Reducing enterprise risk through information security
Cybersecurity. It’s an increasingly important challenge for any company operating in the world today. The growing pace and complexity of cybersecurity threats has become all the more apparent given very public breaches at notable companies, like Yahoo! and Sony. In light of the extensive legal and brand implications, many companies are recognizing the need for approaches that truly capture employees’ interest and inspire action.
AECOM was no exception. In an era of increasing complexity, AECOM wanted to reduce its enterprise risk through information security awareness and training. The company’s Global Information Security Group was putting preventative measures in place and must be coupled with strong communication to increase employee awareness and education on cybersecurity topics. They turned to us for help developing an overall strategy, messaging, design framework and communications plan for Information Security Education & Awareness.
A clear need for a more personal and relevant cybersecurity conversation
Interviews with employees about the effectiveness of current communications revealed that people largely did not understand the broader cybersecurity issue. They believed that information security is a given that someone else is taking care of. Thus, to foster employee engagement and understanding, any communication must make a personal connection and imbue a sense of individual responsibility. Further, tying into the company’s existing culture of caring and highlighting the security of digital data as an aspect of organizational safety would make communication more compelling and effective.
Creating a bold, unifying theme to reframe the issue
We explored several options to transform these findings into a unifying, attention-grabbing narrative. The theme must make a direct appeal to employees, evoking engagement. It also should combine messages of safety and security to create broader impact and be expressible across a variety of mediums in alignment with AECOM’s existing content plan. Recognizing the powerful impact of cohesive storytelling, we knew this narrative should possess the potential to tie into the organization’s greater resilience message, as well as the ability to stand alone.
We aimed to reframe the issue — something employees largely perceive as a hassle — into something they not only take interest in, but actually want to excel at. Tapping into a sense of social responsibility and personal achievement could make education efforts more effective, ultimately inspiring employees to make better information security choices.
Making messages sticky and brain-friendly
As we developed these themes, we wanted to maximize effectiveness through brain-friendly appeal. First and foremost, any concepts must be memorable and attention grabbing, leveraging positive emotions to reduce stress and enhance stickiness. They should be socially engaging, tapping into innate desires for relatedness and connection with others. To make the content actionable and authoritative, we incorporated concrete examples of behaviors and skills desired in employees. Making all concepts appeal to the individual also added a sense of personal relevance. Lastly, our recommendations for message dissemination were developed with a careful consideration of timeliness and consistency yet not overwhelming or annoying. For each big picture concept, we developed key messages and sample creative touch point mockups.