Security awareness is not enough to stop people taking risks

Employees persistently do things they have been taught not to. Is there a better way?


“You mustn’t drive faster than the speed limit for the type of road and your type of vehicle. The speed limit is the absolute maximum.”

This is a line I read recently on the UK government website. Yet I wonder how many people exceed the 70 mph speed limit on a UK motorway, or the 30 mph limit on a main urban road, every day. Why do they do it? After all, they know what the speed limit is and why it is in place.

There is an analogy between the above and the challenge security leaders face in getting employees to comply with policy and take security threats seriously.

Employees, like learner drivers, are asked to invest considerable time in training. The training can be costly to plan, deliver and participate in. On top of this, assessing awareness, knowledge and competency requires a series of tests at the end. This is not dissimilar to an employee’s security awareness training, and the results are not too dissimilar either.

People who have completed security training and passed the tests still regularly fail to comply with company policy or security practices, in the same way that a number of qualified drivers exceed the speed limit. Awareness does not guarantee a change in behaviour.

Making Choices

Whilst good security can be embedded through the use of technology, in many situations it still comes down to a choice made by an employee. However, it is apparent that everything is not as it seems when it comes to how people make choices about positive security behaviour.

Many people assume that employees will exercise logic when confronted with a situation where good security practices need to be applied. However, people’s choices are routinely based on their values, emotions and experiences, especially when they are confronted by unfamiliar scenarios, placed under pressure or faced with conflicts of interest, which is often the case in information security. Employees aren’t Spocks.

Analogies provide a great means of placing information security in a context that audiences have experience of or hold values around. This familiarity makes them more engaging, and easy to understand and recall. Their widespread use in day-to-day encounters is evidence that they work and add value. In recognition of this, The Analogies Project, a not-for-profit venture, is building an online library of information security analogies for the security community to use free of charge.

There are currently over 80 contributors, contributing in six languages, from four continents. The contributors work within and outside of the security industry and are at all stages of their careers. There are CISOs, CEOs and CIOs of multinational organisations through to system administrators, and BAFTA-nominated comedians through to film producers and students. There is even former US President Bill Clinton’s speechwriter and ISC2’s very own Adrian Davis.

We’re always looking for new contributors with an analogy to share, and we welcome enquiries, which can be made via the website.

Bruce Hallas, (ISC)2 member and Founder at The Analogies Project and Director at Marmalade Box Ltd.
