Home to Geordie Stewart's blog on information security awareness, risk communication and security ethics.

Risk Intelligence
Information Security Awareness

Where NIST SP800-50 Went Wrong

The National Institute of Standards and Technology (NIST) is updating 800-16 (A Role-Based Model for Federal Information Technology/Cybersecurity Training). Many will be familiar with NIST 800-50 (Building an Information Technology Security Awareness and Training Program) which was published in 2003 and has aged badly. In many regards, the problems with 800-50 stem from how the security…

9th May 2014 | 1 Comment | Blog, Security Awareness, Security Metrics | By Geordie

Where Do Security Awareness Topics Come From?

I’m amazed at how many people are offering advice on what information security topics I should be deploying. They seem to know what training is needed despite having never met me or my beautiful users and not knowing anything about my organisation or its goals. There are plenty of top ten lists of awareness topics. Numerous generic training packages are available on the internet. I’ve got nothing against generic awareness materials or topic lists as such. In fact some of it is very professional and far better than individual organisations could create. While it might be easy to use someone else’s training package or use their list of recommended training topics, that doesn’t necessarily make it a good idea. I worry that we haven’t properly defined the problem that we’re trying to solve. If training material X is the solution, what was the problem?

16th August 2013 | Leave a comment | Blog, Security Awareness, Security Economics | By Geordie

What the TJ Hooper Case Means for Security Awareness

For those not familiar with the case, TJ Hooper was a landmark in tort law that established an important standard for negligence. The case was heard in 1932 to assign liability for a lost cargo. A tug towing the cargo on a barge had set to sea in good weather but later that night there…

1st October 2015 | Leave a comment | Blog, Security Awareness, Security Economics | By Geordie

Warning: Don’t Read This

Why do people ignore security warnings? Why do they pay attention to some advice but ignore others? Why are spammers and phishers apparently so good at getting people’s attention? Over the course of each day, we often receive dozens of warnings. We’re told that web sites are using untrusted certificates, that downloads might harm our computers and that scripts may be unsafe. We’re so used to these warnings that we hardly even notice them anymore. But what makes an effective warning message? Why do people stop and consider some messages but happily ignore others?

3rd February 2014 | Leave a comment | Blog, Risk Psychology, Security Awareness | By Geordie

Upcoming Articles / Presentations

We’re currently working on a research project to understand more about why people share passwords and how often it happens.

26th May 2011 | Leave a comment | Blog, Conferences | By rskadmin

Uncle Sam Needs Your Trust

Trust is an incredibly important concept in information security and a vital component of influencing an audience. We know from safety risk communication research that it’s not enough to be an expert in your field. It’s not enough to be correct. You also need to be trusted by your audience. Otherwise your level of influence will be reduced and people may decide to act in ways that challenge your mission objectives.

When I wrote the July column as satire imagining what a GCHQ letter to a supportive member of the public might look like I was poking fun at the unrealistic expectations about our intelligence services that were being perpetuated. That as ‘big brother’ they knew better and were always looking out for our best interests. I recognize now that what I was also doing was challenging the notion that intelligence services innately deserved a high level of trust.

16th October 2013 | Leave a comment | Blog, Privacy, Security Awareness, Surveillance, Trust | By Geordie

The Slippery Slope

Liu Tienan didn’t start out taking millions of dollars in bribes. His first bribe in 2002 was for three thousand dollars. Over time the bribes escalated. When he was caught in 2013 it’s estimated that he accepted nearly six million dollars for abusing his position as Deputy Head of China’s National Development and Reform Commission (NDRC). The…

2nd March 2016 | Leave a comment | Blog | By Geordie

The Security Culture Framework

Long suffering readers of this column will be familiar with the importance of security culture in driving behavioural change. This month I caught up with Kai Roer, founder of the Roer Group and author of Build a Security Culture. Kai has created a free resource called the Security Culture Framework and runs a blog at…

1st May 2015 | Leave a comment | Blog, Organisational Culture, Security Awareness | By Geordie

The Security Advice Magic Quadrant

The challenge of how we structure, analyse and select the security advice we deliver to end users has been a recurring topic in this column. We can’t provide unlimited advice to unlimited people, so we need to prioritise. Costs need to be understood. We need to consider not just the displacement of productive activities for…

3rd January 2016 | Leave a comment | Blog, Security Awareness | By Geordie

The Power of Stories

Some of the greatest advances of human civilization are normalized over time and are eventually seen as ordinary. Fire, electricity and the combustion engine all revolutionized human existence but are no longer seen as exceptional. Another significant advance which is largely taken for granted is language. That is, our ability to communicate and share experiences outside of our immediate existence. The ability to communicate has meant that we don’t have to personally suffer from a hazard to be wary of it. It also means that we can pre-equip people with expectations of social norms without having to personally violate each social norm in turn in order to understand it. One of us was impacted by a threat or transgressed a social norm and then shared the experience either through oral traditions or through writing. A good example of this is the traditional fairy tales which are told to children from a young age. Through these stories, children learn about dangers such as strangers and moral lessons to help them understand right and wrong. For example, children learn that going into someone else’s house and testing the temperature of breakfast dishes and the softness of chairs without permission is likely to result in an unpleasant confrontation. What better way to get a child’s attention than a story about a confrontation with household occupants who are both angry and bears?

1st July 2014 | Leave a comment | Blog, Security Awareness | By Geordie
Copyright © 2015 Risk Intelligence Ltd.