It’s no secret that the cyber security industry loves acronyms. Today, I’ve got the pleasure of breaking down arguably one of the cyber industry’s most infamous acronyms: Fear, Uncertainty, and Doubt, also known as FUD!
Specifically, we’re going to talk about how FUD has been heavily relied on for years when educating people about cybersecurity and why now it’s time for that to change for good.
If you want your organization to have a successful security awareness training program, FUD is not the answer. We’re going to talk about what strategies you can use to empower your employees rather than scare them.
Why FUD doesn’t work
Let’s delve into what FUD actually means. Cyber threats in general can be a scary topic, but that’s not what FUD is describing. When applied to security awareness training, Fear, Uncertainty, and Doubt can be broken down into these descriptions:
- Fear: An emotion that ignites due to tactics meant to scare people into doing something such as “if you click a phishing test you’re fired.”
- Uncertainty: A mental state where you lack clarity on a subject. This can often lead someone to not try in case of being wrong and fearing punishment.
- Doubt: A mental process that leads to questioning one’s ability to succeed due to the ‘severity’ of the topic.
So how and why did all this FUD begin?
The term FUD has been around since the ’70s and has stayed alive within technology industries after all these years. Back in the day technology was seen as some kind of ‘black magic,’ which was advancing rapidly. Since there was a big question mark for a lot of people, organizations started taking advantage of their position in the market.
One of the more popular examples is companies that used the technique of FUD to scare people from purchasing other competitors’ technology-based products. Today, technology is the new norm and touches almost every aspect of our lives but that doesn’t mean the FUD strategy is gone — but rather evolved.
Despite the industry-wide agreement that this form of education is outdated and not relevant for organizations today, some of the most successful security training companies are still getting away with using FUD to train employees. How could this be?
It’s because that’s all that’s been known until recently. You might think “it’s the same topic who cares how it’s being taught,” but in reality, it’s doing more harm than good for the mindsets of employees. Does the infosec industry even care if the training is effective?
Why fear leads to less effective security training
Even though using FUD in security awareness training might trigger an instant reaction from your employees, it doesn’t establish any beneficial long-term results. Using the research provided by Dr. Karen Renaud and Marc Dupuis in their article Why Companies Should Stop Scaring Employees About Cybersecurity, proves that fear tactics are not an effective way to propel your employee’s cyber hygiene.
The long-term effects can not only be unproductive but also detrimental to an employee’s emotional intelligence. By using fear-tactics, these could be the negative outcomes among your employees:
- Resentment: When people feel forced into doing something using negative tactics, some will often respond with a similarly negative response such as anger, denial, and resentment. This can result in refusal to participate and even something as drastic as insider threats.
- Anxiety: When you use FUD as an appeal for people to follow best cyber practices, for some individuals it can create a deeper impact of anxiety to participating in any cybersecurity-related actions. This can either deter them from participating or make unnecessary mistakes due to a lack of confidence.
- Defiance: When being told not to do something ‘…or else,’ can create a common response to just do it anyways. Anyone who had a rebellious teenage phase knows what I’m talking about. Like a child that’s been told: “don’t draw on the wall with a permanent marker or no tv” — that might work sometimes, but 9/10 times that child will still draw on the wall with a marker to see what they can get away with. This is no different than an employee being faced with FUD in security awareness training.
The risk of putting your employees in any of these three states should be enough to find an alternative option. Each of these will not only make your company more vulnerable to human error but can also create a toxic culture for your employees.
For those of you confused about what FUD looks like in security awareness training, it comes in many forms such as content that promotes complication and mystery, potential threats to your job, and the infamous ‘scary hoodie hacker’ we’ve all seen before. FUD doesn’t always look the same but you usually know when you see it with stock imagery or cringe-y actors. Your employees are probably cringing as well.
Phishing for FUD
Phishing simulation tools are one of the most common security awareness training tools that we see is still run by FUD. Something must have been lost in translation about the purpose of phishing simulations. They’re meant to teach, not punish. Even though we’ve seen a decrease in FUD within training content through the years, phishing tests are different because it’s all about short-term wins.
Employees should never fear making a mistake in practice, that’s why it’s called practice. It creates a safe environment for employees to understand the reasons they failed so when it comes to the real thing they’re more prepared.
As an IT admin, using phishing simulations as your only frame of reference to determine your security health creates tunnel vision. The new standard for employee phishing tests becomes what can I do to not get in trouble rather than what could actually do to keep my organization safe. The goal using this tactic is ‘checking the box’ for convenience and quick wins instead of trying to build up employees’ critical thinking for long-term security benefits.
This is the reason people in IT security have negative stereotypes amongst employees. It’s because we’ve been taught to fear IT more than the hackers themselves. But in reality, everyone should be working as a team to stop the real threat of cyber attacks, and IT is just doing its job to help.
As we said before, it’s the tools and the approach that matters the most — it’s not what you do, but how you do it.
Why fun tactics work
So what’s the alternative? FUN! And no, fun isn’t an acronym for anything, there’s enough in the industry. It’s just capitalized for importance and remembrance that just because something is serious, it doesn’t mean we can’t have fun learning about it.
The question you have to ask yourself is: what motivates your employees to learn? I guarantee it’s going to be backed by words like excitement, entertainment, and interest rather than fear, uncertainty, and doubt.
Think back to when you were in middle or high school. Was there a teacher that stuck out to you as a role model or helped you get to where you are now? Most likely that teacher was encouraging, transparent, and helpful.
Now also think back to a teacher that did the opposite and you dreaded going to their class every day. That teacher was probably boring, overly strict, and negative. As a result, I’m sure made that subject became less enjoyable and demotivated you in your studies.
This approach is exactly how you should view your security awareness training by teaching your organization’s employees in a way that is beneficial for them.
A few examples of the strategies in the FUN category include:
- Focusing your program on positively motivating your employees
- Relatability – use the behavioral science of storytelling and other engaging activities to incorporate fun tactics throughout your entire program
- Activate engagement through interactive learning such as gamified phishing simulations, quizzes, prizes, etc.
- Reward employees who are doing well to incentivize them
- Encourage and take into consideration feedback
Incentivize vs. Penalize
In the discussion: if you should incentivize employees for their successes or penalize employees who aren’t succeeding, it’s clear which one is FUD vs. FUN.
Let’s use the carrot and stick analogy as an example:
🪵 The Stick: The stick acts as the strictly compliance-focus security awareness training that targets employees doing poorly in a negative way and ignored employees who are doing well. This offers only FUD as a motivator — and we know how that can work out.
🥕 The Carrot: The carrot aligns with an approach that celebrates employees doing well in their security awareness program and motivates those who aren’t to do better. Now you can even go one step further and candy-coat your vegetables by implementing security awareness training by offering fun training that people are both engaged in and want to do well because they enjoy learning. Some fun incentive initiatives include:
- Publicly recognize the good work individuals or departments are doing with words of affirmation
- Monthly prize pool for the people with the highest phishing test success rate
- Reward everyone who got a perfect score and completes their training on time
- Team initiatives like a pizza party for when everyone gets below a certain click rate
The Outcome
The most compelling reason to use fun-tactics over FUD-tactics is the outcome that can be seen by doing something as simple as changing the strategy in which your employees perceive security awareness training. Ditching the FUD for fun can result in all of the following:
- Establishes open communication and trust between employees and the IT department
- Builds a security culture in your organization
- Employees learn from success — and bounce back from mistakes
- Makes employees more susceptible to change if new procedures have to be put in place
And of course, the main goal is to create a more secure organization and better protect your employees from the never-ending cyber threats. Remember since your employees are your first line of defense it’s critical to get them on board when it comes to keeping the organization safe. After all, teamwork makes the cybersecurity dream work!
Saying Farewell to FUD
The hurdle to change your employee attitudes about cyber security is a big one. Organizations have a tendency to scare their employees into being aware of cyber threats. This anxiety-inducing approach may make people temporarily reactive, but it doesn’t create any positive lasting effects or give your employees a reason to actually care — it does the opposite.
Whereas, using fun tactics to educate your employees with positivity will help encourage them to care about the security of their organization and work together with their fellow colleagues to mitigate a bigger problem. So why wouldn’t you choose an option that is both better for the wellbeing of your employees and more effective in building up your organization’s cybersecurity culture?
