Why haven't cybersecurity awareness campaigns achieved the desired impact on public?!

The main reason for cybersecurity awareness campaigns is to influence the adoption of secure behaviour amongst different segments of public (Bada et al., 2019). Despite the history of cybersecurity awareness campaigns going back to the beginning of the Internet, previous and current campaigns to improve cybersecurity practices have not achieved the desired impact. This is due to their ineffective focus on awareness rather than on changing behaviours.

According to Brady (2010), cybersecurity awareness campaigns need top management support in order to succeed; it’s the most essential aspect for such campaigns. This will help align with previous and current awareness campaigns run by government and private units and accelerate the acquisition of funders for the campaign’s long-term operations.

Carpenter states that IT and cybersecurity management professionals lack the understanding about communication campaigns’ approaches as they focus only on inputs not outcomes. In addition, most campaigns are based on cybersecurity experts and service providers’ advice and recommendations. For that reason, according to Al Shamsi, there are research gaps in setting well-defined objectives and evaluating the effectiveness of these campaigns. Chang and Coppel (2020) argue that the campaigns fail because there was no research or surveys undertaken to know the extent of cybercrimes.

Measuring the effectiveness of cybersecurity awareness campaigns is a complicated process because results do not give real insights into the impact of these campaigns. The focus now is to measure the change in behaviour through risk reduction based on benchmarks and baseline. For example, some campaigns compare the number of victims based on time or location6. Such an approach is effective in identifying the impactfulness of campaigns.

As cybersecurity awareness campaigns target a mass audience, it’s advised to use advanced metrics tools to measure the large scale of data. However, these metrics need to be based on defined and established objectives to help achieve the desired impact. Each segment of audience needs a specific approach by using communication mix models.???

Different theories and models were used to enhance the effectiveness of awareness campaigns. The use of psychological or behavioural theories such as the Regulatory Focus theory or the Protection Motivation Theory are mentioned to make awareness and behaviour change significantly more effective. These theories and models are supported by messages and advertisements that match cultural differences using different persuasion techniques, such as fear appeal, promotional messages, or both.?

A study by the Global Cyber Security Capacity Centre at the University of Oxford concluded that the following five factors could enhance the effectiveness of cybersecurity awareness campaigns(Al Shamsi, 2019):

• Campaigns need to be professionally prepared and organised
• Invoking fear in people is not an effective tactic as it’s widely used as a persuasion technique
• Security education should be targeted, actionable, doable, and provide feedback
• Once people are willing to change, training and continuous feedback is needed to sustain them through the change period
• Emphasis is necessary on different cultural contexts and characteristics when creating campaigns.

Integrity and transparency are two of the Chartered Institute of Public Relations Code of Conduct’s principles of good practice. Barcelona Principles 3.0 also has emphasis on these two crucial principles by stating that “communication measurement and evaluation are rooted in integrity and transparency to drive learning and insights” (Wilkinson, 2021). Thus, campaigns’ management teams are duty-bound to avoid providing inaccurate representation of analysed data and having a biased approach to their campaigns’ measurements.

Also, for communication approaches used by cybersecurity awareness campaigns, such as messages (textual/visual) or advertisements, ethical considerations must be undertaken from all aspects (ex: cultural differences). Smith pointed out that high attention must be given to any ethical consequences when conducting fear or guilt campaigns (as cited by Gregory, 2020).

References

[i] Bada, M., Sasse, A. M., & Nurse, J. R. (2019). Cyber security awareness campaigns: Why do they fail to change behaviour?.?arXiv preprint arXiv:1901.02672.

[ii] NAGYFEJEO, E., & Von SOLMS, B. Why Do National Cybersecurity Awareness Programmes Often Fail?

[iii] Brady, C. (2010). Security awareness for children.?Royal Holloway.

[iv] Topping, C. (2017). The role of awareness in adoption of government cyber security initiatives: A study of SMEs in the UK.

[v] Carpenter, P., 2021. [online] Available at: <https://www.cpomagazine.com/cyber-security/4-critical-elements-of-effective-security-awareness-campaigns/> [Accessed 12 September 2021].

[vi] Al Shamsi, A. A. (2019). Effectiveness of cyber security awareness program for young children: A case study in UAE.?International Journal of Information Technology and Language Studies,?3(2), 8-29.

[vii] Chang, L. Y., & Coppel, N. (2020). Building cyber security awareness in a developing country: lessons from Myanmar.?Computers & Security,?97, 101959.

[viii] Wilkinson, J., 2021.?Barcelona Principles 3.0 - AMEC | International Association for the Measurement and Evaluation of Communication. [online] AMEC. Available at: <https://amecorg.com/2020/07/barcelona-principles-3-0/> [Accessed 15 September 2021].

[ix] Gregory, A. (2020).?Planning and managing public relations campaigns: A strategic approach. Kogan Page Publishers.