Royal Holloway eBook Series:

Making security awareness programmes more effective

21 Jun 2009


Mention security awareness to most professionals and their eyes start to glaze over.

They will tell you users are a problem, but few apply any real effort to communicate the security message out to their users in a way that is likely to be well accepted and properly adopted. We need some new thinking on the subject.

Two people who have been looking at the problem are Geordie Stewart and John Austen, who believe we could learn a great deal by looking at two other disciplines – marketing and psychology – when setting up a security awareness programme.

These ideas are outlined in a major article published on SearchSecurity.co.uk called Maximising the Effectiveness of Information Security Awareness (see below for .pdf).

"Not only is the promotion of awareness a costly and difficult venture, but the link between awareness and change in behaviour has been shown to be weak," the authors say. "At a personal level we are bombarded on a daily basis to give up smoking, stop speeding and lose weight—if these messages are routinely ignored why should information security messages be any different?"

They argue that research in psychology shows that an over-reliance on fear and punishment can be counter-productive when trying to alter user behaviour. If users are nervous, they tend to make mistakes.

They also recommend a more targeted approach to getting messages across, tailoring the message to the individual using many of the techniques of a direct marketing campaign.

The article is part of our 2009 series featuring the best new MSc theses from graduates of the information security group at Royal Holloway University of London (RHUL).

The article provides some original insight into the problem, as well as practical guidance on how to implement a successful awareness programme and how to measure its effectiveness.

As the authors point out, solid metrics are essential in order to make a good business case.

Read Maximising the Effectiveness of Information Security Awareness (.pdf) by Geordie Stewart and John Austen.

SearchSecurity's association with RHUL began last year when we published 12 articles from RHUL's MSc graduates. These were widely appreciated for their new ideas and relevance to security problems. We believe the 2009 series is equally wide-ranging and thought-provoking.



