When was the last time you crawled inside someone’s mind? You would probably perceive it as not a very comfortable place to be. After all, people are generally impatient. They don’t follow policy and they find tech speak frustrating. Let’s face it, everybody is a bit quirky when you get down to it.
This may all be true, but what’s also true is that, until you get them by perceiving who they are as fellow workers, they will never get you. And this situation of ‘not getting each other’ translates into fighting an uphill battle when attempting to get fellow workers to follow basic security protocols with the end goal of ensuring corporate data remains protected.
Spelunking Gear for the Mind
Journey mapping is a concept that was originally developed by marketers and product teams to help them better understand their customers and prospects. But you can use this same concept to help understand “a day in the life” of your typical user or worker. The process can take time and will require some conversations and observations, but the time spent will be worth it.
Let’s take a look at the steps behind leveraging journey mapping within the context of your security program:
At a high level, what you will be looking for as you complete the journey map are opportunities to capture the attention of these employees. You’ll want to identify the points of time, locations, and contexts that you can design for within your security training regimen.
You want to understand—deeply understand—the journey an employee takes in each role you’ve identified in their day-to-day activities and how these interactions might vary by day of week or time of year, as well as by various job-related impacts.
A Focus on Behaviors
As you consider each role you’ve identified, you’ll benefit from using a Journey Map Brainstorming Sheet where you can jot down answers to questions such as:
There are other prompts I’d recommend, but this should give you a sense of the type of behavioral and attitudinal detail you want to drill down into. Why? Because the more you understand “a day in the life,” the better you’ll be able to identify the opportunities you have to deliver messages and behavioral interventions at points in time when employees are most likely to be receptive to them and act upon them.
You’re attempting to find points of time, locations, and contexts to design for within your security program. Can you add a gentle nudge at the point of behavior? How about a timely reminder? Or maybe find a way to alter the social dynamic around a type of behavior? At these points of intersection, you may also consider how you might reward and reinforce successes while providing just-in-time, point-of-behavior interventions to help minimize failures.
Understanding Leads to Intervention Opportunities
That’s what happens when you take the time to climb inside the mind of your people and understand—really understand—a day in their lives. A day that is filled with myriad interactions and opportunities for you to reinforce key messages and actions that build security awareness and help keep your systems and data safe.
Gleaning these insights through journey mapping can help you understand how your program elements intersect with discrete points in the lives of your employees. This, in turn, will help you become more intentional about how and when you deliver your security program elements.
The bottom line: You need to understand the lives, actions, and interactions of your people so that you can more strategically intersect their lives with relevant awareness and security-first behavior.
Keep in mind, also, that these maps will change over time as the internal and external environment changes. Consider, for instance, how journey maps created before March 2020 and the spread of the coronavirus looked when compared to how they would look today. Environmental impacts aren’t usually this extreme, but things do change.
Journey mapping is a process, not an event. It’s a process that, when carefully considered and frequently revisited, can help you ensure that your employees “get it” because now you “get them.”
About the Author
Perry Carpenter is the author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley, 2019). He is Chief Evangelist and Security Officer for KnowBe4, the world's largest security awareness training and simulated phishing platform. He holds an MS in Information Assurance (MSIA) from Norwich University and is a Certified Chief Information Security Officer (C|CISO).