Inspiration unlocked: 50 Cybersecurity Awareness Month ideas for CAM 2024

Every year, a dizzying high number of people face the consequences of cyberattacks. These attacks not only cost organizations billions. They also leave a devastating impact on individuals.

We know, if you’re reading this, you get it. You already understand the importance of safeguarding your organization and people from cyber threats.

Still, we’ve got to get this off our chest: Simply having technical security measures in place isn’t enough. 

Being 500% sure that everyone in your organization understands the risk—and knows how to behave securely—is crucial.

2023 was a landmark year, when CAM turned 20 years old. Since its inception by the National Cyber Security Alliance (NCSA), this global event has grown exponentially. 

Today, millions participate—and 2024’s set to be the biggest and best yet.

Part 1: “Securing our world”

The 2024 CAM theme shares its name with CISA’s newly launched cybersecurity awareness program. This theme, says CISA, “recognizes the importance of taking daily action to reduce risks when online and connected to devices.” 

The campaign outlines four simple actions everyone should take, not just in October, but throughout the year to stay safe in the workplace.

These four actions are:

• • Recognizing and reporting phishing
  • Using strong passwords
  • Turning on MFA
  • Updating software

If you’re measuring and tracking these actions as security behaviors, here’s the list you’ll need:

• • [SB003] Uses strong passwords
  • [BS209] Uses a password manager
  • [SB001] Turns on multi-factor authentication
  • [SB088] Checks emails for signs of phishing
  • [SB161] Reports phishing
  • [SB013] Reports known or suspect security incidents
  • [SB208] Ensures work devices and software are regularly updated

Is this the most human-friendly theme yet?

Maybe. Allow us to preach to the choir for a sec.

Human nature, are we right? It’s a tricky beast. Knowledge does not bring about behavior change. Being lectured doesn’t work. Being tricked doesn’t work. Campaigns that clash with natural human behavior don’t get far.

But CAM’s theme is human-friendly, because it’s all about simplicity, small steps, and routine. 

Let’s explain further:

It swerves security fatigue: Constant vigilance is overwhelming. By focusing on daily actions and manageable tasks, this theme makes it easier for people to maintain good security habits.

It highlights the positive: It focuses on the benefits of taking action. Science shows this can be more motivating than waving the scary consequences in our faces. It creates an opportunity to show people how good security practices can help protect their privacy and give peace of mind.

It’s about increments, not overhauls: Small, daily changes add up. Over time, people can achieve a significant improvement in security posture, almost without noticing.

It draws on social influence: The more universal a behavior seems, the more likely we are to do it ourselves. When people see others taking steps to improve their cybersecurity, they are more likely to follow suit. By promoting the idea that daily cybersecurity actions are a normal part of online life, we develop a social ‘consciousness’ of security awareness.

All the more reason for this wonderful community to jump on this theme and make the most of it!

We already educate people on cybersecurity, so why should I bother with CAM?

CAM isn’t just about educating people. It’s about engaging. It’s about igniting excitement. It’s about making people feel they’re playing an active and important role in the solution.

We all know tackling cybersecurity can feel like an uphill battle. It may seem like cybercriminals are always one step ahead.

But the last thing you can afford to be is jaded. And why would you be, when security awareness can actually be, well, fun?

So, in this blog, we tackle the burning questions many cyber pros ask themselves as October 2024 approaches:

• Why is cybersecurity awareness month important?
• How can I make it impactful and drive meaningful change?
• How can I ensure awareness of cybersecurity risks and promote self-protection?
• What mistakes should I avoid for a successful cybersecurity awareness month?
• How can I engage and inspire others about cybersecurity?
• How does behavioral science apply to leading a successful CAM?
• How do I tailor messages to different audiences and knowledge levels?
• How can I use social influence to foster a strong security culture?
• How can I make the consequences of security breaches tangible and relevant?
• Does gamification, positive reinforcement, and autonomy actually boost engagement?

Cybersecurity Awareness Month is your chance to make a difference. And this guide is about to make it easy. Impactful. Fun. Memorable.

Why is Cybersecurity Awareness Month important?

There are tons of reasons why cybersecurity awareness is important. Here are some of the biggest ones:

• • Cyber attacks are on the rise. The number of cyber attacks has been increasing in recent years, and the cost of these attacks is also on the up. In 2021, IBM said the average cost of a data breach was $4.45 million.
  • The human factor is a major contributing factor. Even the most secure systems can be compromised by the wrong behavior.
  • Cybersecurity needs everyone’s support. It’s not just cybersecurity and IT professionals. Everyone has a role in protecting their organizations and themselves.

You and your team may have overall responsibility for protecting your organization.

But you can’t do it alone.

That’s why it’s important for everyone to be aware of cybersecurity risks and to take steps to protect themselves…and their organization.

Harnessing behavioral science for a stellar CAM campaign

CAM is your opportunity to enhance your people’s understanding of cyber threats and foster a security-conscious culture. 

To make CAM count, it pays to tap into the power of behavioral science. (Not to brag, but if anyone knows us, behavioral science is what we do, day in, day out.) 

By understanding how people think, make decisions, and respond, you can design strategies for meaningful change.

So, here’s a rundown of some little nuggets of psychology. And how they can help you make the most of CAM within your organization.

1) Call out human uniqueness

People are susceptible to cognitive biases and social engineering tactics. 

For example, the availability heuristic leads us to overestimate the likelihood of events that are easily recalled. This can make us more likely to fall for phishing emails that reference recent news events. 

The bandwagon effect also leads us to conform to the behavior of others. This can make us more likely to click on a link in an email if we see that other people have already clicked on it.

To address these vulnerabilities, CAM campaigns should tailor messages to address specific biases and highlight common tactics. 

For example, a campaign could remind people to be wary of emails that reference recent news events. Or it could explain how the bandwagon effect can lead us to make poor decisions.

2) Tailor messages to different audiences

Not everybody has the same level of knowledge or engagement with cybersecurity. (You may have noticed.)

CAM campaigns that segment people and tailor messages accordingly are demonstrably more effective.

Don’t let perfect be the enemy of good. Some segmentation is better than no segmentation. Start where you can, and build your segments gradually. Use them to tell compelling “data stories” to your senior stakeholders.

3) Harness the power of social influence

Human behavior is significantly influenced by social norms and peer pressure. 

CAM campaigns should encourage people to share their experiences. Give them opportunities to discuss best practices and recognize positive behavior. This helps to create a culture of cybersecurity awareness and responsibility.

4) Highlight short-term consequences

People tend to prioritize short-term outcomes over long-term consequences. 

So, CAM campaigns may highlight the short-term consequences of a security breach. For example, a campaign could emphasize the fallout of a phishing attack, from financial loss, to reputational damage, to personal data exposure.

5) Bake in gamification & positive reinforcement

Incorporating elements of gamification and positive reinforcement can boost people’s engagement. 

Interactive quizzes, challenges, leaderboards, and reward systems improve the learning process and increase engagement.

6) Permit autonomy & ownership

People have a fundamental need for autonomy and a sense of ownership. 

CAM campaigns that inspire, rather than finger wag, empower people to take ownership of their own cybersecurity. It makes them far more likely to engage and behave securely, like reporting suspicious activity.

7) Reinforce (positively)

Psychology tells us information is forgotten over time if not reinforced. 

Provide ongoing reinforcement and refreshers throughout the year. Keep on top of regular reminders via newsletters, blogs, nudges, alerts, and continuous learning opportunities. It all helps keep cybersecurity top of mind.

Part 2: Planning for value, impact, and proof

Every year during Cybersecurity Awareness Month, amazing work is done by the community; to support, guide, & educate people, to highlight new threats, to reinforce best practice, and to strengthen relationships within organizations.

But…

One of the biggest differences between Human Risk Management and Security Awareness & Training, is planning the impact of your activities—beyond ticking the compliance box—before you start!

What is it you’re trying to achieve?

Which security behaviors do you want to influence?

Which business risks are you going to reduce?

Taking the time to understand this before you start your Cybersecurity Awareness Month planning will make it easier to demonstrate the value of your activities when you’re done.

The Security Awareness Planning Tool

Identifying key business risks, in order to link them to people’s behavior, in order to improve the behavior through targeted training and other interventions is one of the first steps on the road to Human Risk Management.

By the end of Cybersecurity Awareness Month we want you to be able to show the specific security behaviors your activities have influenced, and the risks that were impacted as a result.

We’ve built a simple, lightweight planning tool based on the Security Behavior Database, or SebDB.

CybSafe’s Security Awareness Planning Tool lets you map your activities, initiatives, and awareness efforts to the 8 SebDB risk-outcomes, as well as a range of risk factors defined by your organization.

The tool will show you the risk coverage your activities have.

Using the Planning Tool is easy. Simply select the activity you’ll be undertaking, link it to a behavior, and let the tool show you the risks your activity covers.

Part 3: Free Cybersecurity Awareness Month resources

50 activity ideas for Cybersecurity Awareness Month 2024

With your planning tool setup, you’re ready to start the creative process!

Your brain’s probably already bursting with ideas, but it’d be remiss of us not to spill some of our favorite ideas. So here are a 50 activity ideas to ignite your CAM campaign:

27. Organize a game where participants test their wits against a hypothetical hacking challenge.

28. Share daily cybersecurity tips throughout the month.

29. Set up a live attack simulation game, where participants learn about security vulnerabilities.

30. Extend awareness to people’s families by hosting a drop-in day for loved ones to stop by and set up their personal devices securely.

31. According to CISA, a child between 8 and 18 years old will spend 7 hours and 38 minutes online per day, so why not share some ‘cybersecurity for kids’ resources (like this CISA booklet) for people to look at with their families. 

32. Tailored presentations hosted by senior leaders, given to their respective teams, emphasizing key messages and risks.

33. Interactive sessions showcasing real risks, like password cracking or love-themed examples, to demonstrate potential vulnerabilities.

34. Suggest on-topic movies like The Net (1995) and encourage people to identify security issues while watching.

35. Introduce the security team through a video to make them more approachable for questions and concerns.

36. Invite guest speakers to share insights on cyber threats and prevention.

37. Organize a dedicated whole day for security awareness, featuring workshops, sessions, and presentations focused on different aspects of cybersecurity.

38. Host an open-source intelligence (OSINT) workshop to educate people about the risks of oversharing personal information online.

39. Myth-busting sessions to squash common cybersecurity misconceptions.

40. Encourage people to customize their video call backgrounds with cybersecurity messages and images.

41. Swag like t-shirts, mugs, or stickers to create a sense of belonging and enthusiasm.

42. Appoint cybersecurity ambassadors from different departments to help promote awareness and to answer questions.

43. Recognize people’s participation with badges, certificates, or email signature badges.

44. Incorporate a range of themes into your activities, from tech-centric topics to those focusing on the wellbeing aspect of cybersecurity.

45. Activities that encourage people to “think like a hacker”.

46. Start a book club focused on cybersecurity literature to encourage continuous learning.

47. Create a promotional video featuring staff members highlighting that cybersecurity is everyone’s responsibility.

48. Develop games that simulate phishing scenarios to help people recognize phishing attacks.

49. Use a storytelling approach, with daily themes like physical security, phishing, ransomware, and business continuity.

50. Viral campaign: Leave cryptic clues in key places, in both digital and physical work spaces. Let natural human curiosity do the rest!

You know best what will work in your organization. And you’re more than capable of choosing activities that fit your organization’s needs, while engaging your people. You have the power!

The security awareness toolkit: must-have resources to boost your campaign

Here at CybSafe, we take pride in our science-based, expert-led approach to cybersecurity. It’s been proven to be highly effective in helping organizations reduce their risk of cyberattacks. 

And, frankly, this is stuff that’s too good not to share. So, we’re dropping the link here…!

Security Awareness Engagement Taxonomy

Our audacious scientific pioneers, supported by the SebDB Community, have researched and categorized 30+ approaches to boost security awareness engagement.

Organized by cost, tactic type, and effort, this framework helps prioritize where to deploy your (often limited) resources.

Security awareness blogs

Exclusive to the toolkit, access to EIGHT story-style blogs:

• • Are you really a target? guides people through how to assess their risk and take steps to protect themselves.
  • Security incidents: Your role helps people understand their role in responding to security incidents.
  • Passphrases helps people to use and remember strong, unique passphrases.
  • Working remotely looks at safe practices for working outside of the workplace.
  • Spotting fake emails, featuring James Linton will transform people into laser-eyed fake-email-spotting pros.
  • Sophisticated attacks shows people how to identify and defend against the latest, social engineering attacks.
  • Protecting your devices helps people keep their devices safe from malware and other threats.
  • Preventing identity theft explores how people can protect their personal information.

30+ proven ways to increase security awareness engagement webinar

Human-related security incidents continue to plague organizations of all kinds.

But ask yourself, how many tactics are you using to drive engagement? If you can count them on one hand, it’s time to put aside an hour to listen to this.

In this on-demand webinar, we asked leading industry voices from Meta, New York Life and Raytheon Technologies to help us identify how to create a culture of security awareness in your organization.

Part 4: Tips, tricks, & things to avoid 

There have been many inventive CAM campaigns over the years, but here are a few of CybSafe’s favorites…

Creative CAM campaigns that made a splash

The University of California, Berkeley created a Cybersecurity Scavenger Hunt that challenged students to find hidden security vulnerabilities on campus. We love how they used gamification to make it fun and engaging for students to learn about cybersecurity risks. This taps into the psychology of motivation, as people are more likely to learn and retain information when they’re having fun.

The City of San Francisco created a cybersecurity comic book that told the story of a group of hackers who try to steal the city’s data. This was a creative way to reach out to a younger audience and teach them about cybersecurity risks. This uses narrative persuasion, which is a powerful way to communicate information because it appeals to our emotions and helps us to understand complex concepts.

The National Cybersecurity Alliance created a cybersecurity selfie challenge that encouraged people to take selfies with cybersecurity messages. This was a fun and social way to raise awareness of cybersecurity risks. This uses social proof, which is the tendency for people to follow the lead of others. When we see that other people are taking selfies with cybersecurity messages, we’re more likely to do the same.

The University of Texas at Austin created a cybersecurity escape room that challenged students to solve puzzles and find clues in order to escape from a locked room. This was a fun and interactive way to teach students about cybersecurity risks. This uses experiential learning, which is a type of learning that occurs when we actively participate in an activity. This type of learning is often more effective than traditional forms of learning, such as reading or listening to lectures.

 

The Seattle Public Library created a cybersecurity trivia night that challenged people to answer questions about cybersecurity. This was a fun and social way to raise awareness of cybersecurity risks. This uses gamification, which is the use of game-like elements in non-game contexts. Gamification can be a great way to make learning more fun and engaging.

 

Capital One created a cybersecurity training arcade that allowed employees to learn about cybersecurity risks in a fun and interactive way. This was a great way to engage employees and teach them about phishing, malware, and other cybersecurity threats. This uses operant conditioning, which is a type of learning that occurs when we’re rewarded for our behavior. When employees are rewarded for learning about cybersecurity, they’re more likely to continue learning and practicing safe behaviors.

 

Visa created a cybersecurity theater that put on a series of plays about cybersecurity risks. This was a creative way to reach out to a wider audience and teach them about cybersecurity risks. Like the comic book, this used narrative persuasion to great effect.

 

The “This is Personal” campaign by the UK government is a powerful campaign that highlights the human cost of cyberattacks. This campaign features real-life stories of people who have been affected by cyberattacks. It’s been praised for its emotional impact. This uses emotional appeals, which are a powerful way to persuade people.

These are just a few of the many inventive CAM campaigns that have tickled our fancy. They demonstrate the power of creativity and innovation in raising awareness of cybersecurity risks.

Cybersecurity Awareness Month mistakes (to avoid)

Let’s be real: Heaps of options doesn’t mean you can’t get it wrong. While we applaud experimental and innovative approaches, we can learn plenty from the experiences of others. Our incredible SebDB community put their heads together, and they came up with a list of lessons learned from past CAMs.

Mistake #1: Procrastination on the prep: Delaying getting started can lead to rushed plans and missed opportunities for impact. Start working on your plan early, ideally around January.

Mistake #2: Overcomplicating the approach: It’s natural to want to build on past years’ content and cover lots of ground. But if you make it too complex you’ll lose people. Don’t be afraid to reuse content from the past. Quality, not quantity.

Mistake #3: Assuming people already know a lot: Just because people have been taught how to stay safe, it doesn’t mean they remember and are doing it. Start from the beginning. Be thorough. Avoid gaps in understanding.

Mistake #4: Underestimating the importance of budget: It’s so easy to neglect proper budget planning for your CAM. But having enough money makes sure you can amplify the impact of your activities and help you deliver an engaging experience. Money matters.

Mistake #5: Not making it fun! Yes, cybersecurity’s a serious issue. But talking about it doesn’t have to be. An enjoyable learning experience is a memorable learning experience.

If you sidestep these hurdles and sprinkle some behavioral science, creativity, and innovation into your cybersecurity awareness campaigns, you’ll be galloping your way to success.

Tips from the pros!

We also asked our panel of pros to explain what has worked well for them in past years. Here’s what they hit us with…

Junell Felsburg, Sr. Director of Cyber Security and Infrastructure, The Columbus Foundation

“While it is easy to assume everyone shares the same foundational understanding of cybersecuritycyber security, the truth is each individual brings their unique perspective and experiences to the table. As cybersecuritycyber security professionals, we must recognize this diversity as the strength it is, and tailor our messaging accordingly.

 

Using storytelling, we can transform complex concepts like threat and risk management into captivating tales that resonate with our audience. For instance, we might liken the challenges of defending against cyber threats to the heroic struggles of knights protecting an ancient castle, or use a narrative of cunning assassins to illustrate the dangers of phishing attacks.

 

But storytelling isn’t just about entertainment—it’s about engagement and empowerment. By sparking curiosity and fostering a deeper understanding of cybersecurity issues, we can encourage our communities to ask questions, seek further knowledge, and take proactive steps to enhance their digital safety.”

Stu Walton, Deputy Director of Digital & IT Services, Newman University

“While we’d love all our staff to have the intrinsic motivation to behave safely and engage in activities over Cyber Awareness Month, we know sometimes they need a little recognition for the additional engagement they give throughout the month.

 

When it came to running my first Cyber Awareness Month, I gave out certificates to participants for the events we had on. All staff who had engaged with us over the month got a signed certificate, hand-delivered.

 

Admittedly, we are a single-site campus where nowhere is more than five minutes’ walk, but it was amazingly effective. Walking into shared offices with a sheaf of certificates and handing them to staff was great for me and them, because I got to see the joy on their faces for recognizing their contribution. Not to mention their colleagues who didn’t get one asking why, and I could then point them to additional resources or any activities we had coming up.

 

The personal touch was really in keeping with our organizational culture and made a big impression. So much of our work and communication is digital; I think people really liked having something tangible to show for it. I’ve since discovered that they love pin badges, too!”

James Mountford, Security Awareness & Culture Lead, AVEVA

“Running an inclusive and engaging security awareness month encourages autonomy and ownership within our workforce. We had a variety of activities for colleagues to participate in.

 

By offering a range of options and training opportunities, employees are empowered to take ownership of their own security journey. Participation in these initiatives not only equips employees with the necessary knowledge and resources, but also instils a culture where reporting suspicious activities is encouraged and celebrated. This multifaceted approach helps colleagues feel in control of their own security, which makes them more likely to report suspicious activity and create a safer digital and physical space.”

Nick Allen, Information Security Specialist, Just Eat Takeaway

“After using SebDB to target our key behaviors, we were able to implement nudges as a form of light reinforcement for colleagues, and saw an enormous change in behavior as a result.”

Louise Cockburn, Information Security Awareness and Culture Manager

Last year as part of our CAM events, we put together a series of videos and a panel talk from some of our security operations team. They talked about their experiences with common security attacks, like account takeovers and social engineering, and the habits they formed to combat these threats. Kind of a, “I work in Security and this is one thing I ALWAYS/NEVER do!”

 

Stories and storytelling are really effective ways to impart messages – especially around topics that can feel dull, technical, scary, or abstract. We found that hearing what our team of very technical and skilled security pros have witnessed or even experienced themselves was really impactful, creating a lot of engagement and discussion in both the video comments and during the panel talk (the themes of which were great qualitative metrics for us to note!).

 

Not only that, but it helped ‘humanize’ security as a function – which can often be perceived as a bit intimidating and unapproachable.

 

From a social proof point of view, if someone who works full time in security has been sufficiently moved to make a habit change and says a certain habit or behavior is a MUST, it lands with clout, and harnesses that persuasive “appeal-to-ethos” effect (we’ve seen a similar effect with talks and webinars we hosted featuring subject matter experts from a variety of fields).

 

As an event, this was a very simple case of having some of the team do a very informal video which we then edited and published internally over the course of the month. The panel we hosted through Teams, and used the corporate calendar, email, and comms channels to publicize.

 

Metrics & measurements of success:

 

• Attendance (conversion of ‘accept’s to actual attendance on the webinar)

• Video analytics (views, like, comments, dwell time)

• Trackable link to the recording

• And, a more manual note of the discussion throughout the panel talk – themes, questions, concerns, and questions in the chat

Before we go…

Let us say it again: You have the power to make a real difference here. By being smart about your CAM game, you can upgrade your organization’s security posture and inspire people to take steps to protect themselves and your organization.

We believe that people are the key to iron-clad cybersecurity. That’s why our solutions are engaging, educational, and effective. (And frankly, if you haven’t booked a demo yet, what are you even doing with your life?)

Chances are your brain is bursting with ideas by now and you’re entering planning mode. We’d love to know how your CAM went down and what you got up to, so feel free to tag us in your socials so we can live vicariously through you.

Here’s to securing our world, and making #CAM2024 count.