Seat Belt Use and Lessons for Security Awareness
From Lance Spitzner:
In January of this year the National Highway Traffic Safety Administration released a report called “Analyzing the First Years Of the Ticket or Click It Mobilizations“… While the report is focused on the use of seat belts, it has fascinating applications to the world of security awareness. The report focuses on 2000 – 2006, when most states in the United States began campaigns (called Ticket or Click-It) promoting and requiring the use of seat belts. Just like security awareness, the goal of the campaign was to change behaviors, specifically to get people to wear their seat belts when driving… The campaigns were very successful, resulting in a 20-23% increase in seat belt use regardless of which statistics they used. The key finding of the report was that enforcement and not money spent on media were key to results. The states that had the strongest enforcement had the most people using seat belts. The states with the weakest enforcement had the lowest seat belt usage.
I feel the key lesson here is not only must an awareness program effectively communicate, but to truly change behaviors what you communicate has to be enforced. An information security awareness campaign communicates what is enforced (your policies) and in addition it should communicate why. Then, follow-up that campaign with strong, visible enforcement.