Trojan Horses for the Mind, Part 2 of Building Impactful Security Awareness Messaging

Wednesday, March 27, 2019

Perry Carpenter

211571f3e14099fd9a6c172426982ca5

In late 2018, I wrote about how we can use Trojan Horses for the mind when it comes to shaping messaging and creating an influential awareness campaigns. In other words, the way we design and deliver our messages can become a Trojan Horse that can sneak past a user’s mental defenses.

Why is this important? Here’s why: the concept of “security awareness” can suffer from a fatal flaw; what I call the knowledge-intention-behavior gap. Just because your people are aware of something doesn’t mean that they will care. And, even if they care and intend to do the right thing, a whole host of situations and contexts can interfere with the follow-through. So, there is a gap between knowledge and intention. And there is a gap between intention and behavior.

We can use our Trojan Horses for the Mind to help close some of those gaps. And we can use them to create messages that people remember and care about.

My last post focused specifically on the emotional side – how people tend to make decisions based on emotion and then build a case for their decision based on logic.  Let’s now talk about another Trojan Horse for the Mind -- visuals.

Think for a moment about all the great companies, products, media sites, and networks that you interact with daily.

When you scrolled through each of those items in your mind, did you see their names as plainly printed words? Probably not. If you are like most people, you saw the logos of the companies; or if you were thinking about a specific product, like McDonalds chicken nuggets, your mind summoned forth a product image.

Images are basically a compression algorithm that the brain easily and readily uses to unzip bundles of data whenever presented with the image. Now consider what a brand and logo really is… it is a simple word, phrase, or symbol that encapsulates the values, products, services, and history of an organization or idea. Icons can serve this purpose as well, as they can pack a complex meaning into a simple picture.

When it comes to building a successful awareness training program, you should always be seeking ways to embed volumes of meaning into simple, instantly digestible, images. For any behavior that you want to train on (password management, tailgating, incident reporting, secure document handling, etc.), consider the fullness of your message. And, as part of your training campaign, create compelling visuals and icons that represent that behavior. They can be photographs capturing the human impact of following (or not following) that behavior, or they can be icons placed at/near the point of behavior as context cues, and so on. The point is that the simple visual acts to ‘unzip’ the broader information bundle within the learner’s mind. That’s powerful!

Repetition is Magic

Remember that Britney Spears song that you hated the first few times you heard it? Then before you know it, the song is on auto-loop in your brain and you find yourself physically grooving to the music the next time you hear it. There’s a reason for that… and that reason emerges in all forms of communication, from the way words are used, to music, as well as imagery.

Here’s the reason: familiarity breeds likability. Cognitive scientists refer to this as the familiarity effect or the mere-exposure effect.

One marker of a mature security awareness program is the seriousness the program leaders place on consistency in the visual and textual components of their communication. These security leaders approach their awareness programs with an entrepreneurial mindset and treat the branding aspects of the program with the same zeal.

Another reason to use repetition in the awareness context is that you are always battling the “decay of knowledge.” Simply stating something once will not likely have a lasting impact. As a result, your once-per-year training marathons are (sorry to say this) next to useless in shaping behavior. Instead, you need to adopt this mindset: If it is worth saying once, it is worth saying multiple times. If it is worth saying once, it is worth saying multiple times. If it is worth saying once, it is worth saying multiple times…

That’s why you remember phrases like, “See something. Say something.”

The Power of Imagery & Color

It’s super important for us to understand and appreciate the power of imagery. To be human is to inherently understand the power of pictures. The moment an image hits our retinas, our mind decodes not only the data in that image, but also assigns any preconditioned emotional response. So, imagery is important if you want to evoke or enhance the emotional impact of your security-related messaging. Simple text-based security awareness messaging will always be less effective than messaging that includes well thought out and designed visual components.

A discussion about images and design wouldn’t be complete without talking about the use of color. Colors serve a much greater purpose than just being pretty. Colors imply meaning, can evoke emotion, and help establish context. While there are some general rules of thumb that you can use when working with color, it’s important to recognize that the intended meaning behind your color choices may not be interpreted the same by everyone in your audience; there are no hard-and-fast rules.

One of the best ways to think about how to use color is to see what already exists that is like what you want to communicate. Let’s say you wanted to build messaging related to how employees can secure their home networks and help their kids make better security decisions. You may have already defined the practices and now you are trying to figure out how to package and promote the information.

If you aren’t an experienced designer (or even if you are), this is where Google can be your friend. You don’t have to understand color theory, have a degree in marketing, or have studied the psychology of color to create something that can be great. Just enter brand names or search terms related to family, kids, childhood, and so on, and look at the image results. In this example, you’d quickly notice that many of the colors commonly associated with family, kids, and childhood are yellow, orange, green, light blue, and sometimes purple. And after seeing these examples, you can piece together plausible reasons why these colors have become the cultural reference point for the scenarios that you want to relate to. Green is typically associated with life and growth. The orange and yellows can be reminiscent of the sepia tones that we associate with memory and nostalgia; and so on. That’s a valuable starting place. In this Googling exercise you may even come across examples of font styles and images that you may want to use in your messaging. This is way better than starting with a blank page and agonizing about how to begin.

I couldn’t begin to cover all the critical areas or pitfalls of design. Here are some suggested books if you want to take a deeper-dive into color, and design principles in general:

  • Slide-o-logy by Nancy Duarte
  • Superpowers of Visual Storytelling by Laura Stanton, David LaGesse
  • Design Elements, Color Fundamentals: A Graphic Style Manual for Understanding How Color Affects Design by Aaris Sherin
  • Presentation Zen by Gary Reynolds
  • The Senses: Design Beyond Vision by Ellen Lupton (Editor)

About the author: Perry Carpenter is the Chief Evangelist and Strategy Officer for KnowBe4, the provider of the world’s most popular integrated new school security awareness training and simulated phishing platform.

Possibly Related Articles:
27516
Infosec Island Security Training
trojan security training Behavior security awareness program
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked