As social engineering and data breach attempts become more sophisticated, the need for cybersecurity education is more important than ever, yet the most at-risk generation doesn't seem to care about the topic. Your cybersecurity awareness campaign is competing for time with Netflix and Snapchat. How do you break through the noise?
At Texas A&M University, we strive to create cybersecurity awareness campaigns that engage students in security education while competing with the fast-paced digital world. For six years, we've created awareness campaigns featuring online cybersecurity games that entice more than 10,000 campus members to participate. This number continues to grow each year.
But we didn't start there. Planning a successful campaign takes time and patience, but is possible no matter your team size or resources.
1. Set Your Goal
Clearly defined goals and a realistic project timeline are essential for campaign success. An effective campaign must be thoughtfully planned and researched. Use the following outline to set realistic and measureable goals for your team.
Define your audience: Who are you targeting with your campaign?
Pursue an interactive course of action: How will the audience interact with your campaign? An active and engaged audience can retain more information and becomes more invested in the outcome.
Analyze your results: How will you know if your campaign is a success? Set a success metric as a quantifiable and easily measureable result of your campaign. Your metric could measure time, quantity, or intensity of engagement. For example, you may want to measure average time of participation, quantity of participants, or the percent of participants who take a certain action. Whatever your metric, make sure it will be a fair assessment of your results and easy to measure.
2. Gather Your Team
Your team is your most valuable resource. Focus not only on recruiting enough help but also on acquiring the right kind of expertise. If you are creating a campaign to capture the attention of students, involve students. Student employees have been essential in our quest to break through the noise while also supplementing full-time staff. Don't forget your security team! They know which security issues are the most prevalent on your campus.
3. Plan Your Timeline
Give yourself time to be creative. The "extra" things that make your campaign stand out will be the first to go when your team feels pressed for time. Start early and give yourself time to reach your goals. For our team, this means we begin the planning and creative phase of our October campaign for National Cyber Security Awareness Month (NCSAM) as soon as the spring semester ends in May.
Leave plenty of time to brainstorm. It is unlikely you will come up with the best idea for your campaign in the first few meetings. Starting early reduces the pressure to go with the first thing that comes to mind. Once you have landed on your brilliant idea, you will have plenty of time to implement it in a way that stands out.
4. Target Your Topic
Make sure your message connects with your audience.
Be relevant: Information security is a broad and sometimes overwhelming topic, so it is helpful to focus your campaign on one aspect of security. Pick something highly relevant to your students or campus. In the past, we have focused on blocking phishing attempts, securing social media, and protecting personal and financial information.
Be relatable: Unfortunately, valuable information alone is not going to break through the noise. To be successful, you must relate to your campus. Some of our games center around Aggie themes like campus life or Texas A&M football.1 Authenticity is key when creating these campaigns. Students are skilled at sniffing out content that seems canned or has a one-size-fits-all feel. Creating a unique and targeted campaign resonates with college students.
5. Finesse Your Structure
Structure is the way your campaign or message is presented. At Texas A&M, we build an online game where students answer 8–10 questions about security and they receive a score and result. The theme and content change, but the structure remains the same each year. This isn't the only way to accomplish cybersecurity education. Other successful structures could involve a social media campaign or an on-campus event. Use the following criteria to build a structure that would work on your campus.
Promote interaction: You want your audience to actively think about cybersecurity. In our structure, they answer questions. In another, they could be prompted to submit something for a contest, enter a short video, or answer a question on social media. In short, an effective campaign should drive some type of interaction from your target audience that promotes real learning on the subject.
Provide feedback: Humans love a challenge. Immediate feedback sparks a sense of competitiveness and motivation. If they answer a question, make sure they get a correct or incorrect result. If they interact on social media, give them a quick response. This engagement helps with information retention and encourages authentic participation.
Use repetition: The Rule of Seven states a receiver must hear or see your message seven times before it becomes ingrained. You may drive your audience mad if you repeat your message seven times, but make sure your key messages appear more than once. During our campaign, students are presented with a security tip in each question and answer. At the end, they receive a condensed security checklist in an e-mail reminding them what they just learned. When the goal is information retention, repetition plays a major role.
6. Craft Your Promotion
Getting your audience to care about cybersecurity doesn't have to feel like pulling teeth, but you will have to provide a little incentive.
Be relevant: We've said it before and we will say it again. You have to keep your ear to the ground to convince students to engage. Modern culture is a moving target, and today's young adults are exceptionally good at spotting inauthenticity. You have to speak their language and get creative—use GIFs, videos, and pop culture references. On the Internet, the better you are at fitting in, the more likely you are to stand out.
Create "virality": The ultimate awareness campaign is one that creates self-sustained promotion or "virality" with a high incentive to share. To increase the share-ability of your campaign, you must make the barrier to post on social media as low as possible. If your campaign does not live on a social media site, there should be an easy, one-click way to share your campaign across popular social media platforms. Additionally, you must give participants content worth sharing. We use a BuzzFeed model. At the end of the game, participants are given a fun result. For example, they are a super-senior and just don't quite have the skills to graduate. Or because they are so great at spotting phishing attempts, they beat our biggest rival and won the playoff game. These results make the campaign feel personalized and give students the opportunity to share something fun with their friends.
Give incentives: Even with great promotion, nothing is better to a college student than free food. But awarding prizes doesn't have to be a burden on your budget. At Texas A&M, we partner with local restaurants to give coupons to every participant. The promotion is a very low cost to the business and nets them thousands of advertisement impressions in a few short weeks.
7. Reflect On Your Success
Evaluating your results is the most important — but often skipped — step of the process. This is your time to hold yourself accountable to your success metric. If you reached or surpassed your goal, what went well? What information can you leverage for next year? If you didn't reach your goal, what would you like to try next? Is there another area that you succeeded in that wasn't included in your success metric? Answering these questions will allow you to do the following.
Improve future campaigns: After the evaluation, you should have a clear idea of what improvements can be made to increase your success in the following years.
Increase budget or resources: With hard data to back up your work, it will be easier to convince leadership to make security awareness month a priority in future years.
Celebrate your accomplishments: At the end of the day, security awareness is important. Any success in your campaign is something to be celebrated. Creating this campaign is not easy. It is an uphill battle, but one worth fighting. Take time to celebrate your accomplishments!
Creating a security awareness campaign that convinces your campus to interact and take notice is a challenge (and doesn't happen overnight). But if you follow our seven tested steps, you can create a successful campaign no matter your team size, time allocation, or budget.2
- Each year, Texas A&M creates a campus-wide information security campaign for NCSAM. View or play previous games.
- Hear Allison Oslund discuss Texas A&M's security awareness campaigns in this EDUCAUSE Live! webinar recording, "Creating a Culture of Cybersecurity and Safety on Your Campus and in Your Community."
Morgan Hampton is a student coordinator and Allison Oslund is a communication coordinator with Texas A&M Information Technology at Texas A&M University.
© 2017 Morgan Hampton and Allison Oslund. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.