Making security awareness programmes more effective

Mention security awareness to most professionals and their eyes start to glaze over.

They will tell you users are a problem, but few apply any real effort to communicate the security message out to their users in a way that is likely to be well accepted and properly adopted. We need some new thinking on the subject.

Two people who have been looking at the problem are Geordie Stewart and John Austen, who believe we could learn a great deal by looking at two other disciplines – marketing and psychology – when setting up a security awareness programme.

These ideas are outlined in a major article published on SearchSecurity.co.uk called Maximising the Effectiveness of Information Security Awareness (see below for .pdf).

"Not only is the promotion of awareness a costly and difficult venture, but the link between awareness and change in behaviour has been shown to be weak," the authors say. "At a personal level we are bombarded on a daily basis to give up smoking, stop speeding and lose weight—if these messages are routinely ignored why should information security messages be any different?"

They argue that research in psychology shows that an over-reliance on fear and punishment can be counter-productive when trying to alter user behaviour. On the contrary, if users are nervous they tend to make mistakes.

They also recommend a more targeted approach to getting messages across, tailoring the message to the individual using many of the techniques of a direct marketing campaign.

The article is part of our 2009 series featuring the best new MSc theses from graduates of the information security group at Royal Holloway University of London (RHUL).

The article provides some original insight into the problem, as well as practical guidance on how to implement a successful awareness programme and how to measure its effectiveness.

As the authors point out, solid metrics are essential in order to make a good business case.

Read Maximising the Effectiveness of Information Security Awareness (.pdf) by Geordie Stewart and John Austen.

SearchSecurity's association with RHUL began last year when we published 12 articles from RHUL's MSc graduates. These were widely appreciated for their new ideas and relevance to security problems. We believe the 2009 series is equally wide-ranging and thought-provoking.

This was first published in June 2009

 
