Why security is in denial about awareness
Security awareness columnist Geordie Stewart explains why refusal to acknowledge legitimate criticisms of information security awareness puts users at risk
By Geordie Stewart
April 22, 2013, CSO
Denial has two meanings. It can refer to the refuting of an allegation or assertion. It can also refer to a psychological defense mechanism where criticisms are rejected because they are uncomfortable, despite evidence to the contrary. How a professional group responds to criticism tells you a lot about their ability to evolve and improve.
The awareness practitioner response to criticism of security awareness has been fascinating. In "Why you shouldn't train employees for security awareness," Immunity Inc.'s Dave Aitel outlines the reasons why he thinks money spent on security awareness training is money wasted. In response to that article, there have been rebuttals, such as Ira Winkler's "Security awareness can be the most cost-effective security measure." There has also been an attempt to explain that bad security awareness techniques are all in the past. However, key points have been missed in the scramble to pick peripheral holes in the criticisms of awareness.
In his blog, Schneier on Security, Bruce Schneier states that security awareness is generally a waste of time. Since there's still a majority who think that awareness campaigns are about locking people in a room for an hour and putting up a few posters, Schneier is probably right.
At the heart of this debate is a fundamental question: While many would agree that information security awareness techniques need to improve, are we talking about a few tweaks or a complete overhaul? If security awareness is all about changing behavior, why don't security awareness tools and processes look anything like those of other, more mature industries that take behavioral change seriously?
Compared to other industries, the information security awareness approach to behavioral influence is an embarrassingly amateur affair. In fields such as public health and marketing, there are experts who have spent decades studying behavioral influence, testing their assumptions and making systematic improvements to their methods. The approach in these fields has led to a heavy emphasis on audience research. Why did you buy that particular product and not another? What thought processes were you following when you plugged that in? They go beyond the 'what' of behavior and seek to understand the 'why'. In contrast, information security professionals persist with the delusion that they can manage the what without understanding the why.
Many ways exist to systematically understand the why of an audience. Web designers commonly use personas. Safety risk communicators have mental models. Information security folk models have also been proposed. The reality is that people have rules of thumb that they use to make decisions, such as: Is it growling and showing its teeth? Then I'm not going to pat it. Folk models are just a way of encapsulating these decision-making processes.