In January 2021, Rachel Tobac came up with a silly take on a serious topic: A sea shanty-like video in which she sang a tale about the importance of password security and multi-factor authentication. It came complete with a hauntingly harmonized chorus that includes the words, “Soon may a criminal come to steal your pictures and data and run.”
Tobac, the CEO and cofounder of SocialProof Security, spends a lot of time thinking about how to educate people about the importance of protecting their digital data. At the time, she said, sea shanties were trending on TikTok, so the genre felt appropriate; she tweeted her video thinking it would be fun (and possibly helpful) to others.
She soon realized she had tapped into something bigger: Corporate training sessions — whether done in person or via video — are often boring and hard to remember. And dozens of companies reached out to her in the wake of her tweet, asking if they could use it as part of their security awareness training. She said sure, offering it for free, and about half of those who used it later told her the song made it easier to get employees to sign up for password managers and enforce the use of multi-factor authentication. They asked her to make more music.
Now, what started as a fun side project is a real product that SocialProof Security, which trains companies’ employees on information-security topics via workshops, trainings, and hacking demonstrations, is selling to its customers. The company is making slickly packaged music videos, such as a country western tune about how to spot a phishing scam.
Tobac posted a trailer introducing the music videos on Twitter in early August, including a ditty called “Don’t Get Hacked,” which has an ’80s pop vibe. Within two days, 140 companies reached out asking for demos of her company’s music-video approach to information security, and a number have already signed up as customers. (Tobac wouldn’t name specific companies that signed up for the music video product, but in general SocialProof Security’s customers include a wide range of large companies such as Google, Meta, Lululemon, and Prudential, as well as the US Air Force and some universities.)
“I think it really shows that many different companies, not just in tech, are looking for something that’s a lot less boring,” she said.
To make the videos, Tobac came up with a list of topics to cover — ranging from social-media safety and password management to malware and ransomware — and gave songwriters a list of details each song should include, as well as ideas for lyrics.
Tobac said she explained to songwriters, “This is the type of content I’m trying to make: like ‘Schoolhouse Rock!’ but a little more modern and in different genres.”
Watching SocialProof’s music video about how to avoid phishing attempts shows the results: It’s cheesy, with its country-western tune, cowboy-hat-and-boots-wearing singer, and choreographed line dances in an office. But it’s also toe-tappingly fun and, occasionally, catchy (and yes, it includes some basic facts about avoiding falling for a phishing scam).
Johnathan Yerby, an associate professor at Mercer University who studies cybersecurity, thinks it’s a great idea to use music videos to communicate about information security. He cautioned that it may not be possible to include (or for viewers to absorb) all the relevant information in a single video, however, particularly if it goes by quickly while people are line dancing.
The biggest challenge with training employees on this particular topic, he said, is simply getting them to care. He hopes music videos can make it more approachable.
And while many people may find information security music videos fun (or at least more fun than watching a typical corporate training video or listening to a presentation), Tobac knows they’re not for everyone. She conducted research before creating the videos and found that about 20% of people are really not interested in learning about digital security issues via singing and dancing. For that audience she has a more staid solution in spoken-word videos that cover the same subjects.
Tobac, who in 2019 used her social engineering skills to hack CNN’s Donie O’Sullivan’s data, said the company has completed the “Don’t Get Hacked” and phishing music videos so far. It plans to film a video for a song about password security (the audio for which sounds like a ’90s alternative-style track) and a track about the perils of over-sharing on social media (a contemporary pop confection) in the coming weeks. Her company plans to release more songs quarterly, and eventually she hopes to have a collection of 12 videos representing various genres of music and information-security topics.
“There’s just so many more topics that we can cover,” she said.