As the concept of "security awareness" makes an awkward shift from relegated compliance cost to front and center discussion on how to influence behavior change in organizations, it's important to consider what "awareness" is in order to improve our outcomes.
One of the principal challenges is how the term "security awareness" is used and what people expect from security awareness.
In the security industry, this concept is poorly defined, goes by many misleading terms, and creates confusion by working against recognized concepts of awareness in other fields.
Whether called "security awareness," "cyber awareness," "security awareness training," or the clever "security awareness and training," the nomenclature causes confusion. Some seek to sidestep the confusion by focusing on education. I think that's a good idea, but I have a different suggestion (more on that in a future post).
One of the things I've experienced in the last two decades of information security is that when something is not understood, it has no value. Things that are obligatory but misunderstood, and therefore seen as having little value, go unfunded. As a result, people don't care.
When it comes to "security awareness," somehow the centuries-old concept of "awareness" was hijacked from its meaning to signify something different. A few months ago, I started practicing yoga. Awareness is a key concept in yoga.
Here's the thing: awareness in yoga, especially for someone new (like me), means only that I realize something. First and foremost, it doesn't mean I understand. Initially, it is a realization. Further, awareness -- with or without understanding -- doesn't mean that I know what to do about it, or even if I should do anything about it.
Awareness is awareness. Awareness is the realization. Nothing more.
It's the same in security as it is in yoga or any other pursuit. What changes is the focus. By adding the word "security" to the front, the focus is on gaining awareness of security-related activities, largely on a personal basis.
As explained before (Security Awareness Roundtable and Why the definition of security awareness matters), I see it as the individual realization of the impact of an action (or decision). I used to focus on consequences, but now consider impact to be more potent and direct. Impact can be positive, negative, or neutral. It's not always bad.
When it comes to security awareness, then, it's the realization of the security impact of an action or decision. If it's positive, we hope to reinforce it. And if not, then perhaps we can work with a series of "modifications" to change it (process, technology, and/or behavioral).
It's why I wrinkle my face when someone talks about "security awareness training." I see little utility in training someone how to be aware with a sole focus on security. I realize a large portion of the industry considers "security awareness" to signify action.
But it doesn't. It's nuanced, but not complicated.
When we're clear on what awareness is, we can start to use it as the trigger to change behaviors. More on that here.