Home to Geordie Stewart's blog on information security awareness, risk communication and security ethics.

Risk IntelligenceRisk Intelligence
Risk Intelligence
Information Security Awareness
  • Home
  • About us
  • Services
  • Awareness Blog
  • Follow Us
  • Contact us
Menu back  

Criminals and Moral Codes

Rumor Has IT – Fake News and Cyber Security

Five Minutes With Lance Spitzner

Security Awareness Tips From A Social Engineer

The Craziest Information Security Stories of 2016

7 Habits of Highly Successful Security Policies

Keeping IT Simple

Polluting The Privacy Debate

About this blog

Martin Luther King said ‘I have a dream’, not ‘I have a plan’

– Simon Sinek

Engaging end users using marketing, psychology and safety theory.

Popular posts

Getting Permission To Use HaveIBeenPwned From Your Legal Dept
4th April 2018
The Craziest Information Security Stories of 2017
4th January 2018
Rumor Has IT: How Fake News Damages Cyber Security
7th June 2017
The Craziest Information Security Stories Of 2016
11th February 2017

About Geordie Stewart

Geordie Stewart, MSc, CISSP, is an international speaker and keen innovator in the area of technology risk communication.

His award winning masters thesis at the Royal Holloway Information Security Group examined information security awareness from a fresh perspective as a marketing and communications challenge. In his regular speaking appearances at international information security conferences such as RSA, ISACA and ISSA he challenges conventional thinking on risk culture and communication.

In addition to senior security management roles in large UK organisations Geordie writes the security awareness column for the ISSA international journal.

FacebookTwitterPinterestGoogle+Instagram

Awareness Blog

View allBlogConferencesFeaturedMental ModelsOrganisational CulturePrivacyRisk CompensationRisk PsychologySafetySecurity AwarenessSecurity EconomicsSecurity MetricsSurveillanceTrust
Oct12015

What the TJ Hooper Case Means for Security Awareness

For those not familiar with the case, TJ Hooper was a landmark in tort law that established an important standard for negligence. The case was heard in 1932 to assign liability for a lost cargo. A tug towing the cargo on a barge had set to sea in good weather but later that night there…

Details
Leave a commentBlog, Security Awareness, Security EconomicsBy Geordie
Jun62015

Moral Hazard

In our efforts to promote secure behaviour, our task is often made more difficult by the fact that often the people we need to influence are often not the same people who would suffer in the event of a security breach. Typically, the people who would suffer most in the event of a breach are…

Details
Leave a commentBlog, Risk Psychology, Security Awareness, Security EconomicsBy Geordie
Jan12014

Personas For Security Awareness

Large scale awareness programs can be challenging with so many topics to cover, so many different communication options and such varied audiences to consider. Also, your communication efforts will be competing with background noise. Every day, people are bombarded with advice. Exercise more, eat more greens and don’t click on dodgy links. The question is how you can make the most of the limited time and attention available. The Pareto Principle, also known at the 80/20 rule, proposes that 80% of consequences come from 20% of causes. If we apply this to security awareness it implies that 80% of the risk comes from 20% of topics. The problem is in knowing which 20% of users and content this applies to.

Details
Leave a commentBlog, Mental Models, Security Awareness, Security EconomicsBy Geordie
Dec162013

The Importance of Executive Support

Senior management support® is something often mentioned as critical to the success of an information security awareness campaign. There are a number of reasons for this. Firstly, senior management help direct the usage of resources within the organization. Without their support, you won’t get much of a training budget, permission to take staff away from productive duties and you might even struggle to get a room booking. Secondly, managers set the tone for behavior in the organization and it’s common for staff to imitate their manager. This is often exhibited in the way they dress like their managers and also when they behave like their managers. Do your managers scoff that ‘the rules’ are for everyone else? That training is only for the IT-illiterate and don’t bother to show up? The bad news is that many of your staff will copy these behaviors.

Details
Leave a commentBlog, Risk Psychology, Security Awareness, Security Economics, Security MetricsBy Geordie
Aug162013

Where Do Security Awareness Topics Come From?

I’m amazed at how many people are offering advice on what information security topics I should be deploying. They seem to know what training is needed despite having never met me or my beautiful users and not knowing anything about my organisation or it’s goals. There are plenty of top ten lists of awareness topics. Numerous generic training packages are available on the internet. I’ve got nothing against generic awareness materials or topic lists as such. In fact some of it is very professional and far better than individual organisations could create. While it might be easy to use someone else’s training package or use their list of recommended training topics that doesn’t necessarily make it a good idea. I worry that we haven’t properly defined the problem that we’re trying to solve. If training material X is the solution, what was the problem?

Details
Leave a commentBlog, Security Awareness, Security EconomicsBy Geordie
Mar112013

ISSA Security Awareness Column March 2013 – Lowering Security Awareness

We spend a lot of time talking about how to raise security awareness. We fill entire books, columns and conferences with it. However, anything that can go up must also go down. How about we turn the phrase on its head and ask what lowers security awareness? Just as there are behaviours that raise security awareness there are also some that lower security awareness. But what can we do about it? Name and shame was an important step in getting software vendors to deal with security vulnerabilities in their products. We should be equally critical when human vulnerabilities are created through the promotion of unsafe attitudes and behaviours. In this column I’m going to name and shame particularly egregious examples which I think reduces security awareness.

Details
Leave a commentBlog, Risk Compensation, Risk Psychology, Security Awareness, Security EconomicsBy Geordie
12
Next page
Risk Intelligence
Copyright © 2015 Risk Intelligence Ltd.
  • Home
  • About us
  • Follow Us
  • Contact us
Footer