
Why marketing principles can help a security awareness program succeed

Veteran CISO Ernie Hayden offers ideas from the realm of marketing to help spread security awareness like a virus -- but in a good way.

Marketing is an ongoing communications exchange with customers in a way that educates, informs and builds a relationship over time. The "over time" part is important because only over time can trust be created. With trust, a community builds organically around products and services and those customers become as excited about the products as you are — they become advocates, loyal evangelists, repeat customers and often, friends. Marketing is a really great way to identify what grabs people and gets them excited about your brand and give it to them, involve them in the process, and yeah, the best part, build great friendships in the process. -- Renee Blodgett, chief executive officer/founder, Magic Sauce Media

While the above definition relates specifically to marketing, it can be extrapolated and applied to other fields. For example, take a moment to read it again and reflect on whether the definition holds any value when associated with a security awareness program. Any security professional who's been around long enough to see how quickly a security awareness program can fail knows that these efforts are challenging, not always effective, do not last over time and can be quite expensive (not to mention boring and repetitive).

When boiled down to its essence, though, isn't a security awareness program just trying to educate customers and get them excited about a product? In other words, the organization really wants its employees and contractors to understand the security awareness messages being delivered to them, with the ultimate goal being end users following through on those messages and acting in a secure manner so as to protect the company's physical and cyber assets.

In this tip, we'll determine ways in which the world of marketing can help enterprises create and sustain more successful security awareness programs.

STEPPS to a better security awareness program

In March 2013, Dr. Jonah Berger, a professor of marketing at the University of Pennsylvania's Wharton School of Business, published his book Contagious: Why Things Catch On, which details his long-standing research on why stories get shared, why emails get forwarded and why videos go viral. As social media continues to expand at an explosive rate, Berger is intrigued as to why some seemingly innocuous videos go viral, yet some emails or posts that appear important are stymied. In his book, Berger notes that there are six principles of contagiousness (or STEPPS, as he calls them) that will help define whether or not content will go viral, including: social currency, triggers or cues, emotion, public, practical value and stories.

"Contagious products and ideas are like forest fires. They can't happen without multitudes of regular Joes and Janes passing the product or message along," wrote Berger in his book. But what needs to be done to create this enthusiasm? And, for the purposes of our discussion, can these ideas spur a security awareness campaign toward success?

As a thought experiment, I took Berger's STEPPS and examined ways to include his principles in security awareness program messaging.

Social currency -- Gaining social currency largely revolves around sharing information that makes us as individuals look smart, contemporary and up to speed on current issues. Translated to the security world, social currency can be gained by sharing stories about current cybersecurity news, and then explaining how that news can affect both the company as a whole and individual employees (and their families). For example, when a company or government agency experiences a large-scale data breach, send out information on the breach and, if it might affect any end users, explain how employees can react to keep their personal information safe. Such measures will show users how information security affects both their livelihoods and their personal lives in a number of ways, making it more likely they'll buy into a security awareness program.

Triggers -- Triggers, or cues, can be used to make people think about a product or idea, or, for our purposes, following good security practices. Basically, CISOs and IT teams should design the security awareness messaging so that it is top of mind. As an example, nice polo shirts can be awarded to employees who win security contests or show excellent initiative by repairing a security-related problem, with the idea being that the nice shirt that everyone wants may stimulate more focus on following security.

Emotion -- Berger notes that emotional content often gets shared, so focus on feelings. Ask whether talking about the company's security program generates any emotion or energy. Craft the messaging so that it brings out some sort of emotion, whether it is laughter or anger. Perhaps a story of an identity theft affecting an elderly lady can be sent out; at a minimum, I would expect such a story to generate feelings of sympathy and compassion, which, again, would make employees more likely to remember and share the security aspect of the content.

Public -- How can you make the action of following the company security program advertise itself? Can people see when others are properly following security protocols? If not, try to make the security practices more apparent so that they are easier to imitate. For example, a "no piggybacking" policy can be applied at secure entrances and exits, or "good practitioners" can be publicly rewarded for following a clean desk policy. In such cases, a visual security presence can help reinforce security practices in areas that are not as visible.

Practical value -- Simply put, people are more likely to use the content of a message if it has some practical value for their lives. How does complying with corporate security help people to help others? How can the security awareness program be configured so that others want to talk about it and the good practices within? It might be better to give users the "carrot" rather than the "stick" in this instance, so emphasize the benefits of security rather than the penalties. For example, demonstrate how to lock a PC or encrypt a hard drive, and then detail how taking such relatively simple actions can save both the company and the end user money and angst in the long run.

Stories -- How can a security program expand so that it is "advertised" through stories and viral means that people want to share? Use stories to share lessons learned or morals, but don't make them boring police blotter narratives. Instead, build in characters and fun elements that make the employees want to tell the stories again at work and at home.
Berger's book is an interesting read that can provide new ideas to those in marketing/advertising, security or any other field. For security professionals in particular, some of Berger's ideas can take typically dry issues and help transform them into something more interesting and contagious, and thus help organizations be better protected and, as a result, financially strong. For any company looking to implement a security awareness program (or reinvigorate one currently in the doldrums), I'd suggest at least trying a few of his ideas. You never know which ones might be contagious – in a good way.

About the author:
Ernest N. "Ernie" Hayden, CISSP, CEH, is an experienced critical infrastructure protection/information security professional and technology executive providing global thought leadership for more than 13 years in the areas of critical infrastructure protection, cybercrime, cyberwarfare, industrial controls security and business continuity/disaster recovery. This is in conjunction with his work in the areas of leadership and technical business management, which he has been focused on since 1974. Based in Seattle, Hayden devotes much of his time to critical infrastructure protection and analysis, industrial control systems security, energy and utility issues including smart grid security, and studying the security of these systems against contemporary threats. Hayden is an Executive Consultant with Securicon and has held roles as a Global Managing Principal at Verizon and an information security officer/manager at the Port of Seattle, Group Health Cooperative (Seattle), Seattle City Light and Alstom ESCA. Submit questions or comments for Ernie Hayden via email at

This was last published in January 2014
