Home to Geordie Stewart's blog on information security awareness, risk communication and security ethics.

Risk Intelligence
Information Security Awareness


About this blog

Martin Luther King said ‘I have a dream’, not ‘I have a plan’

– Simon Sinek

Engaging end users using marketing, psychology and safety theory.

Popular posts

Getting Permission To Use HaveIBeenPwned From Your Legal Dept
4th April 2018
The Craziest Information Security Stories of 2017
4th January 2018
Rumor Has IT: How Fake News Damages Cyber Security
7th June 2017
The Craziest Information Security Stories Of 2016
11th February 2017

About Geordie Stewart

Geordie Stewart, MSc, CISSP, is an international speaker and keen innovator in the area of technology risk communication.

His award-winning master's thesis at the Royal Holloway Information Security Group examined information security awareness from a fresh perspective, as a marketing and communications challenge. In his regular speaking appearances at international information security conferences such as RSA, ISACA and ISSA he challenges conventional thinking on risk culture and communication.

In addition to holding senior security management roles in large UK organisations, Geordie writes the security awareness column for the ISSA international journal.


Awareness Blog

11 March 2014

The Ethics of Indiscriminate Surveillance

Have security professionals helped make the privacy of citizens around the world ‘collateral damage’ in the hunt for terrorists?

Due to Edward Snowden's disclosures we are now aware that millions of people have been unwittingly monitored by systems of indiscriminate surveillance. Many of these systems, having been developed in secret, were only possible due to the support of a large number of security professionals. We can suppose that the creators and operators of these systems are attempting to achieve legitimate objectives on behalf of their respective societies. What is less clear is whether these systems do more harm than good, or whether the costs and risks of these activities have been fully understood, let alone accepted, by the societies that bear them. Do the costs and potential harms of indiscriminate systems outweigh the benefits? Has privacy been compromised without due cause? If so, is it ethical for security professionals to support such systems?

Categories: Blog, Privacy, Surveillance, Trust. By Geordie.

3 February 2014

Warning: Don’t Read This

Why do people ignore security warnings? Why do they pay attention to some advice but ignore others? Why are spammers and phishers apparently so good at getting people’s attention? Over the course of each day, we often receive dozens of warnings. We’re told that web sites are using untrusted certificates, that downloads might harm our computers and that scripts may be unsafe. We’re so used to these warnings that we hardly even notice them anymore. But what makes an effective warning message? Why do people stop and consider some messages but happily ignore others?

Categories: Blog, Risk Psychology, Security Awareness. By Geordie.

1 January 2014

Personas For Security Awareness

Large-scale awareness programs can be challenging, with so many topics to cover, so many different communication options and such varied audiences to consider. Your communication efforts will also be competing with background noise. Every day, people are bombarded with advice: exercise more, eat more greens and don't click on dodgy links. The question is how you can make the most of the limited time and attention available. The Pareto Principle, also known as the 80/20 rule, proposes that 80% of consequences come from 20% of causes. Applied to security awareness, it implies that 80% of the risk comes from 20% of the topics. The problem is knowing which 20% of users and content this applies to.

Categories: Blog, Mental Models, Security Awareness, Security Economics. By Geordie.

16 December 2013

The Importance of Executive Support

Senior management support is often mentioned as critical to the success of an information security awareness campaign. There are a number of reasons for this. Firstly, senior management help direct the usage of resources within the organization. Without their support you won't get much of a training budget or permission to take staff away from productive duties, and you might even struggle to get a room booking. Secondly, managers set the tone for behavior in the organization, and it's common for staff to imitate their manager: they often dress like their managers, and they behave like them too. Do your managers scoff that 'the rules' are for everyone else? Do they assume training is only for the IT-illiterate and so don't bother to show up? The bad news is that many of your staff will copy these behaviors.

Categories: Blog, Risk Psychology, Security Awareness, Security Economics, Security Metrics. By Geordie.

16 November 2013

If You See Something, NSA Something

A common objective of information security awareness is to encourage whistleblowers to use internal mechanisms to report their concerns. External whistleblowing, and the airing of concerns in public view, risks brand damage and exposure of sensitive information. The Snowden affair has shown how divided we are on the ethics of external whistleblowing. To date, much of the debate has been speculation about Snowden's character flaws. Sometimes, when trying to understand a controversial decision such as Snowden's, it helps to understand the chain of events leading up to the decision, since failures in complex systems can rarely be done justice in a single news bite. In this case there was a series of failures that occurred before the employee of a subcontractor decided to flee the country and leak sensitive information to foreign journalists:

Categories: Blog, Privacy, Risk Psychology, Security Awareness, Surveillance, Trust. By Geordie.

16 October 2013

Uncle Sam Needs Your Trust

Trust is an incredibly important concept in information security and a vital component of influencing an audience. We know from safety risk communication research that it's not enough to be an expert in your field. It's not enough to be correct. You also need to be trusted by your audience; otherwise your level of influence will be reduced and people may decide to act in ways that challenge your mission objectives.

When I wrote the July column as satire, imagining what a GCHQ letter to a supportive member of the public might look like, I was poking fun at the unrealistic expectations about our intelligence services that were being perpetuated: that as 'big brother' they knew better and were always looking out for our best interests. I recognize now that what I was also doing was challenging the notion that intelligence services innately deserve a high level of trust.

Categories: Blog, Privacy, Security Awareness, Surveillance, Trust. By Geordie.

Copyright © 2015 Risk Intelligence Ltd.