Home to Geordie Stewart's blog on information security awareness, risk communication and security ethics.

Risk Intelligence
Information Security Awareness

Rumor Has IT: How Fake News Damages Cyber Security

We’re struggling to manage cyber security risk. Partly it’s because attackers are more agile than defenders. But it’s also because we struggle to get accurate information to make good risk management decisions. To make good risk management decisions we need to understand who the threat actors are, their capabilities, how likely it is that we…

7th June 2017 | Blog, Risk Psychology, Security Awareness, Trust | By Geordie

Criminals and Moral Codes

Should we try to reason with criminals? Is the threat of punishment the only influence that criminals will respond to? What should we do when we suspect people are taking data with them when they leave a company, leaking to the competition or stealing equipment from the office but can’t prove it? As well as…

1st July 2015 | Blog, Mental Models, Risk Psychology, Security Awareness | By Geordie

Moral Hazard

In our efforts to promote secure behaviour, our task is often made more difficult by the fact that the people we need to influence are not the same people who would suffer in the event of a security breach. Typically, the people who would suffer most in the event of a breach are…

6th June 2015 | Blog, Risk Psychology, Security Awareness, Security Economics | By Geordie

Surveillance, Security Professionals and Small Fish Thinking

Most people have no idea of the dozens of ways that their information could be used to cause them harm. As security professionals, we try to raise awareness that all information and computers have an intrinsic value. That no matter how small or trivial, someone out there would like to steal it, leak it or…

6th April 2015 | Blog, Risk Psychology, Surveillance | By Geordie

The ABC’s of Security Behavioral Influence

So you’re an IT geek and you’ve just been put in charge of your organisation’s security awareness? If only there was a manual or a white paper about how to program those tricky humans to be more reliable. Unfortunately, there’s no such batch job as fix_humans. The next best thing is to build your understanding…

6th March 2015 | Blog, Risk Psychology, Security Awareness | By Geordie

Leveraging Existing Audience Beliefs

When it comes to security awareness, there’s no such thing as a blank canvas. Your audience will already have pre-conceived notions about your topic. The language, tone and media you use will invoke associations in people’s mind, both helpful and unhelpful. These associations will influence how people view the root causes, likelihood and potential outcomes.…

4th December 2014 | Blog, Mental Models, Risk Psychology, Safety, Security Awareness | By Geordie

Warning: Don’t Read This

Why do people ignore security warnings? Why do they pay attention to some advice but ignore others? Why are spammers and phishers apparently so good at getting people’s attention? Over the course of each day, we often receive dozens of warnings. We’re told that web sites are using untrusted certificates, that downloads might harm our computers and that scripts may be unsafe. We’re so used to these warnings that we hardly even notice them anymore. But what makes an effective warning message? Why do people stop and consider some messages but happily ignore others?

3rd February 2014 | Blog, Risk Psychology, Security Awareness | By Geordie

The Importance of Executive Support

Senior management support is something often mentioned as critical to the success of an information security awareness campaign. There are a number of reasons for this. Firstly, senior management help direct the usage of resources within the organization. Without their support, you won’t get much of a training budget or permission to take staff away from productive duties, and you might even struggle to get a room booking. Secondly, managers set the tone for behavior in the organization and it’s common for staff to imitate their manager. This shows in the way staff dress like their managers and also in the way they behave like them. Do your managers scoff that ‘the rules’ are for everyone else, or that training is only for the IT-illiterate, and not bother to show up? The bad news is that many of your staff will copy these behaviors.

16th December 2013 | Blog, Risk Psychology, Security Awareness, Security Economics, Security Metrics | By Geordie

If You See Something, NSA Something

A common objective of information security awareness is to encourage whistleblowers to use internal mechanisms to report their concerns. External whistleblowing and the airing of concerns in public view risk brand damage and exposure of sensitive information. The Snowden affair has shown how divided we are on the ethics of external whistleblowing. To date, much of the debate has been speculation about Snowden’s character flaws. Sometimes, when trying to understand a controversial decision such as Snowden’s, it helps to understand the chain of events leading up to the decision, since failures in complex systems can rarely be done justice in a single newsbyte. In this case there is a series of failures that occurred before the employee of a subcontractor decided to flee the country and leak sensitive information to foreign journalists:

16th November 2013 | Blog, Privacy, Risk Psychology, Security Awareness, Surveillance, Trust | By Geordie

Information Security Culture

As I escorted him to his desk I became conscious that everyone was looking at me. I did all the usual self-checks of fly, food on face and freaky hair but came up negative on all counts. When someone had tailgated me through a secure door I had challenged them. Rather than leave them outside when they didn’t have their pass with them I offered to walk them to their desk. I found his manager who told me with an expression more serious than a budget facelift: ‘Yes, of course he works here – he’s hardly here for the view’. What I had encountered amongst the engineers at this small satellite office was a very different security culture than what I was used to with my head office, ivory tower view of the world. The culture that I had encountered worked on high levels of trust. They all trusted Dave so couldn’t understand why I didn’t (even though I’d never met him). I was less than a block from the head office of this organisation and yet the security culture was completely different. For me, the experience was an eye opener that effort is needed to understand not just if people are following security policy but the extent to which policy is reflected in security culture.

5th July 2013 | 1 Comment | Blog, Organisational Culture, Risk Psychology, Security Awareness | By Geordie
Recent Posts
  • Getting Permission To Use HaveIBeenPwned From Your Legal Dept
    4th April 2018
  • The Craziest Information Security Stories of 2017
    4th January 2018
  • Rumor Has IT: How Fake News Damages Cyber Security
    7th June 2017
  • The Craziest Information Security Stories Of 2016
    11th February 2017
Copyright © 2015 Risk Intelligence Ltd.