Getting to grips with the human factor

Yesterday I was in the Netherlands speaking at Endeavour Events’ excellent InfoPROTECT 2008 conference. This event attracts a very good crowd and it seems to get the balance right between lectures, workshops and networking. You don’t feel that you’re being excessively “lectured at” or “sold to”, yet there is constant interaction between users and vendors.

I was speaking on the subject of the growing importance of people in the information security problem and solution space. It’s a really hot subject and my talk seemes to go down very well. There’s a growing “resonance” whenever I speak on this subject. Information security practitioners are becoming increasingly conscious of the need to invest more in this area. But there is a serious lack of guidance of services in this space.

I’ve long said that security managers should devote at least 10% of their budget to security awareness. There’s no doubt in my mind that the benefits of reduced incident levels more than justify that. But the real problem is identifying what you should spend it on. There’s a complete vacuum on this subject. No education, standards or guidelines, and few products other than handful of specialist services, such as Martin Smith’s security awareness services.

The situation is slowly changing. University courses, such as Royal Holloway’s MSc course are increasing their coverage. Large companies are assigning full-time senior managers to address the subject. And, of course, my book, perhaps the first one devoted to the subject, will be published in January. But we need a lot more inter-disciplinary technology transfer. Today, security managers can learn more from psychologists than technologists. That speaks volumes.