Home to Geordie Stewart's blog on information security awareness, risk communication and security ethics.

Risk Intelligence
Information Security Awareness


About this blog

Martin Luther King said ‘I have a dream’, not ‘I have a plan’

– Simon Sinek

Engaging end users using marketing, psychology and safety theory.

Popular posts

Getting Permission To Use HaveIBeenPwned From Your Legal Dept
4th April 2018
The Craziest Information Security Stories of 2017
4th January 2018
Rumor Has IT: How Fake News Damages Cyber Security
7th June 2017
The Craziest Information Security Stories Of 2016
11th February 2017

About Geordie Stewart

Geordie Stewart, MSc, CISSP, is an international speaker and keen innovator in the area of technology risk communication.

His award winning masters thesis at the Royal Holloway Information Security Group examined information security awareness from a fresh perspective as a marketing and communications challenge. In his regular speaking appearances at international information security conferences such as RSA, ISACA and ISSA he challenges conventional thinking on risk culture and communication.

In addition to senior security management roles in large UK organisations Geordie writes the security awareness column for the ISSA international journal.


Awareness Blog

1 November 2014

Saying What You Mean

It’s been a bad month for marketing claims. Red Bull have agreed to pay $13 million to settle a lawsuit and “avoid the cost and distraction of litigation”. Apparently, while drinking Red Bull might make you feel like you’re flying, it doesn’t actually give you wings. Privacy provider Whisper advertised itself as “a safe place for our users to anonymously share their innermost thoughts, secrets, and feelings”. Despite claiming that it doesn’t track IP addresses or geolocation data, it’s alleged that Whisper actually tracks both…and…wait for it…shares it with the US Department of Defence. So your ‘innermost thoughts’ shared with your date from the Russian consulate are sure to be private. As long as you re-define the word private to include half a million contractors across five countries. Much of the controversy isn’t over the fact that internet communications will always be attributable to some extent, it’s that Whisper claimed otherwise and in doing so appears to have misrepresented their product. Just like the Snowden revelations, we’re again squabbling over the meaning of words like identity, content and

Categories: Blog, Security Awareness. By Geordie.

1 October 2014

Comprehensive versus Comprehension

I had a very strange encounter with a PCI auditor recently. On viewing my client’s security awareness portfolio he refused to sign it off as meeting PCI requirements because it didn’t cover ‘everything’. It got me thinking. There are two schools of thought when it comes to communicating risk. The first is the comprehensive approach, where all the facts are presented. As part of this mindset, most organisations require their staff to read and agree to a security policy which is usually long and written in formal, contractual language. The majority of employees probably only skim their security policies, and even if they did read them in full, would they understand them? Information security can be difficult to understand at the best of times without adding the additional complexity of overly formal and legalese phrasing. The Pareto Principle, or 80/20 rule, suggests that only a small percentage of content really matters, but the comprehensive approach usually means hiding it

Categories: Blog, Mental Models, Privacy, Security Awareness. By Geordie.

1 August 2014

Making Fun of Security

Information security awareness is about marketing a message in a way that has a positive impact on the audience. The message needs to either alter people’s perceptions of risk, help people understand cause and effect, or motivate them to control risks. The marketing industry has been doing this for years and is arguably the expert in ‘selling’ behavioural change. The first rule of marketing is that you need to attract and hold the interest of your audience. To do this reliably, a message needs to have emotional affect. Advertisements can make people laugh by showing a man in a gorilla suit playing the drums. Or, advertisements can make people feel guilty about children in Africa. Or envy, by wanting to imitate the dress style of an idol. Usually though, it’s humour which has long been a stock standard way of attracting attention to a message. Most advertisement humour is on a level with awkward dad-dancing, but somehow it works. Do you recall a marketing message that made you happy? Maybe you emailed a link to your friends because

Categories: Blog, Security Awareness. By Geordie.

1 July 2014

The Power of Stories

Some of the greatest advances of human civilization are normalized over time and are eventually seen as ordinary. Fire, electricity and the combustion engine all revolutionized human existence but are no longer seen as exceptional. Another significant advance which is largely taken for granted is language. That is, our ability to communicate and share experiences outside of our immediate existence. The ability to communicate has meant that we don’t have to personally suffer from a hazard to be wary of it. It has also meant that we can pre-equip people with expectations of social norms without having to personally violate each social norm in turn in order to understand it. One of us was impacted by a threat or transgressed a social norm and then shared the experience, either through oral traditions or through writing. A good example of this is the traditional fairy tales which are told to children from a young age. Through these stories, children learn about dangers such as strangers, and moral lessons to help them understand right and wrong. For example, children learn that going into someone else’s house and testing the temperature of breakfast dishes and the softness of chairs without permission is likely to result in an unpleasant confrontation. What better way to get a child’s attention than a story about a confrontation with household occupants who are both angry and bears?

Categories: Blog, Security Awareness. By Geordie.

9 May 2014

Where NIST SP800-50 Went Wrong

The National Institute of Standards and Technology (NIST) is updating 800-16 (A Role-Based Model for Federal Information Technology/Cybersecurity Training). Many will be familiar with NIST 800-50 (Building an Information Technology Security Awareness and Training Program) which was published in 2003 and has aged badly. In many regards, the problems with 800-50 stem from how the security…

Categories: Blog, Security Awareness, Security Metrics. By Geordie.

9 April 2014

Information Security Policies

A good information security policy is normally the starting point when promoting security awareness. However, organizations often implement policies in very different ways. Surprisingly, despite security policies being common practice for decades, we still have trouble agreeing what a good security policy looks like. Too long, too short, too dictatorial, too polite. It’s a subject…

Categories: Blog, Security Awareness. By Geordie.

Copyright © 2015 Risk Intelligence Ltd.