Security Workshops That Change Behaviour

A PowerPoint security presentation might tick an awareness box, but, Mike Carter argues, far from being a solution to the human factor in security, it’s part of the problem.

robot-916284_1280I’ll bet nobody has escaped the ordeal of a presentation where the speaker used PowerPoint. It’s such a ubiquitous method of imparting information and instruction, so normal that it’s noticed only when it isn’t there, and so very, very dull. Who hasn’t had a moan about the draining effects of ‘death by PowerPoint’, or complained that you were going to have to sit through one? We know it can switch us off from an interesting subject, but using it for the subject of security – hugely important, though, to the average employee, dull in equal measure – then there’s no hope that even the most animated and charismatic speaker will engage hearts and minds.

There’s something of a running joke out there about company security inductions using a 65-slide PowerPoint – yet they really do exist. We might argue that they’re better than nothing, but barely. Better than computer-based training? There’s not much to choose between them.

Why is PowerPoint so Ineffectual?

There are reasons why PowerPoint exerts its soporific effects, though we’re so acclimatised to it that we no longer see them. Using a slide presentation sets up a dynamic in the room where the speaker is separate from us. It embodies a hierarchy, where the speaker is the fount of knowledge and we are merely the recipient of it. The audience is rendered passive: nothing is being asked of us but to listen. The screen dwarfs the speaker and dominates our attention. Worse, the speaker is often looking at the screen as they present, rather than engaging us with eye-contact and, still worse, simply reading out what’s on the slides! That we are in a room with other people promises a ‘live’ situation, but there is little more liveness here than sitting in front of our computer terminal.

The slides processing from one to the next have a hypnotic effect. There is no time or space for a deeper level of thought and engagement. There is no room for debate or shades of grey. It makes security a straightforward, linear process, when we know that it’s a deeper, more tangled affair. The use of large print next to bullet points makes a complex subject – like human behaviour in relation to security – simple and lightweight. It makes no demands of the audience to think for themselves, nor take responsibility for their learning. Information received will not be internalised, notes made will be quickly forgotten, and the chances of it translating into better security habits and behaviours will be slim. Nobody ‘owns’ the information on the slides, it exists in luminescent tablets of stone. It’s impersonal and messages will not stick.

Isn’t PowerPoint ‘Good Enough’?

That’s quite a litany of objections to PowerPoint! Am I being fair? After all, whatever I have to say about it, it’s very convenient. A company can deliver the same PowerPoint on security repeatedly and say to themselves, “We’ve ticked that box. We’ve done awareness.” That company must ask whether they want to fool themselves for the sake of expedience and keep going with methods that have a limited effect, or look for something that has genuine and lasting impact in an ongoing process of change.

We Can’t Dodge the ‘Human Factor’

Human problems need human solutions, and PowerPoint dehumanises security. For awareness to translate into behaviour, people must embody principles and consistently take responsibility for their learning and actions. This can only flourish within a strong culture of security, and the problems that many organisations face, they acknowledge to be cultural. Developing a proactive security culture can never be achieved by a PowerPoint presentation – in fact, PowerPoint is part of the cultural problem. The solutions require face-to-face collaboration and ongoing conversations – they need to be human.

At Layer 8, we don’t use PowerPoint. Instead we create opportunities for dialogue in our interactive training, to engage participants, make security personal and change behaviours and culture.

Leave a Reply

Your email address will not be published. Required fields are marked *