78

I've observed that several of our users are ignoring messages sent from IT Security managers, and also the system generated "You just sent a virus" notifications.

The problem seems to be among people who are not computer savvy, who are in no way hostile to IT SEC. They are simply not "computer" people.

What guidance is there to ensure that the IT Managers and System Notifications are understood, and acted upon? I'd like to craft a single message for the entire user base, and not take on responsibility for hand-holding the "special" folks.

My hope is that I can develop a set of email best practices that are used when communicating with all end users, for the purpose of sending IT Security user notifications through email.

  • How should I lay out the thoughts behind the message?
  • Are HTML messages more effective? How so?
  • Are there any cut-and-paste samples?
  • Does the "From" address matter?
  • What should the subject say?

Examples of notifications include (but not limited to):

  • Automatic Email Messages from Antigen or Forefront AV systems
  • Revisions to IT security policy
  • General notifications that are simply informative
    • "Maintenance will be performed at 11pm-6am. Expect a disruption in service"
  • General notifications that are meant to be read and acted upon. They do apply to the end user.
    • "Close all applications and log off for patching"
  • Other notifications that may or may not apply to the end user.
    • SPAM Quarantine Summary Emails: "Enclosed is a list of quarantined messages..."
    • "A security patch for an old version of software that might not be installed"

This question was IT Security Question of the Week.
Read the Aug 26, 2011 blog entry for more details or submit your own Question of the Week.

makerofthings7
  • 13
    E-mail is easy to ignore. A phone call is less easy to ignore. And an in-person visit very difficult to ignore. If e-mail fails, try phone or in-person. If there are too many users who need a phone call or in-person visit for your staff to handle, then you have a larger problem. – this.josh Aug 03 '11 at 19:36
  • 1
    Please, be **VERY** careful with "you just sent a virus" notifications. Having been on the receiving end as an innocent, I can say for certain that it's not fun at all getting a few hundreds of those in a short period of time! – user Aug 04 '11 at 09:06
  • 1
    Use 802.1x. Disable LAN access for people who've gotten the email until they answer a short quiz demonstrating knowledge of the information in the email. – user502 Aug 04 '11 at 12:00
  • 1
    How often are those messages sent? I know that if a sender sends, say, 10 times more emails than another one, I'll give 10 times less attention to each of its emails. – BiAiB Aug 04 '11 at 12:36
  • 1
    You should also realize that not everyone shares your view of what's important. They have their own jobs, with their own responsibilities, with their own things that are important. And looking through your list of sample notifications: none of them I would care about. "Revision to IT security policy." Really? – Ian Boyd Aug 05 '11 at 03:09
  • Hmm, Lifehacker is including interesting images (including some animals) in this article. Perhaps we can learn something from their content http://lifehacker.com/what-to-do-if-your-social-security-number-has-been-stol-1684690096?utm_campaign=socialflow_lifehacker_facebook&utm_source=lifehacker_facebook&utm_medium=socialflow – makerofthings7 Feb 09 '15 at 22:14

15 Answers

106

A small trick I learned years ago - lay your email out like this:

Short Version

  • Small number of very short succinct points
  • If X, then you need to do this
  • Else, then you need to do that (or don't need to do anything)

Long Version or Full Details

...and here you lay out whatever full version you want.

97% of your users will never read the long version, so make the short version count. However, the key here is that most users will read the short version if they're given a choice between that and the long version. When you put that "Short Version" section header in, you're enticing them to read that because they feel like they can "get away" with just reading the short version. It's, like, psychology or something.

Many of your users still won't read messages no matter what you do. I've gotten better hit rates with this method than not, though.

gowenfawr
  • 47
    +1 for "It's, like, psychology or something." – Mannimarco Aug 03 '11 at 23:44
  • 8
    You want the short version for the same reason you want to go to the bar with your friend who is slightly uglier than you- by comparison, it seems like a great deal. – crazy2be Aug 04 '11 at 01:35
  • 4
    It's called an inverted pyramid. http://en.wikipedia.org/wiki/Inverted_pyramid – surfasb Aug 05 '11 at 05:34
  • 2
    It is slightly different than an inverted pyramid, where the article is organized such that the reader doesn't lose as much if they stop early or if the editor truncates the article for space (ever do layout on a newspaper? Articles are trimmed geometrically rather than on content!) What I am describing is to literally set aside the high points as a *visually distinct alternative*. When presented with this "choice", many readers will choose to read the short version. By contrast, if they see a 5 paragraph note, they view it as a large block, and often won't even start. – gowenfawr Aug 05 '11 at 14:29
  • @gowenfawr, How did you arrive at "better hit rates"? Are they measured? – Pacerier Feb 17 '15 at 04:03
  • @Pacerier, it's an informal measurement consisting of active feedback (people coming up to me and saying "Good message" and "Thanks for the update") and passive feedback (lack of people complaining about not being warned after something happened, which they didn't know about because they didn't read the email). It's not a _statistical_ measurement, but I think it's indicative. – gowenfawr Mar 10 '15 at 19:09
  • @gowenfawr, I think it's indicative that we are looking at a case of [confirmation bias](https://en.wikipedia.org/wiki/List_of_cognitive_biases#Decision-making.2C_belief.2C_and_behavioral_biases). – Pacerier Mar 11 '15 at 10:52
  • @Pacerier That is one distinct possibility of many. In the real world, however, there are many situations which must be evaluated based on results rather than on statistical evaluation of objective measurements. I would say that these "better hit rates" are of [practical significance rather than statistical significance](http://en.wikipedia.org/wiki/Misuse_of_statistics#Confusing_statistical_significance_with_practical_significance). – gowenfawr Mar 11 '15 at 12:18
  • @gowenfawr, I'm saying your results are skewed due to confirmation bias. – Pacerier Mar 13 '15 at 14:50
19

As @gowenfawr says many users will not read messages no matter what you do.

So, in cases when you need to guarantee that the message was delivered to the brain and not only inbox, or acted upon, what you need is a feedback mechanism.

This can be simple, using a social approach - for example asking users an essentially fake question while providing information. For example, if you are providing several methods to handle a certain problem, you might ask them to tell you which one is best suited for their work, or ask them to order them according to convenience, and insist on the reply. People that do not reply probably did not read it, and you can follow up with them.

You can go one step further and actually create a quick test they need to complete to prove that they "got the message" (this will cause complaints, but is effective and in case you get the green light from management this approach can really turn some things around).

Stevoisiak
Unreason
    One step further than your "one step further" could be linking the comprehension test into the ADP Payroll system. Only release the paycheck when they get a passing score. I'm sure that would cause lots of complaints – makerofthings7 Aug 03 '11 at 16:21
  • 1
    @makerofthings And this could cost your job... :) – woliveirajr Aug 03 '11 at 18:30
  • 2
    @woliveirajr - ... or save it (depending on how important the information / desired end user action is) ;) – makerofthings7 Aug 03 '11 at 21:12
  • 2
    @makerofthings - I present the options to management - they choose the method, they change the method. multiwin! :D – Unreason Aug 04 '11 at 00:19
15

I consider myself to have high technical skills, and usually find myself skimming or simply ignoring these kinds of messages myself. However, I was installing a Google product recently that had the following header:

Please read this carefully - It's not just the usual yada yada.

Because of the light-hearted nature of this, I found myself reading the docs thoroughly, and have started using this technique in my job.

I've found that users generally read administrative messages when a physical/psychological connection is made between the sysadmin and user. This, in Google's case, was a jokey remark.

Another method that has proven successful is adding interactivity to your message with a very clear reward for interacting. Something simple like "Would you agree with this YES | NO" or thumbs up/down for certain policies, and a reward of print credit, for example.

Greg
11

Some points that come to my mind:

  • Be concise and precise. Messages that are too long are usually dropped.

  • Categorise messages by topic: maintenance, notice, important. And make the topic clear (but short).

  • If possible, configure the email client to colourise email headers by default. With a consistent set of rules you can get more attention. Make important things red, but don't abuse it.

  • Lastly, train your users. Organise awareness sessions to teach them how to react. Is the maintenance message important? What should I do when I receive an important notice? Who sends me notices?

M'vy
  • I like many ideas here and the idea to use colors to indicate action the user must take. I suppose the actions could be Act Now; Act when possible; Review; Ignore if past such and such date. Whether the email client adds colors, or it's a function of the body of the email may just be a technical decision. – makerofthings7 Aug 03 '11 at 21:06
11

One point is to only send out emails when it is important and critical that they be read - don't use them for normal newsletters or boring info - users will learn to ignore them very quickly.

For general security awareness, use different mechanisms every time, and make it interesting, worth their while or if those fail: mandatory, along with annual signoff of the corporate acceptable use policy for example.

As @RobertDavidGraham said - don't send them maintenance emails - these should come from ops or change management anyway.

Rory Alsop
  • Would be very interested in other types of email messages you send out. I know maintenance is a bad example, but I wanted something to illustrate information that expires after a certain date. – makerofthings7 Aug 03 '11 at 21:08
  • 1
    This was the answer I was looking to up-vote. If you want people to read your stuff, then make that stuff ***very*** rare. If you send a message more than once every 2 or 3 months: that is too frequent. And it can't be automated. – Ian Boyd Aug 05 '11 at 03:06
  • 3
    "it can't be automated" Fortunately or not, users are perceptive about the amount of effort you put into the e-mail. They have learned to ignore automated messages. If the e-mail comes from security@corporate.com they may not even open it. If it comes from Jane.Professional@corporate.com you stand a chance. – this.josh Aug 05 '11 at 04:20
7

I think you can't look at just one mail message. Having watched our IT and ITSEC groups evolve over the years, I've noticed that the common perception of them has to do with the overall body of emails they put out; nothing gets fixed with just a few great emails.

Here are some overall thoughts:

  • don't use just one communication medium - I know you want to solve this with 1 succinct email, but that may not be feasible. When something's important - mail it multiple times and make users aware of the repeats. Whenever a piece of information is out there in email, also have an archive on the internal corporate site that users can go to easily, and have it on the top of the pile for the guys doing phone support. When it's absolutely, bleedingly critical, consider posting signs at major exits.

  • help users prioritize - you've already listed a nice collection of typical types of messages. Some of these are drop dead must-know-on-a-deadline (ie, we are updating your computer, if you don't do what we tell you, it will take you 3 days to recover to a workable system), some are minor changes that may not affect them. For the big stuff, hit 'em hard. For the minor stuff - give them the tools, up front, to determine if they fit in an impacted group. This means you'll have to know enough about your users and how they define themselves to give your audience some baseline.

  • be aware, overall, of your noise to volume ratio - daily messages, no matter how well meaning, are going to get ignored. Users just won't care that much about security. Bundle big impact changes together, find a way of showing low priority FYI stuff as low priority, and be aware, overall, of how much information your department puts out as a whole.

bethlakshmi
  • I like the signs suggestion, I had forgotten about that. Of course signs lose their effectiveness over time. – this.josh Aug 05 '11 at 06:09
  • Yeah, they are good for rare use. My favorites were always the VIRUS Alert!!! ones - since they were an immediate, urgent problem and it cut down greatly on the "what the heck is that??" rumor mill when people started spreading the virus to each other. – bethlakshmi Aug 08 '11 at 14:24
6

Lol.

The first thing is to realize that users will generally ignore all your emails. Stop imagining that this problem can be solved.

Certainly, there are things you can do in order to make your emails read by MORE users.

No, HTML messages are not better. Studies have shown that users pay more attention to text messages than HTML pages.

The shorter the email, the better. The longer the email, the more likely the user is to ignore it. Or, if the user reads it, s/he will only read the first two sentences. Consider the reverse-pyramid of newspaper articles: the most important bit is in the first sentence, the first paragraph, the first section. The further you go down the article, the less important the information becomes, partly because readers are likely to get bored and bail before finishing the article.

Stop telling them what to do. "Close all applications and log off for patching" is a stupid email. A better one is "Your system will be restarted for patching; if you have open applications, you may lose data".

Stop sending them useless emails like "Maintenance will be performed at 11pm-6am. Expect a disruption in service". It doesn't apply to 99% of the users anyway, so why bother everyone with something that applies to 1% of the users? Those people working at late hours know that disruptions are likely due to maintenance anyway.

The more emails you send, the more likely they are to be ignored. Send as few as possible -- or even fewer.

Stop phishing your users, for example, by telling them they need to install a patch. When you send them such emails legitimately, they are more likely to fall victim to phishing attacks that look identical to the emails you sent, but which point to a false patch.

Yes, the FROM address is important. Yes, the subject is important. You can assume they read the subject line -- and that it's usually the only thing they read. Of course, if you try to put the entire email in the subject line, OR MAKE IT ALL CAPS, it's likely to be ignored.

Robert David Graham
  • The example of a security patch is definitively suspect; but I do want a legitimate example of something that the user must take action upon with urgency. Other examples are welcome, and thank you for the additional points you added. – makerofthings7 Aug 03 '11 at 21:10
  • 3
    "The more emails you send, the more likely they are to be ignored". How true! – George Aug 04 '11 at 08:11
  • 1
    Do you have any references for the studies? – this.josh Aug 05 '11 at 04:23
6

Observations:

Some users may understand that your message is important but still "leave it for later", or think that it's a good reference but put it aside for a time that "something bad happens" (it happens a lot with our awareness messages).

I also had to face the insistence of middle level managers that all messages addressed internally to the organization should follow a certain official style, a sure turn off for any user that would start reading them.

So, my 2 suggestions:

  1. Think about your audience. What makes them interested, what catches their attention, how they would best receive your message. They are your colleagues after all.

  2. Concentrate on the important messages, those being Awareness Training or Automatic Notifications. If they are really important, then compose them in a style that will make them "irresistible".

Some hints (mostly useful for awareness messages):

  • Drop official organization parlance, drop the legalese, be personal.

  • Try to think like your users, ask hypothetical questions that will make them think the "what ifs". Make your security talk exciting! And how about also making them a bit concerned of the safety of their own personal data? An exploited system could be used to steal personal as well as corporate data. Added bonus: they take the lesson home.

  • Use (color) text boxes that summarize your message. Their eyes will get them there.

  • Leave hints about their responsibilities in the organization.

George
  • I liked what you were saying right up till "scaring them a bit". In my opinion you need to establish trust with users. Never lie. Never be deceptive. Remember that a security role is about much more than just notification. You want them to come to you when they get a suspicious phone call asking for IP addresses. And when they accidentally download a virus. If they perceive you as playing a scary security role, you'll wind up reading IDS logs and wondering how the intruder picked the right IP and port on the first try. – this.josh Aug 05 '11 at 04:34
  • Thanks for the comment, I replaced "scaring them" with "making them a bit concerned of the safety of their own personal data". I didn't aim to deceive users or hide the truth but rather make them think that the consequences of "lax" security practices reach to a personal level. – George Aug 05 '11 at 08:20
4

One trick I've used with some success for things that require user actions is to send it out as a meeting request. The trick works for a few reasons:

  • People tend to respond to meeting requests.
  • Lets you create reminders before events requiring user actions.
  • Actually puts things like scheduled downtime in people's calendars.

I wouldn't do it for everything as it might get self-defeating, but for important enough stuff it makes sense.

Wyatt Barnett
  • 1
    Nice trick, but actually have a meeting. You can have attendance be optional (no one will come), but don't send out a meeting request if you are not having a meeting. No one (even users) likes being tricked. – this.josh Aug 05 '11 at 06:11
  • We were always careful to stipulate there isn't a meeting -- ie put the location as "office-wide" and stated "this is to help mark this period of downtime in your calendar". – Wyatt Barnett Aug 05 '11 at 21:01
2

Depending on the hierarchy of your organization, I have found a few things to be quite effective.

I email the managers or supervisors of the rest of the users; when they forward it along with a short "read this if you still need your job" type one-liner (usually not that crude, but you get the point), I'd say close to 70% of the users try to read the important bulletin that was sent out.

Second, I use a subject line that grabs attention. Below are a few examples, each with a brief explanation of the technical side.

Subj: Bad News - the email will contain something that we might consider bad news but the user might not even notice; however, we must document "what we do" in case lesser individuals, who have a hard time comprehending "what we get paid to do" in their own eyes, challenge whatever issue we "warned them about".

Subj: Compliance Issue or Compliance Audit - this usually gets my phone ringing, since PEOPLE DON'T READ the body of the message. It's usually something along the lines of renewing encryption services, but if my subject said that, then it would go ignored until the service is shut off due to lack of timely payment; then I have to work outside of regular business hours without additional compensation/overtime.

Subj: URGENT! (X Issues) - I use this only as a last resort. For example: URGENT! Client system WILL BE DOWN until the license is renewed. (You can probably tell that my company likes to pay everything LAST SECOND, and of course the work falls on me to "fix it".) At least with this subject and information in the email, when attacked by management on "why are we paying employees in branch offices who can't work in our system?! It's down/broken", I simply respond: if it is as urgent as you claim it is, then pay the renewal(s) on time to avoid the situation to begin with. Magically they have credit cards to re-purchase the licenses once this happens (every 6-12 months). YAY!

Subj: System Down - I use this to notify that a particular system is scheduled to be down for a certain time period for maintenance or updates/upgrades.

Lastly, and I guess I should have said this first: do not email more than you have to, and pictures seem to grab attention (provided that their email clients are configured to display them). Since I email most management only a few times a week, unless answering a question, my emails carry more weight than those of the other admin that I used to work with. Unfortunately, unless something is broken, most users still DON'T READ. As long as you have documented proof that someone was notified, your ground should be pretty solid. I always say, "If at first they don't understand what you are trying to say, lower your expectations." ;-)

Brad
2

The thing is that users who don't know much about computers don't care very much about email they don't understand. And also, as a second point, people just get used to similar emails coming often and start not reading them.

Can you do something against that...probably not so much.

I would recommend putting some category in your email as a title. I would recommend making a COLOR CODE for each category. I would recommend writing a short statement at the start of the body, and the long detailed information right after the short statement.

Also, take care of the words that you will use and try to understand that some people aren't familiar with computer technical terms. Avoid using them or if they are used then define them.

Consider what non-technical people think when you warn them about a virus. They think they have a beast in the machine...and nothing else.

Be pedagogical with them. Use words that they know. Be clear on what they should do.

Scott Pack
Xenus98
2

For virus alert mails, in addition to changing the message content, ensure that the message From: header indicates it's from the user's line manager. CC that person too. Isn't that cheating? No. It's the line manager's responsibility to ensure that policies are disseminated and followed by their reports, so you're sending the message on their behalf.

For downtime and maintenance notifications, there are two factors: the first is to avoid disrupting users to do maintenance. The second is that you should consider notifying users via broadcast or message-of-the-day systems, because, as you've found, e-mail isn't a good medium.

  • 1
    I don't like being deceptive. I feel that you need to have user's trust to get their cooperation. I think sending the e-mail on the manager's behalf is fine if you get the manager's permission ahead of time. – this.josh Aug 05 '11 at 06:15
2

If you really have something to say (not the "expect disruption" type of email), you can put the recipient's name in the subject. Yes, this is what spammers usually do.

A subject like "Richard, please take a look immediately" gets attention and gives you about 10 seconds to express the problem in short (i.e. explain that the policies changed, the software is updated, etc.).

Please never use this for any autogenerated messages.
And make sure the From address is whitelisted on all computers.

Dan
  • 1
    +1 on the custom subject, but it may be seen as Spam if Richard prefers to be called Dick. – makerofthings7 Aug 04 '11 at 15:02
  • 5
    @makerofthings whereas very little spam mentions Dick. –  Aug 04 '11 at 19:32
  • @Graham O.T. I used to have an [English teacher named Gay](http://en.wikipedia.org/wiki/Bob_Saget). I pity the IT Admin who needs to manage these 'character building' names in any Anti Spam deployment. – makerofthings7 Aug 04 '11 at 19:47
2

Many excellent answers here; the only thing worth adding is, for the RARE case that you really require users' attention and/or response, many email clients (e.g. Outlook) allow the sender to designate a reminder date/time, at which time the client would actually pop up a reminder message box.
Please do use this sparingly, though, as it is quite intrusive - though it's very helpful if you need it. (If you overuse it, it will be overridden/ignored.)

AviD
0

The only way to really get things done via email alone:

  • ACTION REQUIRED in the subject
  • Some way to indicate they read it or did the requested action.
  • Escalation to manager if they don't.
  • Escalation to manager's manager if they still don't.

Because no matter what you do in your email, a good percentage won't even open it.