Planning large-scale security awareness campaigns throws up many questions to grapple with. How can you make sure your campaign reaches the right people? What’s the best way to inspire them to take action?
And how do you run a security awareness campaign so realistic it gets banned by the national post office?
As cyber threats become both more numerous and more sophisticated, helping members of the public understand them becomes harder, yet more urgent. Throw in rapidly shrinking attention spans, and the task becomes even more Herculean.
Jasmina Mešić (SI-CERT, Arnes) is the coordinator of Slovenia’s award-winning national cyber security awareness programme, Safe on the Internet. Here, Jasmina shares her top tips for running successful, large-scale security awareness campaigns.
1. Know your audience
The most important thing, Jasmina says, is to know your target audience. Every aspect of your security awareness campaign follows from that – what you say, how you say it, which format to deliver it in.
Developing a target audience persona is a common marketing concept. It helps you to construct and deliver your messages in ways that are most likely to be effective. Rather than defining target audiences by factors such as age and location, Jasmina and her team focus on media consumption trends and lifestyle.
“You have to know what people are talking about and doing. So I look at: Which are the most-used social media platforms? What’s trending in pop culture? What are people buying online? Which sites do they use to get information?”
“You can’t say, ‘My target audience is everyone in Slovenia aged between 20-50’. That isn’t a target audience. ‘Someone who goes to work, uses mobile banking, has two kids, does reservations online, travels a lot, and uses Instagram a lot’ – that is a target audience.”
Test your assumptions
A common pitfall Jasmina sees is awareness campaigns based on preconceived but inaccurate ideas about how certain groups behave, or who belongs in that group. This leads to ineffective messages that don’t resonate with the target audience.
“I have seen so many campaigns targeting elderly people, defined as 45 years old and above. But 45-year-olds are not elderly!” Jasmina says.
“People have this perception that 55-60 year olds don’t know how to use Facebook. But if you look at the statistics, Facebook is their go-to social media platform.”
2. Use straightforward, relatable language
Explaining cyber threats in simple terms, using everyday language, is crucial for your message to be understood by as many people as possible. Most members of the public aren’t cyber security experts, and have limited understanding of how technology works.
To shape your messages effectively, Jasmina recommends listening to the language your target audience already uses.
“I follow a lot of closed Facebook groups, like for mums chatting, for example. I follow how people talk about everyday issues and see what their struggles are. Because they don’t talk about two-factor authentication. They say, ‘Oh, I get a message on my phone when I try to open this app’.
“If you really get inside the head of your persona, your target audience, then you can adapt all your messages to speak to that audience.”
The biggest lesson Jasmina has learned over her career is:
“Don’t get locked inside a cyber security bubble and just follow industry professionals. Always look for the struggles of the average person who isn’t very tech-savvy. They have totally different perspectives from cyber security experts. Otherwise, you’ll start writing things that 99% of people don’t understand.”
3. Show people why they should care
It’s important to explain to people why they should care about the information you’re giving them, says Jasmina.
“People often perceive technology as something that is ‘out there’ – not relevant to them. So we always try to explain to people that it’s part of their everyday lives – ‘look, it can affect your life in this way or that way’. We always try to answer the question: What’s in it for me? Why should I care about this?”
When describing online scams, Jasmina and her team aim to show everyday situations that many people could imagine themselves in.
“We show regular people doing normal stuff on their phone or their work computer. So maybe you’re asked to click on a link in an email and you’re not sure about it. Or you’re texting with someone you just met on Tinder, but it’s a romance scam.”
4. Focus on what people can do to protect themselves
“I see a lot of campaigns talking about the threats, about hackers in hoodies and how everything is really dangerous. But they never explain to people what they actually need to do,” Jasmina says.
“We try to teach people how they should respond to a specific threat. We always give examples and tips. And we try not to scare people. We always keep it more on the humorous side.
“Because if we only talk about the danger and nothing else, people just shut down and stop listening to our messages.”
5. Be persistent and consistent
From highlighting romance scams for Valentine’s Day to shopping online safely in the festive season, Jasmina and her colleagues plan and deliver awareness-raising activities across the whole year.
“It’s not enough to just do one campaign in October for cyber security month and that’s it. You have to be persistent and consistent. We do this on a daily basis. On our web page, social media channels, newsletters, ad campaigns.”
After a decade of single-handedly running Slovenia’s security awareness programme, Jasmina was joined by two colleagues two years ago. This reflects the huge and expanding workload required to plan, create and publish content consistently across all platforms and formats.
“It’s hard to maintain a presence on social media because the demands are so high. It’s very competitive. You have to be present, you have to post all the time, and what you post has to be good. Video is the number one communication format right now, but producing videos takes a lot of time, effort and money.”
6. Create a mix of content sizes and formats
“Right now, our biggest challenge is the limited attention span of users,” Jasmina says. “People are constantly bombarded with notifications, adverts, pop-ups, messages. The sheer amount of communication today is overwhelming. So it’s really hard to get anyone’s attention for more than two seconds.”
To overcome this, SI-CERT create ultra-short snippets to share on social media and in newsletters.
“We put out bite-size information videos, to lure people in, and to say, ‘Look, you can watch this funny video for 15 seconds. Then if you need more detailed information, check out our website’.”
The Safe on the Internet website offers many different sizes and forms of content: quick videos, long articles, webinars and more. The team also write articles for print media and run TV adverts, to engage people who prefer traditional media forms.
7. Pay attention to design
The way information is presented also affects whether people will notice it or take it seriously. “Social media platforms have extremely high demands for aesthetics and visual impact. Everything has to look really good, really professional.”
Jasmina and her team have won design awards for their content. Once, however, their commitment to striking design backfired.
“We always aim for the front cover of our annual reports to really stand out. One year the theme was ransomware. So we did the report in all black and the envelope said in big letters, ‘You have to pay for your data’. But the Slovenian post office refused to send it out. They said we were blackmailing people!”
“We couldn’t get them to understand it was educational, to raise awareness of ransomware. So overnight we had to repack 600 issues of our annual report into a boring, standard envelope.”
Running better security awareness campaigns, in a nutshell
Cutting through the noise to deliver effective security awareness campaigns is challenging. But by following these tips, you can significantly increase the success of your activities:
- Know your audience
- Use straightforward, relatable language
- Show people why they should care
- Focus on how people can protect themselves
- Be persistent and consistent
- Create different content sizes and formats
- Pay attention to design
Just try not to make your awareness-raising campaign so realistic it gets banned by your national post office.
Jasmina Mešić has coordinated Slovenia’s national security awareness programme at SI-CERT for 10 years. The programme has won multiple awards for innovation and design, including the 2020 Slovenian Grand Security Award and 2014 Content Marketing Project of the Year. Jasmina studied media communication at a faculty of electrical science and computer engineering. She combines communications and marketing skills with a strong understanding of technology and cyber security. Jasmina loves the diversity of her role, tackling different activities and challenges every day.
This year, too, GÉANT joins European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package at dev.connect.geant.org/csm2022