Recently I co-authored a paper, “Death by a Thousand Facts”, with David Lacey for the HAISA conference, in which we explored how technical experts choose what content to include in risk communications. A copy of the proceedings is available here.
Basically, mainstream information security awareness techniques are failing to evolve at the same rate as automated technical security controls. Humans are increasingly seen as the weak link in information security defences and attackers are starting to prefer exploiting human factors such as greed, curiosity and respect for authority.
Problems with human behaviour in an information security context are assumed to be caused by a lack of facts available to the audience. Awareness is therefore largely treated as the broadcast of facts to an audience in the hope that behaviour improves. There is a tendency for technical experts in the field of information security to tell people what they think they ought to know (and may in fact already know). This “technocratic” view of risk communication is fundamentally flawed and has been strongly criticised by experts in safety risk communication as both ineffective and inefficient.
To improve the effectiveness and efficiency of security awareness techniques we need to look to safety risk communication, a mature discipline with objectives in common with ours. A critical feature of safety risk communication that is missing from the information security approach is a set of methodologies for systematically evaluating audience requirements. Future posts will explore how safety science can be leveraged to improve information security awareness.