Awareness, security or otherwise, is an individual realization of impact (see proper understanding of awareness). Awareness does not require nor imply understanding. Awareness is the connection between an action/event and the impact, in context. That’s it.
As an industry, we get into trouble when suggesting security awareness is when people know and do the right things. It skips over important steps and creates false expectations. That leads to a whole host of challenges.
However, awareness can lead to behavior change. In fact, it’s the first part of the chain.
For example, as my awareness grows in my own yoga practice, my experience allows me to draw better and quicker connections to the impacts I feel. But even with my increased awareness and a general desire to push and challenge myself, I don’t always try new poses or progressions. Some things take a while before I try them. Further, even when I know the right action is to rest or modify, I don't always do it.
Awareness, by itself, isn’t enough.
Before I’m ready to trying something new, I naturally seek a better understanding. I also need a certain level of comfort -- the space, myself, the teacher, or some combination of factors -- before I’m ready to seek help, try something new, or learn a new pose/skill.
Whether learning a modification, a new pose, or asking deeper, broader questions to help me understand and advance my practice, awareness is the trigger that leads me to questions and learning.
How this works in Security Awareness
What people do as a result of awareness is often the expectation of security awareness programs. Falsely equating awareness with action entirely skips over understanding, experience, comfort, and ability. It creates unrealistic expectations of people and sets the stage for frustration and failure.
People trained and immersed in security and technology tend to possess a higher level of comfort and understanding of the actions required. They know what to do, and are more inclined to take action when aware of potential risks. This also tends to create an experience bias that others should understand and take similar action.
The reality is that people with other skills and experiences may not know what to do. They may be perfectly aware, but lack the understanding, comfort, or experience to take action in the context of the situation. Perhaps they’ve been conditioned that the security team will act. Maybe it seems safer to do nothing.
When a person fails to act, it doesn’t mean they aren’t aware or don’t care.
In fact, a common theme with my clients is the consensus among employees that security is important. They get that security matters, and they want to “do the right thing.”
The challenge is they don’t know what “doing the right thing” means.
Further, they express frustration at the lack of understanding. Security just doesn’t make sense. They have no clarity on what they are supposed to do. They seek better -- and more consistent -- guidance. And not just from the security team, but from their managers. Naturally, managers and executives feel the same frustrations and seek the same guidance.
It’s a cycle we have to break.
While awareness is essential to the process, it is not the sole answer.
Security awareness is the realization of impact on an individual level. It might not lead to any action. It entirely depends on if the person understands -- and feels comfortable -- taking the action in context.
Security awareness, done right, sets the stage for individuals to want to learn more. With the right program in place, that ultimately leads to behavior change.
While security awareness doesn’t mean what many people think it means, done properly, it sets the stage to change behaviors. That’s important. It just means setting proper expectations for what awareness can do.
It also means designing a different approach for awareness, putting program in place to guide awareness to understanding, and leading understanding to action. Done right, this not only changes behaviors, but improves the organization. More on that soon.