CyberStreetWise

February 01, 2015  |   Blog

Other than educational initiatives for schools, governments haven’t traditionally run large-scale security awareness campaigns directly to the public. This has changed in the United Kingdom with the introduction of the CyberStreetWise campaign. CyberStreetWise is a cross-government campaign funded by the National Cyber Security Programme using a variety of creative, digital, and communications agencies. The campaign website features interactive security advice and educational videos for home users and small businesses. The objective is to help reduce the susceptibility of home users and small businesses to on-line threats. The campaign is innovative not just because of the broad coalition of partners that have been brought together, but also because of the channels being used to deliver the content. To find out more about the campaign ...

Keeping IT Simple

January 01, 2015  |   Blog, Safety, Security Economics

The landing gear light indicated a problem. The captain, first officer and flight engineer of Eastern Air Lines Flight 401 tried to figure out what was wrong. They removed the light assembly and the flight engineer left his position to go to the avionics bay and investigate. They were so preoccupied with a burnt out light bulb that they didn’t notice the altitude alarm which started sounding at the flight engineer’s workstation. The autopilot had been accidentally disengaged and the Lockheed Tristar hit the ground at 229 miles an hour near Miami International Airport. The crash in December 1972 was ...

Leveraging Existing Audience Beliefs

December 01, 2014  |   Blog, Mental Models

When it comes to security awareness, there’s no such thing as a blank canvas. Your audience will already have pre-conceived notions about your topic. The language, tone and media you use will invoke associations in people’s minds, both helpful and unhelpful. These associations will influence how people view the root causes, likelihood and potential outcomes. A good example of the mental connections people make between concepts is found in word association. For example, you say email, someone else thinks of spam. You say security awareness training, they think of ...

Saying What You Mean

November 01, 2014  |   Blog, Risk Psychology

It’s been a bad month for marketing claims. Red Bull have agreed to pay $13 million to settle a lawsuit and “avoid the cost and distraction of litigation”. Apparently, while drinking Red Bull might make you feel like you’re flying it doesn’t actually give you wings. Privacy provider Whisper advertised itself as “a safe place for our users to anonymously share their innermost thoughts, secrets, and feelings”. Despite claiming that it doesn’t track IP addresses or geolocation data, it’s alleged that Whisper actually tracks both…and…wait for it…shares it ...

Comprehensive versus Comprehension

October 01, 2014  |   Blog, Risk Compensation, Security Metrics

I had a very strange encounter with a PCI auditor recently. On viewing my client’s security awareness portfolio he refused to sign it off as meeting PCI requirements because it didn’t cover ‘everything’. It got me thinking. There are two schools of thought when it comes to communicating risk. The first is the comprehensive approach where all the facts are presented. As part of this mindset, most organisations require their staff to read and agree to a security policy which is usually long and written in formal, contractual language. ...

Making fun of Security

August 01, 2014  |   Blog, Risk Psychology

Information security awareness is about marketing a message in a way that has a positive impact on the audience. The message needs to either alter people's perceptions of risk, help people understand cause and effect, or motivate them to control risks. The marketing industry has been doing this for years and is arguably the expert in 'selling' behavioural change. The first rule of marketing is that you need to attract and hold the interest of your audience. To do this reliably, a message needs to have emotional affect. Advertisements can ...

The Power of Stories

July 01, 2014  |   Blog, Risk Psychology

Some of the greatest advances of human civilization are normalized over time and are eventually seen as ordinary. Fire, electricity and the combustion engine all revolutionized human existence but are no longer seen as exceptional. Another significant advance which is largely taken for granted is language. That is, our ability to communicate and share experiences outside of our immediate existence. The ability to communicate has meant that we don’t have to personally suffer from a hazard to be wary of it. It has also meant that we can pre-equip people with ...

Where NIST SP800-50 Went Wrong

May 01, 2014  |   Blog

The National Institute of Standards and Technology (NIST) is updating 800-16 (A Role-Based Model for Federal Information Technology/Cybersecurity Training). Many will be familiar with NIST 800-50 (Building an Information Technology Security Awareness and Training Program) which was published in 2003 and has aged badly. In many regards, the problems with 800-50 stem from how the security awareness problem was framed. For example, the term ‘awareness’ is not actually defined in 800-50. How to raise security awareness is discussed over 70 pages but we don’t actually decide if it’s ...

Information Security Policies

April 01, 2014  |   Blog

A good information security policy is normally the starting point when promoting security awareness. However, organizations often implement policies in very different ways. Surprisingly, despite security policies being common practice for decades, we still have trouble agreeing what a good security policy looks like. Too long, too short, too dictatorial, too polite. It’s a subject of much debate that won’t be resolved any time soon. Information security policies are a common way of managing information security behaviors. They set out the organization’s security objectives as well as the roles and responsibilities ...

The Ethics of Indiscriminate Surveillance

March 11, 2014  |   Blog, Surveillance, Trust

Have security professionals helped make the privacy of citizens around the world ‘collateral damage’ in the hunt for terrorists? Due to Edward Snowden’s disclosures we are now aware that millions of people have been unwittingly monitored by systems of indiscriminate surveillance. Many of these systems, having been developed in secret, were only possible due to the support of a large number of security professionals. We can suppose that the creators and operators of these systems are attempting to achieve legitimate objectives on behalf of their respective societies. What is less clear is if these systems do more harm than good ...