Home to Geordie Stewart's blog on information security awareness, risk communication and security ethics.


7 Habits of Highly Successful Security Policies

Security policies are a great opportunity to influence behaviour. Unfortunately, for a variety of reasons they’re not usually as effective as they could be. Despite our efforts to sell the value of information security, actually reading a policy is less popular than a fart on a plane. There’s a reason that a security policy has…

1st September 2015 | Blog, Security Awareness, Security Metrics | By Geordie

Angela’s Ashes: Exploding the Myth of Usable Security

This month I caught up with Angela Sasse, Professor of Human-Centred Technology in the Department of Computer Science at University College London, UK. She has had a huge impact on the field of usable security having worked in this field since 1996. Her background in psychology has enabled her to look at human security problems…

3rd July 2016 | Blog | By Geordie

Baby Steps

There’s great news in the quest for improving security awareness. Help is at hand from a new joint publication from the Research Institute in Science of Cyber Security (RISCS), Hewlett Packard Enterprise (HPE) and CESG – the UK government’s National Technical Authority for Information Assurance. Awareness Is Only The First Step is a superb précis of best…

1st February 2016 | Blog, Security Awareness | By Geordie

Bounded Rationality

Are humans rational? When we see computer users do silly things which place themselves or their information at risk it’s easy to take a view that people are illogical. The problem is that logic can’t be examined separately from perception.

There is significant debate within psychology literature as to the extent to which humans can be described as rational. Rationality is sometimes described as the ability for individuals to select the “best” option when confronted with a set of choices. The best option is also referred to as a “value maximising” option when the most benefit is obtained for the least expenditure of resources or exposure to risk.

The problem is that people routinely fail to select a “value maximising” option and exhibit apparently illogical behaviour. Commonly, an option mathematically modelled as the best choice by the technical experts isn’t the choice chosen by information system users when responding to risk.  

9th April 2011 | Blog, Risk Psychology, Security Economics | By rskadmin

Comprehensive versus Comprehension

I had a very strange encounter with a PCI auditor recently. On viewing my client’s security awareness portfolio he refused to sign it off as meeting PCI requirements because it didn’t cover ‘everything’. It got me thinking. There are two schools of thought when it comes to communicating risk. The first is the comprehensive approach where all the facts are presented. As part of this mindset, most organisations require their staff to read and agree to a security policy which is usually long and written in formal, contractual language. The majority of employees probably only skim their security policies and even if they did read them in full, would they understand them? Information security can be difficult to understand at the best of times without adding the additional complexity of overly formal and legalese phrasing. The Pareto Principle, or 80/20 rule, suggests that only a small percentage of content really matters but the comprehensive approach usually means hiding it

1st October 2014 | Blog, Mental Models, Privacy, Security Awareness | By Geordie

Criminals and Moral Codes

Should we try to reason with criminals? Is the threat of punishment the only influence that criminals will respond to? What should we do when we suspect people are taking data with them when they leave a company, leaking to the competition or stealing equipment from the office but can’t prove it? As well as…

1st July 2015 | Blog, Mental Models, Risk Psychology, Security Awareness | By Geordie

CyberStreetwise

Other than educational initiatives for schools, governments haven’t traditionally run large-scale security awareness campaigns directly to the public. This has changed in the United Kingdom with the introduction of the CyberStreetWise Campaign. CyberStreetWise is a cross-government campaign funded by the National Cyber Security Programme using the agency M&C Saatchi. The website features interactive security advice…

4th February 2015 | Blog, Security Awareness | By Geordie

Death by a Thousand Facts: Criticising the Technocratic Approach to Information Security Awareness

Recently I co-authored a paper “Death by a Thousand Facts” with David Lacey for the HAISA conference where we explored the nature of how technical experts choose what content is included in risk communications. A copy of the proceedings is available here. Basically, mainstream information security awareness techniques are failing to evolve at the same…

1st June 2011 | Blog, Mental Models, Organisational Culture, Security Economics | By rskadmin

Definition of Security Awareness

I’ve studied it for years, I’ve delivered it and I’ve even sat through it but I’m still not really sure what “it” is.

We talk about raising “security awareness” but what does that actually mean? The dictionary definitions I’ve seen commonly refer to awareness as a state of knowledge about risk. Thousands of articles and books have been written on increasing security awareness but very little time has been spent trying to define it.

The ISF Standard of Good Practice defines security awareness as “the extent to which staff understand the importance of information security, the level of security required by the organisation and their individual security responsibilities.” This seems like a reasonable definition but note that there is no behavioural component. People can (and do!) continue with unsafe behaviour despite their knowledge of the risks. Empirical evidence from outside of information security tells us that just knowing about a risk isn’t enough. Consider smokers and people who drive without using a seat belt. They’re surely all “aware” of the risks but somehow their behaviour continues.

5th March 2012 | Blog, Risk Psychology | By rskadmin

Dramatic Communications

I’m always genuinely excited to find someone doing something new in the field of security awareness. This month I caught up with Sarah Janes, Managing Director at Layer 8 Ltd. Sarah started her career running security awareness at British Telecom (BT) and has delivered award-winning behavioural change programmes to FTSE 100 companies. Her team…

2nd August 2015 | Blog, Organisational Culture, Security Awareness | By Geordie
Copyright © 2015 Risk Intelligence Ltd.