackass hijackers changing people’s social rules; it was the introduction of the iPhone. Now, no matter where you go, it seems like half of everyone you pass on the street is head-down, lost in their personal screen. On the subway it’s even worse. As long as there’s space to hold a phone, you can darned well guarantee that 80%+ of the other riders in your train will refuse to acknowledge your earthly existence until you actually physically either sit on them or knock them off their feet.
I brought my wife to visit NYC for our 25th anniversary last week, and spent a great deal of my time watching the locals. No, not in a creepy way. I’m an amateur social scientist; it’s what I do. I watch how people act, especially with one another, and try to understand their motivations and shared rules. On this trip, I spent most of my time watching people watch their iPhones. Didn’t matter if it was early morning on the rush downtown, afternoon as the schools were letting out, or late at night as weary (and/or drunk) people trickled home. The omnipresent screen held people mesmerized.
That’s why the security awareness slogan ‘If you see something, say something’ posted in many of the subway stations and train cars seems so out of place. What in blazes is anyone going to see, let alone watch closely enough to report? I watched an artist board the #6 uptown local one night carrying a full-size impressionist painting and no one else so much as glanced at him, even though he was blocking the door.
I’m not going to say that NYC is in any way failing at their job of keeping people safe. Quite the contrary. I’ve been to the city several times and I’ve never felt safer than I did on this trip. People everywhere were more civil, more polite, and more welcoming. Also, armed police seemed to be freaking everywhere. I never saw a single altercation. Heck, the worst thing I saw all week was a frustrated pedi-cab driver who punched a car that had illegally blocked an intersection.
Seriously … Don’t screw up rush hour for everyone else. Tempers will flare. It’s freaking hot out here.
What I’m saying is that the marketing slogan doesn’t seem to fit the people that it’s aimed at. The imperative in the message is to report those indicators of suspicious activity that might help police thwart a criminal act in progress or one that’s about to happen. The trouble is, the imperative doesn’t work for the people. If you see something … Yeah, whatever. That’s a really big if.
The takeaway, as we kick off ‘National Cyber Security Awareness Month,’ is that you need to tailor your messages to resonate with your people as they actually are, not as you’d wish them to be in an ideal world. Assuming that people will change who they are in order to emulate your vision for them is a classic mistake that marketers, teachers, priests, politicians, and parents all make. As security professionals, we need to reach people where they live if we expect them to implement any positive behavioural change.
For New York, maybe that ought to be: ‘If you’re forced by an inconsiderate stranger to see something and what you’re forced to see is suspicious, tweet us.’ Or something along those lines. For you and your company, figure out what message will best tap your local Zeitgeist and stick in people’s heads. After all, we’re in the business of encouraging realistic action, not changing people into something that they’re not.
 Meaning, not rush hour.
 It was a damned good original painting, too. White base with black rising diagonal slashes highlighted with red accent streaks.
Title Allusion: None this week.
POC is Keil Hubert, firstname.lastname@example.org
Follow him on Twitter at @keilhubert.
You can buy his books on IT leadership, IT interviewing, horrible bosses and understanding workplace culture at the Amazon Kindle Store.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.