From cyber aware to cyber judgement: How CISOs can use the AIDA marketing model to drive change.

TLDR; Combining cybersecurity awareness with the principles of AIDA marketing can help CISOs create security cultures where employees not only understand the risks but are also motivated to take secure actions. 

October is cybersecurity awareness month. But is awareness enough to drive increased security?  

During the recent Gartner Security & Risk Management Summit in London, the Keynote speakers laid out and busted common myths in the industry today. One of them grabbed my attention: more cyber experts = better protection.  

With more technology work predicted to be done directly within business functions and less in IT (Gartner reports that 73% of managers outside of IT want more technologists on their own teams), one could raise that the decentralization of IT poses a security risk to the organization. And that more security experts are needed to ensure better protection, in a context where the number of vacancies in cybersecurity reached 3.4 million in 2022 according to ISC2.  

Gartner argues that cyber judgment - the ability of employees to make cyber-risk-informed decisions autonomously - is a more effective way forward, enabling organizations to work under minimum effective expertise. Organisations that implemented the concept have seen 2x Lower Risk Exposure 2.2x Increased Speed of deployment of new technologies. 

When faced with other Gartner statistics such as:  

• 65% of employees open emails from unknown sources on work devices. 

• 61% send sensitive information via unencrypted email.  

• And critically, 93% acknowledged these actions would increase risk to the enterprise.  

Cybersecurity awareness is not enough. Adopting cyber judgement requires transforming awareness into action. 

This is where CISOs might be inspired by marketing tactics such as AIDA and user-centric experience design.  

The realms of cybersecurity, organizational change, and marketing are increasingly intertwined. While these areas may seem distinct, they share parallels that, when explored, reveal valuable insights for CISOs and CIOs aiming to enable cyber judgement in their organization.  

We'll delve into these parallels and uncover how they can collectively contribute to a more secure and successful digital landscape. 

The AIDA marketing model (Attention, Interest, Desire, Action) can be a helpful framework to outline these parallels.  

In marketing, this stage focuses on grabbing the audience's attention through compelling content or advertisements. 

In the cybersecurity realm, grabbing attention is critical. Just as marketers use attention-grabbing ads, and compelling messaging, cybersecurity professionals employ awareness campaigns and training programs to capture the attention of employees and users. This helps raise awareness about the importance of good security practices. 

A good example is a campaign from the Internetstiftelsen (a Swedish Internet Security Organisation), poking fun at the common weak passwords that lead to rising cases of cybercrime. 

In marketing, after capturing attention, the goal is to pique the audience's interest by showcasing the product or service's unique features or benefits. 

Organizational change often begins with generating interest and buy-in among employees. Much like marketers must generate interest in a product, leaders within organizations must cultivate interest in new policies, procedures, or technologies. This interest can lead to more successful change implementations. 

This is critical considering almost half (47%) of all security incidents originate from internal actors, whether deliberate or accidental, according to Orange Cyberdefense’s Security Navigator 2023 report. 

Tactics often used in marketing can be used by CISOs to do this. For example, providing employees with relevant and compelling reasons to act on cybersecurity that crucially relate to their needs, wants, or problems. CISOs can use artifacts like storytelling, facts, testimonials, or case studies to show how individual cyber secure behaviour can benefit individuals and the organisation.  

In marketing, the desire stage aims to make the audience crave the product or service by highlighting its value and relevance to their needs. User-centric design is all about creating products and experiences that users desire. By understanding user needs, preferences, and pain points, designers can build products that users genuinely want. Similarly, cybersecurity professionals can employ user centric design to craft experiences that reduce the friction to adopt the ‘right’ cyber secure behaviours. Gartner suggests a three-step cyclical approach to do this:  

1. Ideation: Talk to employees to learn how they experience controls. 
2. Design: Co-create security controls with employees and pilot it in different business groups to understand the potential friction implication 
3. Post-deployment: Review pattern in exception requests and policy violations to uncover underlying friction. 

The AIDA model's final stage, action, aligns closely with marketing goals. It's where marketers aim to convert interest and desire into tangible actions, such as signing up for a product demo, or making a purchase. In cybersecurity, this parallels the objective of translating awareness and understanding of security practices into concrete actions, like implementing strong passwords or reporting suspicious activities. CISOs can use strategies from marketing playbooks that use behavioural psychology tactics, such as social proof. In social proof, the underlying principle is that people tend to follow others in situations where “appropriate” behaviour is unknown, as a way of feeling safe, liked, or accepted. For example, CISOs can implement mechanisms including gamification based on statistics, success stories or endorsements that can encourage more to follow the desired behaviours.  

Combining cybersecurity awareness with the principles of AIDA marketing and user-centric design can help CISOs create security cultures where employees not only understand the risks but are also motivated to take secure actions. CISOs can make it easier to implement new security measures, as employees are more likely to embrace changes that are designed with their needs in mind. This interconnected mindset is crucial to enable organizational cyber judgement, as we navigate towards further IT decentralization in an ever-evolving threat landscape.