Well trained users can be one of the best defences against security breaches. But instilling good security practices among computer users who have other higher priorities – such as their main job – is often difficult to achieve.
A new article published in SearchSecurity.co.uk argues that many security awareness programmes fail because they rely on a top-down approach, telling users what they cannot do, rather than encouraging them to behave in a responsible way.
The article, written by Carlos Orozco Corona and John Austen (see below for .pdf), is part of our 2009 series featuring the best new MSc theses from graduates of the information security group at Royal Holloway University of London (RHUL).
Entitled 'Social and Behavioural Techniques to Boost Awareness' (see below for full .pdf), the article argues for a much more inclusive and co-operative approach to the development of awareness programmes.
Drawing heavily on research into social interaction and behaviour, the authors suggest that awareness programmes work best by first identifying those individuals within departments who are the main opinion leaders and best communicators.
Any new awareness campaign is then directed initially just at those people, who can be relied upon to discuss it with their colleagues and generally lay the foundations for a later message that goes out to all staff who, by this time, have been well primed to be more receptive.
The article provides detailed advice on how to go about an awareness campaign, and would be a useful guide for anyone charged with raising security awareness in an organisation.
Read Social and
Behavioural
Techniques to
Boost Awareness (.pdf) by Carlos Orozco Corona and John Austen.
SearchSecurity's association with RHUL began last year when we published 12 articles from RHUL's MSc graduates. These were widely appreciated for their new ideas and relevance to security problems. We believe the 2009 series is equally wide-ranging and thought-provoking.
