“Because I said so.”
How often did your parents answer one of your questions with that statement?
Infuriating, wasn't it?
Now that I'm older, I can understand how frustrated and annoyed parents get at having their decisions questioned repeatedly, but explaining why usually worked well at getting me to do whatever it was they wanted me to do (at least sometimes).
In our professional lives, it's very much the same.
No one likes to be told “because I said so” as an adult – even if that someone is paying your salary.
I don't know about you, but I perform better when I know WHY I'm doing something.
When it comes to security, explaining “why” can lead to improved security results.
How are your employees supposed to take security issues seriously if you don't explain to them:
- How serious and important information security is
- How important a role they play in keeping information secure
Why, Not Just How
If you've ever been around a three-year-old, you know “why” is a popular question. It could also hold the key to successful IT (and information security) training.
We've all been in training that showed us what to do and what not to do. Click this. Don't click that. That's the majority of current IT training.
However, research shows that “mindful” training – answering “why” – leads to fewer clicks on phishing emails. A joint university study, Technology Use: Conceptual and Operational Definitions, is the source of this insight. You can read more details here.
Explaining to users why being impatient and clicking on phishing emails can hurt your business was more effective than only showing them how to identify a phishing email and telling them not to click on one.
When training, think about combining both approaches and don't be afraid to explain to users and employees why they need to do something a certain way.