Reinventing Security Awareness

The late David Ogilvy – perhaps the greatest advertising genius of our time – included a chapter in his landmark book, Ogilvy on Advertising, on the use of video to influence human behavior. His chapter offered several practical tips, and it is interesting that his first two suggestions focused on humor and slice-of-life to drive customer behavior. Both techniques, in Mr. Ogilvy’s estimation, are effective at influencing viewers to act.

This advice is powerful in the context of cyber security, because most companies have discovered the power of video to train employees. They’ve come to recognize that if you want employees to be judicious with email links, or discreet in discussions, or careful with sensitive data, then video is an excellent way to accomplish this goal. And if you listen to Mr. Ogilvy, then humor and slice-of-life are preferred approaches.

I had the opportunity to spend time with Michael Madon, CEO of Ataata, to discuss how his company is creating world-class video content for business customers to improve employee security awareness. It was fun to discuss the creative process, production design, and platform-related issues on how risk can be scored and used to improve the overall posture of a company. Here is a summary of our conversation:

EA: Michael, let’s start by going through exactly what you and your team do at Ataata.

MM: Ataata’s model is software-as-a-service, and the process is simple: Each month, our customers receive a new learning module which guides them to watch one of our original security awareness videos. The employee is then directed to answer a question designed to reinforce the key takeaway from the video. And then, they will see a measure of their performance relative to colleagues. Companies can customize their training by including their own material relevant to that month’s topic. It’s all quick and seamless. The process typically takes three minutes to complete. And since the platform is universal, employees can complete their training wherever they are from any device.

EA: You said Ataata’s security awareness training is making a difference. What makes your approach more effective than other solutions in the marketplace?

MM: A lot of security awareness programs miss the mark. The challenge is finding a way to engage people who’ve been conditioned to tune out training completely. You can’t expect to change employee behavior if you don’t give them a reason to care about security. That starts with better content and a seamless user experience. Our learning modules are written and produced by veterans of the TV industry who understand how to use humor and related techniques to influence user behavior. The result is content that looks and feels like a typical workplace comedy. Once we capture their attention, then we can show employees how their security decisions can impact the company and their own lives.

EA: How do you find the right balance between entertaining your users and getting them to change their behavior?

MM: Our top priority is keeping our audience engaged. The challenge is presenting everything in a way that any employee can relate to and understand. Our creative team consults with industry experts to make sure we’re covering the most important topics and conveying the right messages. Our goal is to get people to pay attention and understand why their actions matter. Most security breaches involve human error. If we can get employees to take a step back, breathe and think about what they’re doing, we can help companies reduce those breaches and ultimately save time and money. And we know it’s working. After three months of training, 83% of Ataata users indicate that they’ve changed something in their daily lives to make them more secure.

EA: Explain the connection between employee risk and Ataata’s security awareness training.

MM: We know our training platform is changing the way employees think about security and making a real difference for our clients. But at the end of the day, it all comes down to data. Our proprietary algorithm analyzes sentiment, engagement, and knowledge. And every time a user interacts with the platform, it tells us something valuable. Ataata’s platform continuously collects information about individual employees, specific organizations, and industries at large. Are certain employees completing their learning modules right away? Who has missed three knowledge questions in a row? Which employees seem susceptible to specific types of phishing tests? Do employees in one department have different attitudes about security than another? Are certain industries better about protecting information than others? Data from one event won’t tell us much. But data collected from millions of events over time can reveal incredibly valuable information for the companies we serve.

EA: How do you see this process helping companies deal with and analyze employee risk?

MM: Ataata helps security professionals identify immediate issues by assessing employee risk and analyzing notable deviations to predict future problem areas. Security professionals know how difficult it is to separate the noise from true warning signs. If logging in to the company’s network after midnight triggers an alert, should a CISO be concerned every time that bell sounds? Or every time someone prints a document after 10PM? Or any other action that might get flagged? False positives abound, and it’s difficult to clear the clutter surrounding an employee’s digital footprint. It’s critical that we understand why one person’s behavior might be more problematic than another’s.

EA: Talk about the Ataata dashboard and how security professionals can monitor their training.

MM: At Ataata, we put as much thought into our analytics as we do into our content. We know that awareness training only has value if you can measure its effectiveness. Our dashboard gives CISOs the ability to see who’s watching their videos and who’s answering their knowledge questions correctly. We also assess employee attitude about security and track how that changes over time. And we show companies how their workforce is performing compared to people in their industry specifically and compared to all industries in general. Much of the information available on our dashboard plays a critical role in how we assess employee and company risk. That’s by design. Training gives us better insight into risk. And understanding risk helps us develop more effective training.