• United States




The biggest threat to building organizational cyber awareness

Jan 29, 20184 mins
Data and Information SecurityIT SkillsTechnology Industry

Leadership needs to make retention, not just engagement, the ultimate measure of success.

security training ts
Credit: Thinkstock

In case you haven’t noticed, public airline safety announcements (PASAs) just got more interesting. People genuinely enjoy these formerly tedious messages.

Wouldn’t it be nice to see everyone in an organization engaged in the same way when immersed in complex cybersecurity awareness and policy? Perhaps we can learn something from the airlines to enhance this type of engagement.

The good news is that we can. Unfortunately, the lessons the PASA teach are a bit different than you might imagine. Let me explain.

I’ve studied the effectiveness of the PASA in depth, and one of my takeaways is that the communication of important messages starts as a leadership issue, not a creative one. For example, as the entertainment levels of the PASA increase, retention is still below the 50 percent level, and that level drops significantly beyond two hours. Why?

The naked truth about too much info

The Federal Aviation Administration provides a mandate for what must be covered during the PASA. The airline complies. Yet nowhere is it required that passengers retain the message. There’s no test to see what people actually remember. Thus, engagement becomes the measure of success, not what is actually learned. The result: poorer decision-making when it’s needed most. Just look at the passengers standing on the wing of the plane that landed in the Hudson River; only a few were wearing life vests.

The PASA is (and always will be) an impossible laundry list of thirteen checkoff points, regardless of how they are delivered: in song, via cartoons, or by deliveries from naked airline attendants (yes, Air New Zealand did that). There are just too many points of information given in a short two-minute frame.

Cybersecurity awareness is vastly more complex than a PASA. Yet the same logic in communicating key points is often followed—that is, half-day or full-day sessions bombarding the non-tech executive with too many data points to be truly assimilated, just like the information in the PASA.

Challenging leaders to think differently

Generating cyber awareness is a big business and there are many new innovative training programs that deserve both attention and praise. But it’s not enough if the leaders of these organizations are not fully immersed in the process.    

For example, surprising results are achieved when you challenge executives to think differently about retention versus mere engagement.

Workshop experiments on using leadership skills to change the PASA experience have led to thought-provoking concepts. Examples include family days at the airport where kids learn the PASA in a fun environment early in life; watching an actual airline accident that wakes you up to the reality of accidents while flying; or using touch screens to answer PASA questions before being allowed to watch in-flight movies.

The positive results of turning a boring message into an experience that engages and drives retention suggest a similar path for pioneering ideas enhancing cybersecurity awareness and internalizing proper cyber behaviors.

Here are a few examples.

Confront the enemy

Get to meet hackers (role-playing actors) with the intent to harm your business. After all, confronting the enemy face to face isn’t easily forgotten and leaves you with a memorable message regarding the seriousness of the issue.

Imagination sessions

The malicious actors spend a lot of time coming up with creative ways to hack your business, from replacing your business overnight to holding your data ransom. But looking forward to what will happen rather than in the rearview mirror as to what did happen will allow an organization to anticipate the knockout punch it wouldn’t have seen coming.

Behave like the enemy

You can’t defeat the enemy if you can’t think like them or act like them. This experience encourages your participants to act like the adversary by encouraging them to cheat on a test and then assessing their creativity. This will raise their radar regarding how hackers enter your organization’s systems.

Within the course of the examples above, the C-suite leaders and their teams expand and retain their knowledge base in order to make smarter security decisions and adapt smarter behaviors. Of course, as a leader you must be willing to invest not just the money and the time to go beyond traditional teaching methods, but your time as well. Otherwise, your organization’s cybersecurity efforts will never truly get off the ground.


Andy Cohen is a cybersecurity and infosec thought leader, TEDx and Google Talks, West Point speaker and published author. His new book, Challenge Your Assumptions, Change Your World will be reviewed in the upcoming Army Cyber Defense Review in which Cohen is also a contributing columnist. He customizes his keynotes/workshops to infosec teams, organizational cyber awareness, CEO and senior leaders and to CIOs/CSCO and their teams.

Andy is founder of Andy Cohen Worldwide.

The opinions expressed in this blog are those of Andy Cohen and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.