Criminals and Moral Codes

July 01, 2015 | Blog, Organisational Culture, Risk Psychology

Should we try to reason with criminals? Is the threat of punishment the only influence that criminals will respond to? What should we do when we suspect people are taking data with them when they leave a company, leaking to the competition or stealing equipment from the office, but can’t prove it? As well as trying to manage criminal behaviour with appropriate detection and punishment mechanisms, we should also appeal to people’s moral codes. Moral codes are intrinsically linked to people’s sense of self-worth. People’s sense of self-worth is ...

Moral Hazard

June 01, 2015 | Blog, Safety, Security Economics

In our efforts to promote secure behaviour, our task is often made more difficult by the fact that the people we need to influence are frequently not the same people who would suffer in the event of a security breach. Typically, the people who would suffer most in the event of a breach are the shareholders, data subjects or senior management. Employees and contractors don’t necessarily have the same level of care. Sometimes there are circumstances where the person managing the risk is the same person that would suffer, ...

The Security Culture Framework

May 01, 2015 | Blog, Organisational Culture, Risk Psychology

Long suffering readers of this column will be familiar with the importance of security culture in driving behavioural change. This month I caught up with Kai Roer, founder of the Roer Group and author of Build a Security Culture. Kai has created a free resource called the Security Culture Framework and runs a blog at Roer.com. What is security culture? Security culture is security awareness that actually works. Culture can be defined as the ideas, thoughts and behaviours of a particular group or people, meaning it is the ...

Surveillance, Security Professionals and Small Fish Thinking

April 01, 2015 | Blog, Surveillance, Trust

Most people have no idea of the dozens of ways that their information could be used to cause them harm. As security professionals, we try to raise awareness that all information and computers have an intrinsic value: that no matter how small or trivial, someone out there would like to steal it, leak it or hack it. Many people have a ‘small fish’ mentality and can’t imagine anyone in the great internet ocean would be interested in a boring barnacle or a minnow with hardly any money. Well, everything in the ocean has a predator. While a degree of naivety can ...

The ABCs of Security Behavioural Influence

March 01, 2015 | Blog, Risk Psychology, Security Economics

So you’re an IT geek and you’ve just been put in charge of your organisation’s security awareness? If only there was a manual or a white paper about how to program those tricky humans to be more reliable. Unfortunately, there’s no such batch job as fix_humans. The next best thing is to build your understanding of workplace psychology and behavioural influence. Managing human behaviour in the workplace can be challenging, but for those interested in a structured approach to influencing user risk taking ...

CyberStreetWise

February 01, 2015 | Blog

Other than educational initiatives for schools, governments haven’t traditionally run large-scale security awareness campaigns directly to the public. This has changed in the United Kingdom with the introduction of the CyberStreetWise campaign. CyberStreetWise is a cross-government campaign funded by the National Cyber Security Programme using a variety of creative, digital, and communications agencies. The campaign website features interactive security advice and educational videos for home users and small businesses. The objective is to help reduce the susceptibility of home users and small businesses to on-line threats. The campaign is innovative not just because of the broad coalition of partners that have been brought together, but also because of the channels being used to deliver the content. To find out more about the campaign ...

Keeping IT Simple

January 01, 2015 | Blog, Safety, Security Economics

The landing gear light indicated a problem. The captain, first officer and flight engineer of Eastern Air Lines Flight 401 tried to figure out what was wrong. They removed the light assembly and the flight engineer left his position to go to the avionics bay and investigate. They were so preoccupied with a burnt-out light bulb that they didn’t notice the altitude alarm which started sounding at the flight engineer’s workstation. The autopilot had been accidentally disengaged and the Lockheed TriStar hit the ground at 229 miles an hour near Miami International Airport. The crash in December 1972 was ...

Leveraging Existing Audience Beliefs

December 01, 2014 | Blog, Mental Models

When it comes to security awareness, there’s no such thing as a blank canvas. Your audience will already have preconceived notions about your topic. The language, tone and media you use will invoke associations in people’s minds, both helpful and unhelpful. These associations will influence how people view the root causes, likelihood and potential outcomes. A good example of the mental connections people make between concepts is found in word association. For example, you say email, someone else thinks of spam. You say security awareness training, they think of ...

Saying What You Mean

November 01, 2014 | Blog, Risk Psychology

It’s been a bad month for marketing claims. Red Bull have agreed to pay $13 million to settle a lawsuit and “avoid the cost and distraction of litigation”. Apparently, while drinking Red Bull might make you feel like you’re flying it doesn’t actually give you wings. Privacy provider Whisper advertised itself as “a safe place for our users to anonymously share their innermost thoughts, secrets, and feelings”. Despite claiming that it doesn’t track IP addresses or geolocation data, it’s alleged that Whisper actually tracks both…and…wait for it…shares it ...

Comprehensive versus Comprehension

October 01, 2014 | Blog, Risk Compensation, Security Metrics

I had a very strange encounter with a PCI auditor recently. On viewing my client’s security awareness portfolio he refused to sign it off as meeting PCI requirements because it didn’t cover ‘everything’. It got me thinking. There are two schools of thought when it comes to communicating risk. The first is the comprehensive approach where all the facts are presented. As part of this mindset, most organisations require their staff to read and agree to a security policy which is usually long and written in formal, contractual language. ...