Shocking and scaring into awareness?
A report appeared in the Telegraph this week that said that security awareness campaigns should be as striking as the AIDS campaigns of the early 1980s.
Speaking on BBC Radio Four's Today programme, Major General Jonathan Shaw, who was formerly head of cyber security at the Ministry of Defence, has called for a widespread cyber hygiene campaign, in response to the UK being ‘extremely vulnerable’ to cyber attacks.
Shaw said the government must "launch a cyber hygiene campaign like they did with the AIDS epidemic in the 1980s" and said that individuals are "on the front line" and must be warned their computers are at risk, as the government is "not in charge of cyber space".
Those who remember the early 1980s (whether you were there or not) will recall the impact of the AIDS awareness adverts, with icebergs and the dramatic John Hurt voiceover, and how they scared the general public into reading the leaflet that dropped through their letterbox.
Is this the sort of impact we really want to have upon the general public? With the AIDS awareness campaign, the guidance was pretty straightforward and while it required lifestyle changes for some, I suspect that for the majority the fear turned into confusion.
That could be the case here: if the campaign says ‘there is a new threat that is not a physical one’ or ‘you must change your password to a multiple-character one that cannot be guessed by anyone’, some people may ignore it and consider it hot air, while others may take it on board but without any lasting effect.
Brian Honan, founder of BH Consulting, who has recently been appointed as a partner to Securing the Human for security awareness training programs, said that the trick is to get appropriate messages that will resonate with people.
He said: “Ongoing security awareness campaigns are crucial to ensuring people are aware of the security threats they may face at home or at work.
“Scaremongering only has a limited value in that it focuses on one particular threat or issue. As a strategy this does not work on its own but can work as an element of an overall campaign. So instead of the AIDS campaign, I would suggest road safety campaigns as being a better model. With road safety campaigns, messages are targeted to different audiences in different ways.
“A good example is how many people of a certain age still remember the green cross code? And today you see TV advertisements after the watershed showing the effects of graphic car accidents. So tailoring a consistent message and delivering it in the most appropriate format for the audience is better long term than shock tactics.”
The example of ‘clunk click every trip’ is often cited to me as a good example of how a campaign can be straightforward, effective and memorable.
Last week plans were announced to get better messages about online security to school children and to men who use the internet but are not aware of the risks, but how would such a campaign work for both demographics?
Maybe the issue is one that should ensure that the power of the internet is not lost upon the beholder. Ronnie Khan, managing director EMEA North at Qualys, said: “As more and more computing power makes its way into the homes and pockets of the general public, Major General Shaw is right to raise the point that the public will need to be taught the dangers, as well as opportunities this presents on a personal, professional and national level.”
Likewise, Yogi Chandiramani, senior manager of systems engineering, Europe at FireEye, said: “We now rely on internet connectivity to support so much of our daily lives that Shaw's call for an aggressive public awareness campaign can only be welcomed. Human error still accounts for too many cyber incidents, and a widespread lack of understanding – coupled with the increasing sophistication of cyber criminals – has led to a significantly raised threat level.
“Today's hackers are moving beyond the typical phishing attempts of previous years to more targeted, intricate and complex attacks. With this in mind, continually educating and re-educating the public on the growing security risks would be a positive step for the government in controlling the threat.”
While any campaign would be welcomed, and at the same time critiqued and analysed for its effectiveness, I can see the point that Shaw is trying to make. He wants to strike at the heart of awareness to make sure that people take note, and remember the rules for ever.
However, in the last 30 years the world has changed a lot and the public are arguably much more cynical than in the early 1980s, and such a tactic may be lambasted rather than appreciated.