We’re struggling to manage cyber security risk. Partly it’s because attackers are more agile than defenders. But it’s also because we struggle to get accurate information to make good risk management decisions. To make good risk management decisions we need to understand who the threat actors are, their capabilities, how likely it is that we…
I’m really looking forward to RSA Europe 2012 next week where I’ll be taking part in a debate about whether or not organisations should train their staff in security awareness. It is being organised by Acumin and the RANT community. Participating with me will be: Christian Toon, European Head of Information Risk, Iron Mountain Europe; Thom Langford, Director Global Security…
It was a children’s birthday party. He cried and whinged and pleaded with tears streaming down his face. For about 2 minutes his mother said no, but eventually she pulled a chocolate biscuit from her bag and gave it to him before turning to me and saying “I just don’t know why he cries so much”. Operant Conditioning is a phrase coined by BF Skinner that many security awareness professionals may not have heard before. Broadly, it means that ‘behaviour is a function of its consequences’. If the consequence of a behaviour is positive then there is a chance of increasing the magnitude or likelihood of that behaviour. Conversely, negative consequences have the opposite effect.
My young friend at the birthday party had been trained to whinge and cry because he had been regularly rewarded with a treat for doing so. Just as rewards and punishments influence children’s behaviour, they are also an important factor in governance, risk and compliance. However, there are interesting quirks of rewards and punishments that need to be understood by anyone trying to influence behaviour.
Dear Michael Burgess of Tunbridge Wells in the UK, we in GCHQ read with interest your recent letter to the Guardian newspaper in which you state that you’re not bothered if the Government knows what web sites you’ve been visiting. It is refreshing, sir (and we know you are, from the scanners at Heathrow airport), to find a true patriot who welcomes the state’s determination to know everything about everyone. Corporate security awareness programs have been advising for years that personal privacy is something that can’t be ‘fixed’ once lost, so your willingness to permanently surrender your privacy (and the privacy of anyone you communicate with) is appreciated.
There’s an on-going battle to influence public opinion about the balance between privacy and surveillance. Law enforcement officials tell us we’re in danger. Security experts offer commentary. A movie is coming out about Snowden. Some participants in the debate are trying to help inform the public. Others are polluting the debate by cynically exploiting people’s…
Large scale awareness programs can be challenging with so many topics to cover, so many different communication options and such varied audiences to consider. Also, your communication efforts will be competing with background noise. Every day, people are bombarded with advice. Exercise more, eat more greens and don’t click on dodgy links. The question is how you can make the most of the limited time and attention available. The Pareto Principle, also known as the 80/20 rule, proposes that 80% of consequences come from 20% of causes. If we apply this to security awareness it implies that 80% of the risk comes from 20% of topics. The problem is in knowing which 20% of users and content this applies to.
Many of you will be familiar with the footage of Ian Tomlinson apparently being struck by a Metropolitan Police Officer in London on the day of the G20 protests. After the footage was aired, senior members of the Met Police were quick to promote the narrative of a “bad apple”. They pointed out that the Met Police is an organisation which includes some 50,000 people.
You have to have some sympathy for the police. They do a difficult job. The problem with the bad apple narrative is the video footage of the incident. Although the attack on Ian Tomlinson took place immediately in front of at least three other members of the Met Police, none of them appear concerned enough to go to the aid of Tomlinson. Neither are they seen to remonstrate with their colleague.
In our efforts to promote secure behaviour, our task is often made more difficult by the fact that the people we need to influence are often not the same people who would suffer in the event of a security breach. Typically, the people who would suffer most in the event of a breach are…
One of the problems with the current approach to information security awareness is that methodologies such as ENISA are detailed about the logistics of planning security awareness but don’t have much to say about the content of security awareness.
So, how would you determine what information an audience needs to know so that they can manage the risks they face? Mental models offer a structured way of approaching risk communications rather than just “broadcasting facts”.
A mental model is a pattern of understanding held by an individual. It consists of the beliefs they hold, the strength of those beliefs and the connections between those beliefs. Safety experts note that when risk communication takes place the audience will have some degree of pre-existing knowledge which forms their mental model:
“…for most risks, people have at least some relevant beliefs, which they will use in interpreting the communication. They may have heard some things about the risk in question. It may remind them of related phenomena.” (Morgan et al 2002)
Information security awareness is about marketing a message in a way that has a positive impact on the audience. The message needs to either alter people’s perceptions of risk, help people understand cause and effect or motivate them to control risks. The marketing industry has been doing this for years and is arguably the expert in ‘selling’ behavioural change. The first rule of marketing is that you need to attract and hold the interest of your audience. To do this reliably, a message needs to have emotional affect. Advertisements can make people laugh by showing a man in a gorilla suit playing the drums. Or, advertisements can make people feel guilty about children in Africa. Or envious, by making them want to imitate the dress style of an idol. Usually though, it’s humour which has long been a stock standard way of attracting attention to a message. Most advertisement humour is on a level with awkward dad-dancing but somehow it works. Do you recall a marketing message that made you happy? Maybe you emailed a link to your friends because…