Information security practitioners have long been poor at developing awareness materials. Partly this is because misguided governance systems focus on legalistic policies and procedures that no one ever reads. (When was the last time you read an instruction manual?) It’s also because security professionals are not trained in the art of designing effective communications materials. We need to tackle both of these weaknesses.
Unfortunately, the growing wave of regulatory compliance means that there is little prospect of the governance side being improved, as established security standards are rooted in an outdated, paper-based quality model, designed for churning out identical widgets rather than for inspiring people to safeguard intellectual assets.
Progress with the human aspects is likely to show more promise. At least the problem is recognised, though the interventions leave much to be desired. (The UK strategy appears to be to leave everything to a single underfunded website, Get Safe Online.)
On the bright side, however, more and more academic courses are including human factor considerations. It’s a big subject and expertise is thin on the ground. Lessons can, however, be learnt from other fields. Safety is one. A good place to start is to study the art of designing road signs. The BBC News website has an interesting feature on this, which makes some excellent points.
It also raises the obvious question of why we don’t have universally recognised warning signs for information security risks. Now that would be a good idea, though it’s unlikely to be taken up by a community that believes that hundreds of pages of policy guidance are the answer.
Many thanks to Andrew Yeomans for pointing out there is an excellent example of the use of warning signs in the SPIDER project by Pete Burnap, Jeremy Hilton and Anas Tawileh.