Martin Luther King said ‘I have a dream’, not ‘I have a plan’
– Simon Sinek
Engaging end users using marketing, psychology and safety theory.
About Geordie Stewart
His award winning masters thesis at the Royal Holloway Information Security Group examined information security awareness from a fresh perspective as a marketing and communications challenge. In his regular speaking appearances at international information security conferences such as RSA, ISACA and ISSA he challenges conventional thinking on risk culture and communication.
In addition to senior security management roles in large UK organisations Geordie writes the security awareness column for the ISSA international journal.
Information security awareness is about marketing a message in a way that has a positive impact on the audience. The message needs to either alter people’s perceptions of risk, help people understand cause and effect or motivate them to control risks. The marketing industry has been doing this for years and are arguably the experts in ‘selling’ behavioural change. The first rule of marketing is that you need to attract and hold the interest of your audience. To do this reliably, a message needs to have emotional affect. Advertisements can make people laugh by showing a man in a gorilla suit playing the drums. Or, advertisements can make people feel guilty about children in Africa. Or envy by wanting to imitate the dress style of an idol. Usually though, it’s humour which has long been a stock standard way of attracting attention to a message. Most advertisement humour is on a level with awkward dad-dancing but somehow it works. Do you recall a marketing message that made you happy? Maybe you emailed a link to your friends becauseDetails
Some of the greatest advances of human civilization are normalized over time and are eventually seen as ordinary. Fire, electricity and the combustion engine all revolutionized human existence but are no longer seen as exceptional. Another significant advance which is largely taken for granted is language. That is, our ability to communicate and share experiences outside of our immediate existence. The ability to communicate has meant that we don’t have to personally suffer from a hazard to be wary of it. It’s also mean that we can pre-equip people with expectations of social norms without having to personally violate each social norm in turn in order to understand it. One of us was impacted from a threat or transgressed a social norm and then shared the experience either through oral traditions or through writing. A good example of this is the traditional fairy tales which are told to children from a young age. Through these stories, children learn about dangers such as strangers and moral lessons to help them understand right and wrong. For example, children learn that going into someone else’s house and testing the temperature of breakfast dishes and the softness of chairs without permission is likely to result in an unpleasant confrontation. What better way to get a child’s attention than a story about a confrontation with household occupants who are both angry and bears?Details
The National Institute of Standards and Technology (NIST) is updating 800-16 (A Role-Based Model for Federal Information Technology/Cybersecurity Training). Many will be familiar with NIST 800-50 (Building an Information Technology Security Awareness and Training Program) which was published in 2003 and has aged badly. In many regards, the problems with 800-50 stem from how the security…Details
A good information security policy is normally the starting point when promoting security awareness. However, organizations often implement policies in very different ways. Surprisingly, despite security polices being common practice for decades, we still have trouble agreeing what a good security policy looks like. Too long, too short, too dictatorial, too polite. It’s a subject…Details
Have security professionals helped make the privacy of citizens around the world ‘collateral damage’ in the hunt for terrorists?
Due to Edward Snowden’s disclosures we are now aware that millions of people have been unwittingly monitored by systems of indiscriminate surveillance. Many of these systems, having been developed in secret, were only possible due to the support of a large number of security professionals. We can suppose that the creators and operators of these systems are attempting to achieve legitimate objectives on behalf of their respective societies. What is less clear is if these systems do more harm than good or if the costs and risks of these activities have been fully understood, let alone accepted by the societies that bear the costs. Do the costs and potential harms of indiscriminate systems outweigh the benefits? Has privacy been compromised without due cause? If so, is it ethical for security professionals to support such systems?Details
Why do people ignore security warnings? Why do they pay attention to some advice but ignore others? Why are spammers and phishers apparently so good at getting people’s attention? Over the course of each day, we often receive dozens of warnings. We’re told that web sites are using untrusted certificates, that downloads might harm our computers and that scripts may be unsafe. We’re so used to these warnings that we hardly even notice them anymore. But what makes an effective warning message? Why do people stop and consider some messages but happily ignore others?Details