I’ve studied it for years, I’ve delivered it and I’ve even sat through it, but I’m still not really sure what “it” is.
We talk about raising “security awareness”, but what does that actually mean? The dictionary definitions I’ve seen commonly refer to awareness as a state of knowledge about risk. Thousands of articles and books have been written on increasing security awareness, but very little time has been spent trying to define it.
The ISF Standard of Good Practice defines security awareness as “the extent to which staff understand the importance of information security, the level of security required by the organisation and their individual security responsibilities.” This seems like a reasonable definition, but note that there is no behavioural component. People can (and do!) continue with unsafe behaviour despite their knowledge of the risks. Empirical evidence from outside information security tells us that just knowing about a risk isn’t enough. Consider smokers and people who drive without using a seat belt. They’re surely all “aware” of the risks, but somehow their behaviour continues.
When catching flights from London Heathrow I use a local taxi company, and each time I’m amazed that the drivers never wear their seatbelts. Apparently taxi drivers are exempt from legislation governing seatbelts. Last time I took a trip I quizzed the driver. How many accidents had he been in? “Three bad ones.” How many had he seen? “Too many, too many to count.” How many kids did he have? “Four.” And he wasn’t tempted to use his seatbelt? “No, because it’s not compulsory.”
Our definitions of security awareness seem to be limiting our ability to influence people. Some people need to know the facts; others need something more in order to adopt safe behaviour. If anyone’s got a better definition of security awareness which takes into account behavioural and cultural elements, I’d love to hear it. We seem to agree that training is the way to increase security awareness. If it can be increased, does that also mean it can be decreased? If so, what would those mechanisms be?
I should note that the ISF definition of security awareness then goes on to refer to security culture which is great because it implies group norms which can encourage secure behaviour. However, its first suggestion on how to create security culture is “compulsory attendance at security awareness training”. Seriously, the human race is doomed.