Home to Geordie Stewart's blog on information security awareness, risk communication and security ethics.

Risk IntelligenceRisk Intelligence
Risk Intelligence
Information Security Awareness
  • Home
  • About us
  • Services
  • Awareness Blog
  • Follow Us
  • Contact us
Menu back  
View allBlogConferencesFeaturedMental ModelsOrganisational CulturePrivacyRisk CompensationRisk PsychologySafetySecurity AwarenessSecurity EconomicsSecurity MetricsSurveillanceTrust
Date Name
DescAsc

Bounded Rationality

Are humans rational? When we see computer users to silly things which place themselves or their information at risk its easy to take a view that people are illogical. The problem is that logic can’t be examined separately from perception.

There is significant debate within psychology literature as to the extent to which humans can be described as rational. Rationality is sometimes described as the ability for individuals to select the “best” option when confronted with a set of choices. The best option is also referred to as a “value maximising” option when the most benefit is obtained for the least expenditure of resources or exposure to risk.

The problem is that people routinely fail to select a “value maximising” option and exhibit apparently illogical behaviour. Commonly, an option mathematically modelled as the best choice by the technical experts isn’t the choice chosen by information system users when responding to risk.  

Details
9th April 2011Leave a commentBlog, Risk Psychology, Security EconomicsBy rskadmin

Death by a Thousand Facts: Criticising the Technocratic Approach to Information Security Awareness

Recently I co-authored a paper “Death by a Thousand Facts” with David Lacey for the HAISA conference where we explored the nature of how technical experts choose what content is included in risk communications. A copy of the proceedings is available here. Basically, mainstream information security awareness techniques are failing to evolve at the same…

Details
1st June 2011Leave a commentBlog, Mental Models, Organisational Culture, Security EconomicsBy rskadmin

The Limits of Password Security Awareness

I’ve contributed a posting on password strengths as an engineering problem rather than an an awareness problem on the SANS Securing The Human Blog. There’s a great quote from “Evil Dave” that sums up the problem rather well: “Through 20 years of effort, we’ve sucesfully trained everyone to use passwords that are hard for humans to remember, but…

Details
30th July 2012Leave a commentBlog, Security EconomicsBy rskadmin
Sep62012

ISSA Security Awareness Column August 2012 – Security Satisficing

What if much of our security advice to users was a waste of their time? What if some of it actually made users worse off? These are bold words but stay with me and let’s see where this goes. There will be some maths on the journey but it will be worth it I promise. Let’s look at passwords as an example. Many thousands of pages of security policy have been generated on creating strong passwords. It’s one of the most common subjects for security awareness. More letters, more numbers, make it longer and put a special character in it. Actually, most passwords don’t need to be strong, they just need to be difficult to guess which isn’t the same thing. Cormac Herley points out that password strength no longer has the critical role in security that it used to. It’s largely irrelevant since most systems now control the rate of password guessing attempts. For example only allowing five attempts every 30 minutes. In this scenario, the difference between 7 character and 8 character passwords is negligible if the system limits a brute force attack to 240 attempts per day. Modern authentication systems are much more likely to be compromised by password database disclosures, password re-use and key-loggers. Complexity does not assist with managing any of these threats. For years we’ve been focused on complexity and as a result users come up with combinations like “Password1” which meet our complexity rules but don’t effectively mitigate their risks. We need to change. We need to stop talking about password complexity and start talking about password commonality. Potentially, we’re doing more harm than good by occupying valuable (and limited) attention spans with topics of marginal return. The risks have changed and our risk communication needs to reflect that.

Details
6th September 2012Leave a commentBlog, Security EconomicsBy rskadmin

RSA Europe 2012 Security Awareness Debate

I’m really looking forward to RSA Europe 2012 next week where I’ll be taking part in a debate about whether or not organisations should train their staff in security awareness. It is being organised by Acumin and the RANT community. Participating with me will be: Christian Toon, European Head of Information Risk, Iron Mountain Europe Thom Langford, Director Global Security…

Details
4th October 2012Leave a commentBlog, Security Economics, Security MetricsBy rskadmin
Mar112013

ISSA Security Awareness Column March 2013 – Lowering Security Awareness

We spend a lot of time talking about how to raise security awareness. We fill entire books, columns and conferences with it. However, anything that can go up must also go down. How about we turn the phrase on its head and ask what lowers security awareness? Just as there are behaviours that raise security awareness there are also some that lower security awareness. But what can we do about it? Name and shame was an important step in getting software vendors to deal with security vulnerabilities in their products. We should be equally critical when human vulnerabilities are created through the promotion of unsafe attitudes and behaviours. In this column I’m going to name and shame particularly egregious examples which I think reduces security awareness.

Details
11th March 2013Leave a commentBlog, Risk Compensation, Risk Psychology, Security Awareness, Security EconomicsBy Geordie
Aug162013

Where Do Security Awareness Topics Come From?

I’m amazed at how many people are offering advice on what information security topics I should be deploying. They seem to know what training is needed despite having never met me or my beautiful users and not knowing anything about my organisation or it’s goals. There are plenty of top ten lists of awareness topics. Numerous generic training packages are available on the internet. I’ve got nothing against generic awareness materials or topic lists as such. In fact some of it is very professional and far better than individual organisations could create. While it might be easy to use someone else’s training package or use their list of recommended training topics that doesn’t necessarily make it a good idea. I worry that we haven’t properly defined the problem that we’re trying to solve. If training material X is the solution, what was the problem?

Details
16th August 2013Leave a commentBlog, Security Awareness, Security EconomicsBy Geordie
Dec162013

The Importance of Executive Support

Senior management support® is something often mentioned as critical to the success of an information security awareness campaign. There are a number of reasons for this. Firstly, senior management help direct the usage of resources within the organization. Without their support, you won’t get much of a training budget, permission to take staff away from productive duties and you might even struggle to get a room booking. Secondly, managers set the tone for behavior in the organization and it’s common for staff to imitate their manager. This is often exhibited in the way they dress like their managers and also when they behave like their managers. Do your managers scoff that ‘the rules’ are for everyone else? That training is only for the IT-illiterate and don’t bother to show up? The bad news is that many of your staff will copy these behaviors.

Details
16th December 2013Leave a commentBlog, Risk Psychology, Security Awareness, Security Economics, Security MetricsBy Geordie
Jan12014

Personas For Security Awareness

Large scale awareness programs can be challenging with so many topics to cover, so many different communication options and such varied audiences to consider. Also, your communication efforts will be competing with background noise. Every day, people are bombarded with advice. Exercise more, eat more greens and don’t click on dodgy links. The question is how you can make the most of the limited time and attention available. The Pareto Principle, also known at the 80/20 rule, proposes that 80% of consequences come from 20% of causes. If we apply this to security awareness it implies that 80% of the risk comes from 20% of topics. The problem is in knowing which 20% of users and content this applies to.

Details
1st January 2014Leave a commentBlog, Mental Models, Security Awareness, Security EconomicsBy Geordie
Jun62015

Moral Hazard

In our efforts to promote secure behaviour, our task is often made more difficult by the fact that often the people we need to influence are often not the same people who would suffer in the event of a security breach. Typically, the people who would suffer most in the event of a breach are…

Details
6th June 2015Leave a commentBlog, Risk Psychology, Security Awareness, Security EconomicsBy Geordie
12
Next page
Recent Posts
  • Getting Permission To Use HaveIBeenPwned From Your Legal Dept
    4th April 2018
  • The Craziest Information Security Stories of 2017
    4th January 2018
  • Rumor Has IT: How Fake News Damages Cyber Security
    7th June 2017
  • The Craziest Information Security Stories Of 2016
    11th February 2017
Categories
  • Blog(61)
  • Conferences(2)
  • Featured(1)
  • Mental Models(9)
  • Organisational Culture(8)
  • Privacy(8)
  • Risk Compensation(2)
  • Risk Psychology(19)
  • Safety(4)
  • Security Awareness(38)
  • Security Economics(11)
  • Security Metrics(8)
  • Surveillance(8)
  • Trust(6)
Risk Intelligence
Copyright © 2015 Risk Intelligence Ltd.
  • Home
  • About us
  • Follow Us
  • Contact us
Footer