Journey Mapping: Cultivating a Mindset for Security Awareness


When was the last time you crawled inside someone’s mind? You would probably perceive it as not a very comfortable place to be. After all, people are generally impatient. They don’t follow policy and they find tech speak frustrating. Let’s face it, everybody is a bit quirky when you get down to it.

This may all be true, but what’s also true is that, until you get them by perceiving who they are as fellow workers, they will never get you. And this situation of ‘not getting each other’ means fighting an uphill battle when you try to get fellow workers to follow basic security protocols, with the end goal of ensuring corporate data remains protected.

Spelunking Gear for the Mind

Journey mapping is a concept that was originally developed by marketers and product teams to help them better understand their customers and prospects. But you can use this same concept to help understand “a day in the life” of your typical user or worker. The process can take time and will require some conversations and observations, but the time spent will be worth it.

Let’s take a look at the steps behind leveraging journey mapping within the context of your security program:

  • Identify and segment employee roles. Different roles impact systems differently. It’s important to map people based on the roles they have within the organization.
  • Understand the typical day of an employee in each role.
  • Consider how an employee in a specific role is influenced by their emotions and motivations. Consider also how these emotions and motivations change as they’re dealing with different technology and/or security touchpoints.
  • Consider how employee experiences in a specific role may change with the time of year, day of week, etc.
  • Consider how their moods, emotions, and ability to perform tasks might change based on aspects of work demands—e.g. busier times like holiday seasons.
  • Identify each role’s physical, technological and social touchpoints. Where do they go throughout the day? Who do they see? What distractions do they have?

At a high level, what you will be looking for as you complete the journey map are opportunities to capture the attention of these employees. You’ll want to identify the points of time, locations, and contexts that you can design for within your security training regimen.

You want to understand—deeply understand—the journey an employee takes in each role you’ve identified in their day-to-day activities and how these interactions might vary by day of week or time of year, as well as by various job-related impacts.

A Focus on Behaviors

As you consider each role you’ve identified, you’ll benefit from using a Journey Map Brainstorming Sheet where you can jot down answers to questions such as:

  • Who are they?
  • Where are they?
  • What are they doing or about to do?
  • What is their goal?
  • How are they feeling? (emotions)
  • Who else is around? (social)

There are other prompts I’d recommend, but this should give you a sense of the type of behavioral and attitudinal detail you want to drill down into. Why? Because the more you understand “a day in the life,” the better you’ll be able to identify the opportunities you have to deliver messages and behavioral interventions at points in time when they are most likely to be receptive and act upon them.

You’re attempting to find points of time, locations, and contexts to design for within your security program. Can you add a gentle nudge at the point of behavior? How about a timely reminder? Or maybe find a way to alter the social dynamic around a type of behavior? At these points of intersection, you may also consider how you might reward and reinforce successes while providing just-in-time, point-of-behavior interventions to help minimize failures.

Understanding Leads to Intervention Opportunities

That’s what happens when you take the time to climb inside the mind of your people and understand—really understand—a day in their lives. A day that is filled with myriad interactions and opportunities for you to reinforce key messages and actions that will enliven a degree of security awareness in the effort to keep your systems and data safe.

Gleaning these insights through journey mapping can help you understand how your program elements intersect with discrete points in the lives of your employees. This, in turn, will help you become more intentional about how and when you deliver your security program elements.

The bottom line: You need to understand the lives, actions, and interactions of your people so that you can more strategically intersect their lives with relevant awareness and security-first behavior.

Keep in mind, also, that these maps will change over time as the internal and external environment changes. Consider, for instance, how journey maps created before March 2020 and the spread of the coronavirus looked when compared to how they would look today. Environmental impacts aren’t usually this extreme, but things do change.

Journey mapping is a process, not an event. It’s a process that, when carefully considered and frequently revisited, can help you ensure that your employees “get it” because now you “get them.”

About the Author

Perry Carpenter is the author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley, 2019). He is Chief Evangelist and Security Officer for KnowBe4, the world's largest security awareness training and simulated phishing platform. He holds an MS in Information Assurance (MSIA) from Norwich University and is a Certified Chief Information Security Officer (C|CISO).


