Security Awareness Contest – Briefing Pack

“Learning is a continuum: it starts with awareness, builds to training and evolves into education”

Welcome! In preparation for your attendance at our creative security event on Wednesday 26th June, we’ve put together some basic background material on the exciting world of awareness campaigns, where information and guidance are provided to a target audience with the intention of influencing attitudes and – through a call to action – ultimately driving behavioural changes that help to address a known problem.

What is cybersecurity awareness, you may ask? NIST’s excellent 800-16 guide on cybersecurity training provides a simple definition of the concept as it applies to the world of technology:

Awareness – the ability of the user to recognize or avoid behaviors that would compromise cybersecurity; practice of good behaviors that will increase cybersecurity; and act wisely and cautiously, where judgment is needed, to increase cybersecurity.

Awareness precedes action

It’s important to remember that the concept of ‘raising awareness’ – highlighting problems and providing easy to follow solutions as part of a coordinated communications campaign to change attitudes or behaviour – existed long before the age of the internet.

Some of the earliest awareness efforts of the 20th century focused on public health issues and provided information to fill a ‘knowledge gap’. By providing simple guidance and a clear call to action it was hoped that citizens would be able to resolve situations that they may previously have struggled with.

This 1937 poster is a great example: “John is not really dull – he may only need his eyes examined”

In this targeted communication, the message is clear – could a quick eye examination for the child who struggles to read be the answer to a lack of educational attainment?

In order to change behavior – whether by persuading people to eat less red meat and more fish, or helping employees come to terms with a changing work force – communication plays a pivotal role

By World War II, the maturing public relations industry had perfected the art of communications designed to change attitudes and national behaviour. In the UK, the Ministry of Information produced stylised propaganda in the form of posters and black and white films to influence the population towards supporting the war effort.

And in a time of war, heightened security awareness was key – one of the best remembered slogans from this era was produced by the American Office of War Information: “Loose Lips Might Sink Ships”, which encouraged anyone with knowledge of sensitive information to pause and prevent military disasters by not oversharing:

Sixty years later this simple phrase was updated for the internet age: “Loose Chips Sink Ships” reminding defence personnel to be careful what they put on the internet:

AFIS BILLBOARD POSTERS. WEB SECURITY. DEFENSE BILLBOARD #132

After the war this communications expertise became a part of the UK government’s Central Office of Information which produced public information films for decades to come. Their output is hugely familiar to anyone who grew up in late 20th century Britain with a range of key characters and often surprisingly scary messaging targeted at preventing young people from dying on railway lines, being electrocuted, drowning in ponds, being abducted by strangers or killed or injured whilst crossing the road.

Safety messaging – Keep it clear and simple and use humour to engage

This 1948 safety video – long before Air New Zealand brought us rapping to extol the use of seat belts – uses humour to engage and educate British citizens on the correct use of a road crossing before the days of zebra road markings:

Thirty years later and road safety messaging was still being pushed out to build awareness, change attitudes and generate action among young children with the aim of reducing road deaths and injuries.

In 1975, just a few years before he became famous as Darth Vader, bodybuilder Dave Prowse starred in a number of safety videos as the ‘Green Cross Code Man’ and championed an easy to remember set of recommendations to kids:

In the 21st century, NZ has proven to be pretty good at road safety messages too, with the 2011 ‘Ghost Chips’ video going global and the complex one-liner associated with the call to step in and stop a friend from drink driving – “I’ve been internalising a really complicated situation in my head” – being named as quote of the year, proving that a brief, witty and original phrase delivered in an amusing way can become a part of national culture:

Safety in the digital domain

Many aspects of road safety education touch on essential life skills – how to cross a road, the importance of wearing a seatbelt, the benefits of driving a safe car at a safe speed whilst not under the influence of drugs or alcohol. And there are serious and obviously negative outcomes for those who fail to take heed of the safety messaging.

Where family funerals and crumpled cars pay witness to road accidents, digital dangers are a lot harder to highlight. This German cybersafety video from 2005, “Where is Klaus?”, uses physical visitors to a family home to push the message that “In real life you would protect your children. Then do it on the internet”:

Bridging the home and business domains of data privacy and security, the following 3 videos use different storytelling techniques to push the message that all internet users should be careful to limit the amount of information that they share online.

In the first short film from Belgium, a mystical mind reader is the public facing frontman for a team wearing balaclavas (not hoodies!) performing open source recon behind the scenes to collate detailed digital footprints. The message? It doesn’t take magic to find the kind of information useful to socially engineer a target:

The UK fraud body Cifas takes a similar approach to encourage Facebook users to lock down their privacy settings and prevent identity theft, using the side of a coffee cup to document just how much information can be found out about you from a simple page ‘like’:

Encouraging people to utilise platform privacy settings should be a quick and easy behavioural nudge. But how far do you need to go to make your message about the risks around oversharing sink in?

Kaspersky hired an artist, created physical merchandise and their own currency – data dollars – to make it apparent that personal information does have a value beyond the underlying 1s and 0s.

As the story in the video below progresses, you can sense some of the shoppers becoming increasingly uncomfortable with the explicit concept of swapping PII for purchases with one stating “I don’t want to pay you with my data.” The closing product pitch is the call to action here: Your data is valuable, protect it:

Combatting cybercrime

Transnational organised cybercrime can take many forms and affect both businesses and individuals. These next two campaigns use different video styles to raise awareness of brandjacking, ransomware and sextortion.

Working with cycle maker Brompton, insurance firm Hiscox rents a shop across the road from a legitimate outlet and shows how cybercrime plays out in the physical world by swamping staff with shoppers (DDoS) and intercepting communications to a delivery firm (BEC) before boarding up the front of the real retailer to demonstrate the impact of a ransomware infection blocking business operations:

After a spate of suicides in the UK, the National Crime Agency (NCA) mounted a clever campaign using video to highlight the growing problem of sextortion with the educational message “The best way to stop yourself from becoming a victim is to be very careful about who you befriend online, especially if you’re considering sharing anything intimate with them.”

‘Jess’ has an attractive social media profile but in the original “want to chat?” video is shown to quickly morph into a male scammer looking for a blackmail payout after tricking a victim into hooking up. The summary message reflects the 21st century industrialisation of online extortion: “It’s just business.”

In order to appeal to a younger audience used to watching YouTube reaction videos the agency also created a different cut of the educational content to provide an alternative version. Unsuspecting watchers react in real time to Jess’ tempting offer and comment on how common this kind of approach now is via various digital channels:

Money no problem? The corporate cyber marketing movie

Technology services and solution vendors traditionally have deep pockets to create their own high quality videos that play out like short films.

‘A Long Day (with no Cybersecurity)’ from Thales looks at the impact of theoretical cyberattacks on critical national infrastructure from transport systems to hospital operations and the video below has a Shaun of the Dead zombie apocalypse feel to it:

Putting this knowledge into action

Hopefully that small selection of videos will give you some ideas for our upcoming contest on 26th June. At the start of the session we’ll touch briefly on the theories behind awareness campaigns and how four factors can help make your message have a positive impact:

  1. A well defined target audience
  2. Objectives and tactics for how you will achieve change
  3. The right messenger
  4. Clear calls to action

If you’re interested in reading more before Wednesday check out the following links:

And as a bonus to budding moviemakers take five minutes to also check out storyboarding basics and how framing and different camera positions can help you craft a better narrative:

We look forward to seeing your video later this week!