Shostack + Friends Blog


Is Cybersecurity Awareness Month Worth the Money?

How can we measure the ROI on an awareness month?

As we wrap up another cybersecurity awareness month, I’d like to ask: Is it worth the money and effort? If it is, we should be able to see evidence of that in reductions of successful attacks in October/November, slowly rising over time as the effect of the awareness campaign evaporates, and then renewing the next year. The shifts should be bigger than the variance the data shows.
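To make the test in that paragraph concrete, here is an added illustration that is not part of the original post: given monthly counts of successful attacks, it pools the non-campaign months into a baseline, expresses each October/November count as a z-score against that baseline, flags a year only when the drop is larger than the baseline variance, and checks whether counts then drift back up through the following September. The monthly numbers, the one-standard-deviation threshold and the choice of October/November as campaign months are all assumptions made for the example.

```python
from statistics import mean, stdev

# Constructed monthly counts of successful attacks (e.g. confirmed phishing
# compromises) keyed by (year, month). The numbers are invented for
# illustration and show a dip in October/November each year.
CAMPAIGN_EFFECT_COUNTS = {
    (2023, 1): 21, (2023, 2): 19, (2023, 3): 20, (2023, 4): 22,
    (2023, 5): 20, (2023, 6): 19, (2023, 7): 21, (2023, 8): 20,
    (2023, 9): 22, (2023, 10): 12, (2023, 11): 14, (2023, 12): 18,
    (2024, 1): 20, (2024, 2): 21, (2024, 3): 19, (2024, 4): 20,
    (2024, 5): 22, (2024, 6): 20, (2024, 7): 21, (2024, 8): 19,
    (2024, 9): 20, (2024, 10): 13, (2024, 11): 15, (2024, 12): 19,
}

# Same constructed baseline, but October/November look like any other month:
# the null case an awareness month has to beat.
NO_EFFECT_COUNTS = dict(CAMPAIGN_EFFECT_COUNTS)
NO_EFFECT_COUNTS.update({(2023, 10): 20, (2023, 11): 21,
                         (2024, 10): 20, (2024, 11): 21})

# Assumed campaign window: awareness month itself plus the month after it.
CAMPAIGN_MONTHS = (10, 11)


def baseline_stats(counts, campaign_months=CAMPAIGN_MONTHS):
    """Mean and sample standard deviation of the non-campaign months,
    pooled across all years so the baseline has enough points."""
    base = [v for (_, m), v in counts.items() if m not in campaign_months]
    if len(base) < 2:
        raise ValueError("need at least two baseline months")
    return mean(base), stdev(base)


def campaign_effect(counts, campaign_months=CAMPAIGN_MONTHS, threshold=1.0):
    """Per year: the mean z-score of the campaign months against the baseline,
    and whether that drop exceeds `threshold` baseline standard deviations,
    i.e. whether the shift is bigger than the variance in the data."""
    mu, sigma = baseline_stats(counts, campaign_months)
    by_year = {}
    for (y, m), v in counts.items():
        if m in campaign_months:
            by_year.setdefault(y, []).append((v - mu) / sigma)
    return {y: (round(mean(zs), 2), mean(zs) < -threshold)
            for y, zs in sorted(by_year.items())}


def recovery_slope(counts, year, campaign_months=CAMPAIGN_MONTHS):
    """Least-squares slope of the counts from the month after the campaign
    window through the month before the next campaign. A positive slope is
    the expected picture of an effect that slowly wears off; None when fewer
    than two of those months are present in the data."""
    after = [(year, m) for m in range(max(campaign_months) + 1, 13)]
    before_next = [(year + 1, m) for m in range(1, min(campaign_months))]
    ys = [counts[k] for k in after + before_next if k in counts]
    if len(ys) < 2:
        return None
    xs = list(range(len(ys)))
    x_bar, y_bar = mean(xs), mean(ys)
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, ys))
    sxx = sum((x - x_bar) ** 2 for x in xs)
    return sxy / sxx


if __name__ == "__main__":
    for label, data in (("dip", CAMPAIGN_EFFECT_COUNTS),
                        ("no effect", NO_EFFECT_COUNTS)):
        print(label, campaign_effect(data), recovery_slope(data, 2023))
```

With real data the baseline would also need to control for things the campaign does not touch, such as changes in attack volume, new mail filtering, or a reorganisation, which is exactly why the bar is "bigger than the variance" rather than "lower than last month".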

I am quite serious about this. Cybersecurity awareness month was invented by Microsoft’s marketing department, and it now absorbs a huge amount of time and energy:

  • Time from corporate cybersecurity teams to create and execute marketing campaigns. For example, the version I got for my role at the University of Washington involved approval from two Chief Information Security Officers.
  • Time from people to engage with content that leads with “Cybersecurity Awareness month,” rather than something useful.
  • Having speakers like me come and speak for your events. (I don’t mind the money, but ...)

For medical awareness months, we can measure things like a shift in the number of people getting a screening, and we can tie screening to reductions in deaths due to that cause. (One of the reasons that recommendations about some cancer screens are so controversial is that the reduction in death is small, but the costs of screening and followups are large.)

If there’s no evidence that this investment is working, shouldn’t we either stop it, or at least increase the ways in which we’re trying to detect it?

But I’m going to go further. There are few reasons to think that people are unaware of cybersecurity. It seems much more plausible that they’re unaware of what to do (stop clicking links?) or that there’s no clear tie between the things they worry about and the advice they’re getting. Either of those leads to them ignoring advice, or getting annoyed that we’re wasting their time.

Beyond that, we have scarce resources. Without evidence that an awareness month is working, and with good reason to think that it’s not... isn’t it time we stopped and tried something else?