IGF 2016 - Day 3 - Room 3 - WS113: What makes Cybersecurity Awareness Campaigns effective?


The following are the outputs of the real-time captioning taken during the Eleventh Annual Meeting of the Internet Governance Forum (IGF) in Jalisco, Mexico, from 5 to 9 December 2016. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 


>> MODERATOR: Welcome to our workshop.  Good afternoon, I hope you all had coffee to be awake and aware.  So the question for this workshop, or the title is what makes cybersecurity awareness campaigns effective.  We have brought together my colleague, Maria Bada, Michael Kaiser from national cyber security alliance, and Liina and Kerry‑Ann. 

And then we start trying to arrange this session format by like interviewing each other on specific issues about cybersecurity, comparing what makes them effective, what are the challenges.  What stakeholders should we involve and are there any other metrics that can be used?  Slides?  Okay.  If you see on the slide behind me, there are some examples from around the world that we think are good cases.  Those from Canada, cyber aware from the UK.  Awareness and the Australia cyber safety campaign.  These are some examples that we would like to present.  Beyond that the panelists often will introduce their best cases and approaches.  I'm going to start now the interview chain.  I will ask my colleague, Maria Bada from the global cyber security capacity centre.  Maybe tell a bit about your research and what do you think are the most critical sectors. 

>> Dr. MARIA BADA: Carolin's question puts me on the path of discussing exactly why campaigns fail.  They didn't always fail.  But let me say a few words about my work.  It's one of my subjects that are very interesting for me.  So around the world, there are many national cybersecurity awareness campaigns.  I have seen through my work at the center, we review cybersecurity capacity at the national level, so we look at this issue as well.  From my experience, visiting countries in many regions, actually in Latin America, Caribbean, eastern Europe and Asia and in Africa, I always looked at this issue.  And the discussion always goes to that behaviors are not really intended.  So campaigns don't have the intended outcomes. 

So why do they fail?  There are many reasons.  One of the main reasons is because they're not coordinated and maybe they...  they don't have target groups targeted.  One of these issues as well is not only the message, but also the messenger.  Also many countries have problems when it comes to resources, so many countries are not long‑term sustainable initiatives.  We know that in order to change behavior, we need to change attitudes and intentions, and that takes time.  So an effective campaign should be a long term process. 

Another issue is the fact that campaigns usually are not aligned to a national goal.  So I will talk about it when discussing about the best practices, but especially in the UK, and let's take that as an example.  So the national awareness campaign, Cyber Aware, it's linked to the national cybersecurity strategy.  It links to the policies and goals of the country.  The targeted groups, sustainability, and that is an issue that I could say that makes it good practice. 

I could talk about this for hours.  I don't know how much time I have. 

[ Laughter ]

>> CAROLIN WEISSER: I think we can go further on the chain and Maria, ask your most urgent question to one of the other experts. 

>> Dr. MARIA BADA: So when we talk about the national level campaign, and let's take, as an example, many countries adopt best practice.  What is the process of adopting the campaign if you are a country, and which stakeholders should be engaged in the process of such campaign? 

>> MICHAEL KAISER: We were founded in 2001 in the United States with the sole purpose of providing education and awareness.  Our targets are very broad.  They're general population, small and medium‑sized businesses, reaching into schools, educators, and basically every American.  330 million plus people.  That's a challenge.  We realized we couldn't do it on our own.  We give a lot of thought to who is the messenger.  If you think about behavior change, cybersecurity can be about both behavior change or adopting good behaviors to start out with, which is our preferred model but hasn't worked out so well.  You have to think about who do people listen to.  You have government.  Government is definitely a stakeholder.  It is a place where many people, most countries can turn to for certain kinds of advice around safety and security.  United States, we have a lot of campaigns, you know, whether it's about forest fire prevention, traffic safety.  The message is expected to come from the government, right?  In cybersecurity, I think the messengers are varied.  You have to have the very robust representation of the private sector.  In the U.S. you ask people where do you expect to get information about how to stay safe and secure online, they will say my ISP or my security software provider.  They will say my bank or the social networks.  They're going to say the large websites that they maybe visit.  They are stakeholders, right?  If you're looking to carry a message and looking to change people's behaviors, you've got to look to people that they trust to deliver the message.  The key and what lies under the core of our campaign is harmonizing the message with all the stakeholders.  So whenever I decide to go to get my message, whoever I want to pick, I pick the messenger, right?  I don't get the messenger picked for me, they send the same message.  And that's really the underlying fabric of the way we do our work.  We had Facebook and AT&T and Verizon and visa and security software providers like Trend Micro, Semantic, McAfee, everybody coming together to create a message that they felt comfortable delivering to their customers.  We can talk more about message delivery in a bit.  It's really simple.  There's a free license, obviously we want to create our IP.  Everything is free.  You can sign a license and you can stop and connect and use it.  Or you can take everything that we have recreated for you.  We're interested in translation.  We would love to talk to you if you're interested in translating it into a different language.  And just so you know, these are the other campaigns we run.  Stop think connect is the global message but we created the national cyber security awareness month back in 2004.  Data privacy day, we imported from the EU where they have had data protection day for a long time.  And we've been doing that in the U.S. since 2011, focusing on privacy and security.  That's just the beginning of what we do in a nutshell.  I have a question over here for Barbara.  Because, it's only fair that we all get asked a question, right?  I'm not going to let you off the hook on that one. 

So you know, I know that OES has really been a great provider of assistance to countries as they start to develop education awareness campaigns and you actually created a tool kit.  What kind of things do they need to take into consideration that allows them to create a campaign that allows them to meet the needs of their citizens? 

>> BARBARA MARCHIORI DE ASSIS: Interesting at OES, we have intra-American comprehensive strategies.  It has in the title, creating a cyber security culture.  I think it's interesting to what Maria mentioned at the beginning of how do you raise awareness and then you can actually change behavior.  But what is common practice is when you actually change the culture.  The first step is go through the entire process under acquiring skills, getting the knowledge, learning about this, applying this, and turning it into culture is raising awareness about it.  As an international organization, we are an organization...  in our case, regional trends in Latin America and the Caribbean.  Throughout our research and actually with sites with the global cyber security capacity center, we developed a portal called cyber security observatory, and we have five areas where we try to understand cyber security, and one of them is culture. 

When you are developing, gathering information, understanding what is the situation of the region, very few countries have a national cyber security awareness campaign.  How do we do this?  And first it was interesting.  We thought let's try to develop a cyber security awareness campaign itself, and we said it's not really the issue.  It's not about us developing the campaign.  It's teaching them, providing tools of how they could structure their campaign.  That's why we call it the tool kit.  It's more of a policy tool kit that provides what are the different things you need to take into consideration in developing a cyber security awareness campaign. 

It is already taken into consideration that we have different countries, different socio‑economic situations and we try to generate a policy structure.  When we present this to countries, we also try to present alternatives.  For instance, one of the first things you have to do as multiple stakeholders is going to be a target and think, oh, a lot of resources so it is something that is really interesting how they can convene different stakeholders.  It is how can they form late a cyber security awareness campaign since the beginning, and also to take into consideration, I have to include metrics.  But how are we going to reveal this and bring in the right groups? 

We are developing it.  We were concerned that it wouldn't be for just one specific country.  It's so everyone can use it.  And not only governments, actually.  Any stakeholder can use this as a reference.  Enough about OES.  Let's move to or next panelist.  And I'm really glad to have Jorge here.  And a national cyber security awareness campaign.  We have been discussing the challenges, Michael mentioned different stakeholders, and I was mentioning how difficult it is for some countries.  So if you could explain some of the lessons that we learned when implementing in Colombia? 

>> JORGE: Yes, in Colombia, we have two words in Spanish. 

This initiative started in 2012.  We have had some impressive achievements.  For instance, we achieved more than 6,700 websites with child pornography contents.  In fact, this is important because we need to talk with, you know with the national police, with the ICT ministry.  So we need to work together with a lot of also...  this was promoted comes from this. 

The lesson here is that we need to work together.  The government can't work on this alone.  We need to work together with NGOs and the sector.  The next part is very important for Colombia.  This is another lesson that we need to have.  We need to have like focus on several populations for this kind of campaigns.  So with this campaign, we focused on young people, but also we wanted to give young people to enable and protect them from insecure use of ICTs.  So now, that's because it's very important to have a population.  We see 2 million people in Colombia with attending the workshops.  They need to have the contact with other people.  And but also we have a portal.  We have multichannel strategy to help these people connect.  We have courses with more than 9,000 people. 

And another lesson learned here is the people want to know about this with the right people.  What does that mean?  That young people don't want to hear advice from old people.  They want to hear information from people like them.  So we hired very young people to bring these kind of courses and to lead the workshops.  The other thing is that the people want to help like not only that but also the recognition.  We have certifications.  So when they achieve a course, they got a certification.  It is not like a sign of achievement, yes?  It's a very important way to engage them.  One or two years ago we made a contest.  In this contest, we wanted the schools to beat the others, to fight with the others in providing new content.  This is very, very hectic in the social networks because they started to move the contents.  And we have a hashtag called a digital poll.  And using that kind of hashtag, they got crazy.  Because they want to show their products of each school, and we have made some alliances with companies to have some gift for the people, for the team over at the school that got the most...  the best campaign of them. 

So I think that...  those are the main important things we are doing in Colombia.  We just joined a stop think connect initiative.  We are working hard in Colombia, not only to have stop think connect to help improve our security, but also we can share our contents and our material to the world.  So I think that's very, very important.  So thank you so much. 

>> CAROLIN WEISSER: Maria, what are the challenges on how to measure success?  And what metrics exist and which are good ones and where it doesn't work at all? 

>> MARIA BADA: Usually metrics being used quantitative or qualitative.  It would be data gathered on how many people visited the campaign, how much time they spent on the website.  Issues like that.  But the challenge is when you actually look at the qualitative part of the measures, so when you actually try to measure attitudes.  One of those is that people denned to be more positive when it comes to their behavior.  So how do you actually measure the actual behavior?  I don't know.  Who wants to take it? 

>> MICHAEL KAISER: We have been doing this for a while now, so I'll take a stab at it.  Metrics tell you what you're trying to do and how you're trying to achieve it.  When we started the stop think connect campaign back in 2010, we thought about what would be the first measure of success.  So the first measure was could anybody identify that that's the message?  Forget behavior change, that comes down the road.  Can they identify the message?  Can they identify it like what else the message might be telling you to do?  Think about the consequences of your actions online.  If I do this or post this, what might happen to me.  And the connect part is less about the connection to the internet and more about how the internet connection to the real world.  The better the security, the more you can do online.  Right?  The worse the security, the less you can do online.  So we look at that message as a positive, enabling message.  First they have to be able to recognize that and then recognize the advice.  Keep a clean machine, own your online presence.  Lock down your log‑in.  The things that if you do them, make you safer and more security.  So you have to do that.  So we do that in a couple of different ways.  Our campaign strategy since we're in the United States, with e...  we're in a huge country and we have a coalition of the willing for the campaign.  We track a lot of stuff, right?  We have extensive media monitoring where any time somebody uses stop think connect in the media, we see it.  Any time somebody uses "keep a clean machine," we track it.  This is a sophisticated tool, and we know how many millions of impressions that we're generating of the message.  So that's number one.  Then we've done that and then we've gone back and looked.  We have asked people, have you heard any of this advice in the last year?  50% of adults in America had heard the advice.  So there's awareness of the advice.  Now you come and then we had teens were even higher, like 72% this is the most difficult part.  That's not that complicated to do.  There are so many tools out there that you can do that, right?  You can do it on social, too.  You can do hashtag tracking and all kinds of different things on social. 

So how do you get behavior change?  I think this is really hard.  When you have a diversified campaign and people are changing their behavior, there is no way to tell whether it was actually me that influenced your behavior.  Give up on that.  I don't care where they got it, I just want them to do it.  Maybe you can look at how many BOT nets are happening in your country.  Maybe you can look at some other many measures.  When you look at real data you will find out that people haven't changed their password for five years.  We're looking at doing more control.  Doing a pre‑test.  Look at a college campus.  Where we might be able to track infections and other kinds of things.  They will know whether people changed their passwords.  And see if the campaign led to that change.  It's a really hard question, and I think it's one that this community out here, this community has to work on with us together.  There is no mire cull cure here.  But I'm curious what other people will say. 

>> JORGE BEJARANO: The two indicators?  Obviously in our programs, because we need to have numbers about how many people are with us in the workshops.  How many courses we have active.  How many people have reached the certifications.  But it's something like something that refers to so I just learned about some tools to look if you follow stuff like that, we need to move to that kind of tools.  We need to have more instruments helping our students.  We need to do more work in focus groups in which we can do like a light survey about how they do things in cyber space.  And try to have some numbers of that kind of workshops to know and have the same several groups and trying to have like a baseline and they need to do it in a systematic way to know if things are really changing. 

>> BARBARA MARCHIORI DE ASSIS: You have to keep in mind, try to develop ways of measuring it.  We were discussing complicated planning.  I don't know.  But some specific discussions with the groups, but it's important to have this idea in the long term and try to come up with this.  Also to the outcomes in terms of how do you do this?  And have this process.  Some people when you're working how to develop a campaign, get frustrated at the beginning because we don't have any structure.  So let's target the general structure and then start at the beginning.  As you implement your campaign, you see other things.  I think Mike is a great example.  He's been working for 15 years, I think he mentioned?  How he was adapting and creating.  Okay.  So we see the problem.  At the end, forget about behavior, but you need to be sure.  We're adapting.  I liked his idea of having a feeling of don't be frustrating.  Start with the indicators.  Every time, review it.  Think about what are you doing, how you can change, how you can improve this. 

>> MICHAEL KAISER: Can I ask a question?  So I mean, it's good for everyone.  To Maria, you mentioned that one of the reasons they fail is the message.  I would like to hear more about that.  I think in security, you know, this is Michael's view of the world right?  A lot of the messaging is, Tell me what you think.  I have lots of ideas and I'll hold off.  I want to hear your notion of why the messages fail. 

>> Dr. MARIA BADA: So it's one of the fundamental issues when you want to develop a campaign, what will the message be?  There's a lot of research around it.  There are issues you already mentioned.  The cultural differences.  There are issues that you have to take into consideration.  Is this culture actually more of a collectivist culture?  And also, the fundamental mistake is that messages tend to be kind of complicated and too difficult for people to understand.  And I think that currently we expect citizens and users to become experts.  Like we advise them to actually show certain behaviors, but we're not sure that we understand what we ask them to do, or whether they perceive risks and they understand what they should avoid, how they should behave.  I think that's one of the main issues when it comes to messages. 

>> MICHAEL KAISER: Go ahead. 

>> BARBARA MARCHIORI DE ASSIS: We are still struggling with penetration.  If we want people to be connected, but you're telling them, oh, it's dangerous.  Do this and don't do this and that, how can you make sure that people will be conducting their business online?  Because we want them and it helps for productivity.  It definitely affects a country.  It is important to also be aware that we wanted to make sure that people are conducting their business online, for example.  Especially many countries in Latin America we have with SMEs.  Encourage them.  We have to be sure to have a language that is encouraging them to be online, but of course, safe.  I would love to hear both of your experiences with this. 

>> MICHAEL KAISER: So there's a couple of things that are really important.  Frequently, there are too many messages.  When we started stop think connect, I sent people to harvest off how many messages there were to stay safe online and she came back with 240 messages.  Right there you have a problem.  No one can follow 240 rules.  You don't have that many rules for driving and that's a lot more complicated than what we do online. 

The other is that we've failed in the message, right?  I will give you what I think is the most horrendous example of messaging, and that is about passwords.  First off, we've changed it 15 times in the last five years, right?  Secondly, we've given them too technical.  How many of you...  anybody here security professionals?  Cybersecurity professionals?

How many of you have your own method of creating a secure password?  How many of you have tried to teach that to somebody else?  How many people have adopted your method?  I rest my case. 

So what you see here is that like just because I know how to make myself safe and I think I have a good way to do it doesn't mean that it's adaptable by anybody else.  So there's a problem with that, okay? 

Second problem with passwords, we've been telling people how to make secure passwords for years.  It's one of the most primary pieces of cybersecurity advice we've had since the dawn of the internet age.  Guess what?  Nobody follows the advice, and we keep giving the same advice.  If you give a message that they don't follow, why would you expect them to follow any of your other messages?  This is why messages fail, right?  I'm supposed to have a secure password, I haven't been hacked, they must be wrong about the other thing, too.  The message is so important.  We can talk later about crafting messages, but I think this is a real problem area. 

>> JORGE BEJARANO: I want to add something but I don't know if I will be able to explain it.  It is very Colombia specific.  We have a fruit that we call Papaya.  Does somebody here know what that is?  Good.  It is a delicious fruit.  Even once the Papaya is cut, we eat it.  Because it needs to be delicious.  So we use it to explain to people that please don't give...  we use it to say don't give Papaya to the bad guys.  Yes?  Are you following me?  Yes?  Don't give Papaya is like not do the things, don't bring the treats to the bad guys.  So we have only very small message.  Don't give cyber Papaya.  That's all.  Everybody in Colombia understands that.  It is a very good message, and it goes for small and medium business, it goes for the students, it works for the old people, because everyone's...  everyone understands Papaya concept.  So I hope that I achieved that. 

>> MICHAEL KAISER: Great example. 

>> CAROLIN WEISSER: I have one last question for Michael.  You mentioned that you had marketing research to test the messages.  Do you think like classic marketing approach and advertising, commercial approach to develop messages is more effective than having like, doing more like educational messages from other fields? 

>> MICHAEL KAISER: I think it's a combination, actually, right?  So when we did our messaging on stop think connection, we went and asked consumers, American general consumers over 18 a lot of different things about cybersecurity.  We took a marketing approach.  To this messaging, right?  We want to tell people what was one of the classic messages that's still out there?  Don't click on any links in e‑mail.  There's another rule that people can't follow.  So we have to be more creative.  So we take the marketing approach because the marketing approach that we took, the firm that we used looks like how do you connect the emotional and feeling state that people have about being safe, right?  Back to the action that you want them to do?  Now not surprisingly, you know, I'll just give you a quick example of how they might have looked at that.  We went...  actually, this was back in 2010.  We went through and said okay, here are all the things that, you know, you've said...  we asked them in a survey, what are all the things that you can do to stay safe online.  They listed change my password.  Then we asked them what's the one thing that you're not doing that you should be doing?  And they would give that answer.  Let's say it was update my software.  Then we would ask them, okay, if you were to do that thing, right?  Update your software?  How would you feel?  Right?  What's the feeling state that you would have?  I would feel more secure?  My family would be protected?  Then we would go a step further and say what would be the ultimate benefit of doing that thing which you know you're not doing, which you know would make you safer?  Things that came out were things like peace of mind.  You reverse engineer from the message from the feeling state.  You want to feel better?  Update your software. 

You've got to...  here's the basic principle, right?  We could sit here and brainstorm ways that people could be safe online, but they're not going to receive it unless it's delivered in a message that makes sense to them.  The other really key finding in that, and we can talk about the messages themselves, but the other key thing we found, which I still use all the time is they were so clear.  They get it.  There is nation state hackers, there are cyber criminals, there is the kid next door trying to get into their computer.  There's all these people, and they feel kind of fatigued by all of this attacking that's going on.  But they said over and over and over again, give me common sense things that I can do that are in my control.  Right?  I expect the government to protect me from nation states.  That's not my job.  But what I can do?  Just get into that where they're at and giving a messaging that responds to the moment that they're in is great. 

>> CAROLIN WEISSER: I would like to ask if there are any questions in the audience?  I will start with the gentleman in the first row and the lady here.  Please introduce yourself shortly, and if you direct the question to someone specific. 

>> AUDIENCE MEMBER: It's general.  I want to know if you know focused campaign for a person of the usage system like a police officers, judges or prosecutors?

Because I think that it's important that they know the risk in the internet.  Because most of the times they don't understand cyber crime.  So that is the question.  Sorry for my English. 

>> MICHAEL KAISER: Is that a campaign for them to be safer online or a campaign for them to understand better the risks of the people that are coming through the system? 

>> AUDIENCE MEMBER: More about cyber crime. 

>> JORGE BEJARANO: In Colombia, we have very good cyber police in Colombia.  They have campaigns about using tutors and of course, their web page to let other people know about the cyber crimes.  Because, of course, this is a very technical...  we have a lot of technical words there and many people don't know what is that word?  We need to go back to the beginning and try to explain to people what kind of crimes we have.  What can you do if you are affected by an incident.  You need to know what kind of preventative actions you can do.  So the police have a specific campaign inside the police, and as I know, they have like communications plan in which they have like weeks where they want to talk more about one topic, because it is probably there are an interest on promoting that kind of topic.  So they want the people to talk about the topic, and they want to promote the kind of communication with the people. 

>> Dr. MARIA BADA: I want to add something, because I think it relates to your question.  Another important issue, and we discussed about it, is the reporting mechanisms, they usually report or relate to initiatives of the police.  And that's another issue when it comes to creating effective campaigns.  Linking law enforcement prosecutors to the national campaign end users.  To linking them all together.  I think that's very important. 

>> MICHAEL KAISER: I can add a little bit about the United States.  The United States has 14,000 local police departments, right?  That's a problem right there, you know?  Larger departments, I can't speak to prosecution or judicial end that much, I have cyber units, right?  Most of them started originating on child pornography issues.  I think they're coming to the awareness more that almost every crime has digital elements now.  You know, because everybody has a phone in their pocket or a computer at their home.  Maybe if they were a burglar, maybe they were doing a Google map search.  It's all out there.  So they're getting more aware of that, and I think they're doing a better job.  The other thing that's happened in the United States, and I'm not sure if this happened anywhere else, police departments have become targets of the cyber criminals.  So the departments themselves have had to harden their networks, right?  And these are small departments.  They're not huge.  There have been ransomware attacks, anonymous attacks on police departments when people are unhappy with the trajectory of an investigation, there's a pretty famous case in Steubenville, Ohio, there was a sexual assault, and someone went in and stole the video of the attack that was happening at the party and posted on the internet.  There's an awareness of needing to protect themselves.  How secure is your police department?  Right?  Let's start there.  And then let's move out.  Maybe that's an incentive? 

>> CAROLIN WEISSER: We have another question.  The gentleman?  And then in the row before.  Maybe collect those two questions? 

>> AUDIENCE MEMBER: Hello.  I came from Portugal.  I work with young people, so it's first of all, it's interesting to hear, and I totally agree about how important it is to use peer education in cybersecurity campaigns. 

Secondly, I would like to address the issue of the messages that mainly reflect on fear.  I think when I go to schools, sometimes kids aren't really aware of the consequences, but even then, when I tell them the consequences, it's like it's been said, sometimes the emotion or the feelings about doing the changes or accepting the security doesn't really help.  So my question is, is there a way of changing the parenting?  For instance, using the fun factor?  Since they are kids, they would be interested in doing it just for fun.  Thank you very much. 

>> CAROLIN WEISSER: And that gentleman?  Yeah. 

>> AUDIENCE MEMBER: Hello.  I'm an ISOC ambassador from Indonesia.  My question relates to cyber security awareness campaigns for all demographics, because I noticed that a lot of cybersecurity campaigns today focus on younger kids and the younger demographics.  Can you share best practices to get more adults?  I'm talking about 50 years of age and above...  to be more aware of issues and to be safer online.  I think they're much more susceptible.  A lot of them in Indonesia, they believe the phishing messages, e‑mails, and that kind of things. 

>> Dr. MARIA BADA: So related to the messages, you're absolutely correct.  Campaigns have been using actually fearful messages, which are proved not to be effective.  Actually, they have the negative effect.  They tend to create and cause stress, so that makes users just ignore the message.  So you're absolutely right.  When it comes to children and parents, we've seen...  I've done a lot of work in raising awareness for children in the school environment and talking to parents as well.  And again, when children don't really realize the risks.  And it's absolutely normal.  But parents don't either.  So also, there is actually a big gap between the communication, between children and parents.  So usually if a child has a negative experience online, they will not communicate that, necessarily, to their parents.  That's actually a very important issue.  How do you bridge that gap of communication? 

Mike, do you want to answer? 

>> MICHAEL KAISER: A couple things.  First of all, the senior issue the older folks, I think that's a really good issue.  Larry just issued a guide for senior citizens on how to stay safe online, trying to take some of the core messaging and making it more friendly to seniors.  It's connectsafely.org.  It's a great document.  Out of Canada, it's not only on security, but there's a phenomenal film called cyber seniors and it's hilarious and funny.  They teach them to use Facebook and Twitter.  There's a message in that about how the younger people can teach older folks how to use the internet.  By the way the senior citizens know a lot about judgment right?  We accuse them of clicking on things they shouldn't, but a lot of research shows that they have a lot of good judgment and can filter that stuff better.  Maybe there's an interchange. 

On the kids, I think there's a couple of things.  This is one of the problems in cybersecurity education.  People say have a mascot.  You have to have a movie star.  The truth is, those may be true and they all help.  I'm not saying they're bad.  You have to have something that's relevant to them.  You have to speak relevantly.  I totally agree with the fear‑base.  When we created the stop think connect, we have an exercise where if you have a message that's fear‑based, we'll never use it.  Which led us to the whole aspirational messaging.  Keep a clean machine, own your online presence, things that are empowering and make you feel that you can control it.  That's one.  We just did research with 13 to 17‑year‑olds and I want to go back to your point, but we asked them what's the most thing you're concerned about?  Unauthorized access to my accounts.

That is a straight‑up security issue.  So you need to know what their concerns are.  Often as adults are, we tell them what the concerns are.  Be concerned about sharing too much information, meeting a stranger, posting something that will keep you from getting a job in the future, right?  All real issues.  I'm not saying they are not real issues, but if they're not interested, they're not going to listen, right?  So that's one. 

On the parenting thing...  on the kids thing, this research that we did is on our website.  We also saw that 40% of the kids that we interviewed 13 to 17‑year‑olds said they would turn to peers for help with online problems.  So that's an avenue right?  If you say I'm going to go into schools and I'm going to teach you how to help your friends, as opposed to lecture them.  You're teaching them how to help their friends, right?  At the same time you're building their resistance and you're probably building their resilience at the same time, which is the core of all cybersecurity, resistance and resilience.  So maybe teaching them to help their friends is an avenue you want to look at? 

>> JORGE BEJARANO: Only regarding the first question, in Colombia, I answered that most of you knows sesame street?  No?  So we did that with sesame street, and we did a TV series called monsters...  monster in the net.  Focus on children between 3 and 7 years old, and we never use words like risk.  Never.  Because children doesn't understand the word, "risk."

So we were doing like positive reinforcement about good habits and behavior on the net with that kind of series.  And I think it was great.  We built a portal, we bring material for educators and material for their parents to work together after the TV series.  I think it was a very good project for that kind of age group. 

>> MICHAEL KAISER: See we all learn stuff when we come on those panels. 

>> CAROLIN WEISSER: It was very productive.  It was a capacity building exercise for the panelists itself.  I would like to raise awareness for one more thing.  If you could put on the slide.  A lot of information on our cyber security capacity portal.  A lot of information for best practice and knowledge and cybersecurity, a lot of information, etc.  And as I mentioned cybersecurity capacity building.  I also would like to flag that on our Twitter account @capacitycentre, you find a short online survey.  We would really appreciate if you would participate in the survey.  It would support our research.  It's in the very early stage, and I think as more people give their input, especially people who are here and experts, it would be beneficial for our research.  You can find a very successful paper that Maria published last year which got a lot of attention. 

Otherwise, I think our time is exactly out.  We have another...  we have time for one more question?  I'm sorry.  Okay.  Sorry. 

>> AUDIENCE MEMBER: I'm a consultant.  Looking at it from the outside, I'm not involved in these sort of actions, what I tend to see is that there's a canyon, a big ravine, and you are standing on one side shouting to the other side, you're unsafe, you're unsafe, beware, you're going to fall into the canyon.  And they're standing to you with their backs not listening, looking at the internet and how great it is.  But the people standing there...  so the first question is how do you envision to build a bridge over that canyon to reach them?  And the second one is people standing there with their backs to you will forever be standing there without any consequences.  You can be unsafe online without any consequences even when your bank account is emptied for you, the bank will put it that, that sort of thing.  So there's no consequence.  Is it time to impose a consequence about not being safe?  How could that be envisioned and realized in some way?  Thank you. 

>> MICHAEL KAISER: So you've asked a classic cybersecurity education and awareness question.  No, it really is.  I don't think there's...  I know other people might have thoughts about this.  But there's a couple of issues here.  I'm not sure that consequences would ultimately change behavior.  There are consequences if people drive improperly and people still do that.  There are consequences if you smoke cigarettes and people still do that.  You have to look at what level of eliminating the bad behavior is your target, because you will never get rid of it all.  And we know that people, and this is just people always think I think Maria's the one that will get hacked, not me.  So I don't have to worry about what I do, she has to worry.  That's a human nature issue.  These are all things.  But it partially brings me back to building on something that you said.  You can't look at sib security education and awareness and say I'm going to get this message in front of somebody and it's going to be done.  We look at making cybersecurity second nature.  That's really the goal.  Living in a traffic culture has become second nature to us.  Any country in the world, any of us could go out and cross the street and if there was no stoplight, we could do it safely, right?  Occasionally there might be an accident, but you know?  How did we get there?  How did we learn how to do that?  So I will ask you, think about this question in two ways.  How many of you have children who are young who you're teaching...  have young children?  Okay.  Not too many people.  How many of you were young children? 

[ Laughter ]

Should be a larger sample.  Okay.  How many times did your parents hold your hand at the corner and tell you to look both ways before crossing the street before they let you cross the street on your own?  Thousands of times.  This is about developing habits that eventually lead to your being able to negotiate the web by saying that e‑mail looks horrible.  I'm not going to that website.  I don't like the way they're asking me to access this website.  I'm not doing that, right?  I don't like the information that they're asking me here.  I'm making good choices because I've been trained to be...  to have good habits right?  Not because I'm following a set of rules.  Not because I'm following don't click on that link or my password has to be 97 characters.  We've done it with driving.  I don't know why we can't do it with this.  I think that's a great example.  Teaching kids from very young, instilling these concepts.  I think in the United States we think about teaching kids exercise is good, eating a balanced diet is good.  You learn about that over a lifetime and that there is a positive thing in there.  The only thing I would say about consequence is you would have to find the consequence that means something to people, right?  And if you could figure that out, then maybe there is something there.  Maybe that's worthy of research.  What is the negative outcome of online...  doing something online that get you to change. 

>> Dr. MARIA BADA: Can I provoke that?  You're going into the negativity.  Not mentioning the consequences, but the gains?  People tend to actually prefer convenience over security.  If it's complicated, I would ignore the security aspect and I will just... 

But yeah, I'm more in favor of positive messages. 

>> MICHAEL KAISER: Me, too.  We shouldn't assume that consequences work, and I don't know that fear...  fear‑based messages work for people that are already paranoid.  We don't know the answer to his question, though?  We don't know if there is a place where this could happen and like, yeah.  If you don't know how to cross the street, you could get killed.  That's a pretty severe consequence that everybody understands.  Whether that motivates a 4‑year‑old or motivates the parents to teach a 4‑year‑old...  don't get me wrong.  I am not for a fear‑based messaging.  I am for powerful, empowering messages. 

>> CAROLIN WEISSER: Are there any more questions?  Yes please? 

>> AUDIENCE MEMBER: Thank you.  My name is Alan DeWine.  We're a pre‑start up organization focused on privacy and security in the education market.  One observation I would like to hear your comment on, very good talking about working on increasing and improving awareness in cyber hygiene among children and adults.  In education, they are involved increasingly in different kinds of online academic efforts, games, etc., that are imposed on them, in effect, by the school.  They're agreeing to privacy policies that way that may or may not reflect functionality or good security practices that actually keep data security and the privacy policies actually reflecting what is actually done.  What's your observations in that area? 

>> JORGE BEJARANO: I have a huge concern about the privacy in the young people, connecting with that.  Younger people is less conscious about privacy, and probably they don't care about it.  So we need to work very hard not by only trying to force them to fulfill like, you know, this is the policy and you will fulfill this and this and this and this.  We need to raise the level of consciousness in young people.  And if you are getting things free, you are the business.  We need to know that nothing's free.  So we need to connect that and try to bring the message and raise the consciousness. 

>> Dr. MARIA BADA: Talking about young people, maybe we are older here, but maybe the idea for privacy for them is different.  It was interesting what Michael said.  It raised concern for them, people have authorized access.  So they don't want people to have access to what they don't want to.  But maybe other things they are willing to share.  It's interesting, because it's more about trying to teach them, okay, what you don't want them to have access?  Make sure to protect us. 

>> AUDIENCE MEMBER: The points are good and well taken but they miss the point I was trying to make.  Often in the school setting, the schools choose products for the students to interact with.  They don't have a choice to evaluate.  This is school. 

>> MICHAEL KAISER: Nice to see you again.  Haven't seen you in a while. 


>> MICHAEL KAISER: So I will say that first.  This is the kind of issue that can't be answered only through education and awareness.  Certainly, there needs to be much more transparency in the tools that schools are implementing for their students.  That transparency is probably as much for the parents as it is for the students.  As you say, if you're talking about a third grader, you can read them a privacy policy but they just want to press a button.  But the parents should be playing a role in understanding.  I think schools have an enormous responsibility to ensure the integrity of the data that's being collected about the children and the school.  Not only the integrity of what and how information is being used, but where is it going?  Is that cloud provider secure?  What would happen if they sold their business to somebody else?  Does that nullify...  there are so many complicated issues there.  And I think the student data privacy issue, which is very hot in the United States.  I don't know if it is in other parts of the world, but it is unresolved, and I haven't heard that many sessions here at IGF on that issue.  Maybe there have been and I didn't see them.  But to the IGF folks, this is a discussion that maybe should be happening globally, right, among all of you and all of us, maybe that's something to propose to get on this agenda.  Everybody sees the technology as aiding the classroom right?  There's a generally accepted principle, right?  Is that how you would say?  But they're not looking at the consequences or the other thing.  So I think you're raising an important point.  I don't have an answer for you, but I think it's the right question. 

>> CAROLIN WEISSER: Next please? 

>> AUDIENCE MEMBER: Hello from Austria.  I wanted to take more on the point that was made before, positive messaging versus creating fear.  The example of children crossing the street, you use fear.  In Austria, you have a big sign that says drive safely or you will die and your family will die and you will never see your kids again.  It is not our responsibility to make the user feel good.  It's our job to keep them safe.  So why not use fear? 

[ Laughter ]

>> MICHAEL KAISER: I think we went too far the other way in the fear messaging, so if you look at the history, it started out too fear‑based.  Are you saying that you think it is okay that some of it is fear‑based?  Yeah.  You know, so I would flip it over a little bit and say, when we did our stop think connect, we didn't look at fear messaging, but we looked at proof points.  What's the kind of information.  If I knew, for example, that 80% of the people who didn't have a long password, you know, were 10 times more susceptible to identity theft, that's not necessarily a fear message, that's a proof point where I can put myself into that environment and say okay.  I can reduce my risk, right?  The difference between traffic safety and the internet is you're probably not going to die on the internet.  It's not the same outcome that you're trying to prevent.  You're basically, there's zero tolerance for failure because one failure in crossing the street, whether it kills you or not will have serious consequences.  If the car's going more than 10 miles an hour, you're in trouble.  Proof points that are relevant?  You know, young people who posted things about being at a party were more likely to have difficulty getting a job?  Those are things that are quite clear.  Don't use the internet.  That's the kind of thing.  Don't use the internet, it will never be safe.  There are messages out there that we have to combat, because the internet is greatly beneficial.  You might have more on this. 

>> BARBARA MARCHIORI DE ASSIS: I want to...  also that...  the bigger part of the countries right now is expand broadband access.  If it comes to the message don't go to the internet, then I won't do anything related to cybersecurity.  We want people to be online, and especially for...  Colombia has SMEs, and it's important to be careful about the negative.  It's important to also make sure, go online in a safe way. 

>> Dr. MARIA BADA: Just to mention that I had that experience in schools when I was doing awareness raising.  When we were describing the possible risks online, children were mentioning that they had Facebook accounts.  So after the sessions, they were like okay, I'm going to delete my Facebook account.  So that's actually the outcome.  And I could see it.  It made me think of how we can change that.  Because again, it created fear.  And that would lead to not using social media, not using the internet, and that's not what we want.  I've heard actually throughout this week, many workshops were discussing about, you know, we want global internet access from all groups, all ages, all sexes not the safe one.  How do we do that?  We have to educate and educate people and make them aware of risks but in an effective way.  If you asked me to give you the answer of what, how that would be effective, I don't know.  It would be a challenge to answer. 

>> MICHAEL KAISER: Let me quickly say, if you want to know how to be effective, the best way to do it is to talk to the people you're trying to educate and find out for them what risks they would respond to, right?  Like what...  we know in the United States, the number one thing people are concerned about is identity theft.  There are many other things they're at risk of.  But they are concerned about that.  That's maybe their thing.  The risks are omnipresent.  They're everywhere.  Figure out what the people in your country are concerned about and then create a message that wraps around the risk they're already thinking about and build off of that, right?  That's how I would handle risk. 

>> CAROLIN WEISSER: Yes, please? 

>> AUDIENCE MEMBER: Hi.  I think I just quickly wanted to add to the conversation that fear messaging becomes tricky in a country where internet is already propagated as the root of all evil and immoral and puts at risk a lot of children and women and so on.  In a country like Pakistan, fear messaging would be extremely counterproductive. 

>> MICHAEL KAISER: That's a great point. 

>> CAROLIN WEISSER: The next question. 

>> AUDIENCE MEMBER: Louise Bennett.  Yesterday I came to a workshop on collaborative security, and I was very impressed by the woman from Cyber Green, and the key message that she was making, which I think was really important was you should think in your messaging, if I behave like this, what am I doing to someone else?  Actually most people don't want to help their friends, their neighbors, and so on.  And I thought that was a very powerful message that she gave, and I wanted to know what you thought about that. 

>> Dr. MARIA BADA: I think it relates to what I was describing before, looking at cultures before developing a message.  In the eastern world, we tend to be more individualistic, so we defined, I don't know, cyber security from our personal experiences.  But in the cultures such as in Africa, they tend to be more...  they tend to relate security in more of a group setting.  So, I think that the message such as, you know, if you are...  if you are safe, you can help others would work in certain cultures, but it might not work in others.  It goes back to looking at differences in different countries.

>> MICHAEL KAISER: I just add that when we did our Stop Think Connect research the first message was safer for me, more secure for all.  And we used that message not in a core way, like, you know, update your software.  But we use it when we talk a lot.  We use it in media.  We use it in writing.  We use it in a sub text message.  We have a lot of public service campaigns in the United States, and that personal responsibility equals...  like friends don't let friends drive drunk sort of message.  When you talk about sort of how do you incentivize people, knowing that not only am I making myself safer but I'm making my friends safer.  I think for a lot of people that's very appealing. 

>> JORGE BEJARANO: I want to add something very short.  I just remembered the hashtag we used in Colombia.  The power is yours.  You decide how to use that power in the digital environment.  If you make the right decisions, you will have a useful and very good result from the integration with that digital environment.  But if not, there will be consequences.  But you have the power.  That's one of the messages we used in our courses and also in the campaigns.  Because we wanted to highlight that. 

>> CAROLIN WEISSER: I would like to add something to that as well.  What I like about this approach, because it works on different levels, on an individual level and in like businesses.   Maybe it's as bad for the community around you.  And up to the national level.  I think it's a very interesting approach because it's like something which is maybe also...  I think it's very strong in Asian cultures in Japan.  Something that I want to benefit someone or I want to hurt someone is good. 

>> BARBARA MARCHIORI DE ASSIS: I thought it was interesting, within our projects at OES, we noticed how useful the technique is in our region.  When you train people and we want to encourage them to...  the trainer became like ambassador of this.  So please make sure to it really works in Latin America.  And we're trying to do this more now. 

>> MICHAEL KAISER: Having a good messenger. 

>> BARBARA MARCHIORI DE ASSIS: Creating more messengers. 

>> CAROLIN WEISSER: Anymore questions?  Yes, please? 

>> AUDIENCE MEMBER: Just listening reinforced that we share the responsibility making sure that we create awareness globally.  And that this forum has a unique opportunity to carry that cybersecurity awareness campaign to make sure that you educate those that are going to be connected in the future is not just about connecting the unconnected, but also making sure that they understand what the risks are and have a shared responsibility of the future security threats that we face.  Thank you. 

>> MICHAEL KAISER: That's a great point.  And a little disclaimer, DHS is our federal partner in the United States along with industry, so we're always happy to hear from our friends at DHS.  The unconnected have an opportunity well beyond the people that are already connected.  We didn't start doing cybersecurity education awareness until the mid 2000s right?  People already connected and had already established bad habits.  If you have the opportunity now to give people who are getting online now to give them good habits while they're getting the technology for the first time, you may feel like you're behind but on cybersecurity, you are ahead. 

>> BARBARA MARCHIORI DE ASSIS: We feel the same way.  Sometimes we hear we don't have so many people connected, so we have other priorities.  I say well, you are improving connectivity in your country.  Take it as an opportunity.  Everyone is already safe.  So we started working with this at the beginning, and that's exactly what I have been trying to encourage the member states to start invest in cybersecurity since the beginning. 

>> CAROLIN WEISSER: Anymore questions?  I saw a hand in the back?  It's gone?  Maybe just, to comment on your comment, those people who come online now are so vulnerable.  It stops them to get what we said before, like fear and security.  If they hear this is something which can harm you, someone who is already a victim and already a vulnerable and not feeling powerful, this has a huge impact and all the positive things we were talking about don't count anymore if someone doesn't trust that and you see how powerful the applications are for health and socio‑economic participation, empowerment, all of these things, I think it's crucial and key that all developments I mentioned have an awareness in the cybersecurity aspect, otherwise, yeah, the efforts are useless.  Not useless.  Now we're really at the end.  This morning I had a workshop that was one hour, so I was focused on that.  Thank you so much for the very interesting discussion.  We got a lot of expertise from different regions and from the research.  Again, if you would like to be engaged in this and contribute to the research, go to our Twitter account or the cyber security capacity portal for more information.  And thank you very much. 

[ Applause ]