What is security awareness? It’s the ability to directly know and perceive, to feel, or to be cognisant of events. More broadly, it is the state of being conscious of something. Does that mean that security awareness is the consciousness of security threats and how to address them?
We often see organisations implementing Security Awareness programs to raise the awareness of their staff of the threats and how to address them. More often than not, these programs are implemented to address a compliance requirement. I hear customers comment that they are just doing Security Awareness to comply with ISO27001 or NIST.
This concerns me greatly as just doing security awareness to achieve a compliance tick doesn’t have real results. The results achieved by staff and management are usually minimal and hence doesn’t actually change their behaviour.
Ultimately, behavioural change is what is required.
Behaviour, as it pertains to Security Behaviour, is a complex matter. How people react to security threats, how they protect themselves, how they acknowledge the threats and undertake an active role within the community or workplace to protect themselves and the organisation.
What are the contributing factors to behaviour? Most people seem to believe that behaviour is controlled by raising awareness. Undertaking an awareness program to teach people what to look for and how to address it.
This probably won’t change the desired behaviour. It only assists the people who may have forgotten about what to do and reminds them. It doesn’t change behaviour for people with attitudinal issues.
Historically, we have seen more issues with attitude than with awareness.
Just because people know what to do, or have been made aware, it doesn’t necessarily mean that their behaviour will reflect this.
The attitudinal issues that will impact Security behaviour are:
- Aggressive – I don’t have time for this rubbish.
- Arrogant – I know what to do, you can’t tell me.
- Dishonest – Malicious intent – I want to cause damage!
- Distant – I am too busy.
- Hostile – I don’t want someone telling me what to do.
- Ignorance – It’s just a job to me.
- Indifferent – I just don’t care.
- Intolerant – Nothing seems to make a difference.
- Irresponsible – It’s not my problem.
- Pessimistic – What difference will it make?
- Prejudiced – We employ idiots, they can’t do anything right.
- Prideful – I already know better than they do.
- Salary – I’m not payed enough to care.
- Selfish – What’s in it for me?
- Skeptical – This won’t have any impact on my life.
- Suspicious – Why do they want me to do this?
- Thoughtless – It’s not my problem.
- Untrusting – I don’t trust the company to keep me safe.
How many times have you heard people respond with one of the above excuses?
The problem is not knowledge, but attitude. Understanding a person’s attitudinal issues and reluctance to actively participate in a security program can open up the success rate of these programs and subsequently reduce the risk of human error.