Security awareness in different cultures

I’ve been off the air for several weeks, enjoying a seasonal break, and also working in the excellent Sultanate of Oman. (I have to admit that Muscat is one of my favourite locations, whether for business or pleasure.)

I find it interesting to compare and contrast the differences in information security emphasis and skills across the world. In the USA, for example, it’s clear that technology rules. In the UK, process is King. (Our legacy to the world is ISO 27000.) In the rest of the world, however, it’s generally people and culture that top the agenda.

Oman is especially interesting as it has a good vision of the importance of security education, and a surprising level of sophistication in its awareness initiatives. Not only does it aim to educate its citizens in information security, it also thinks very carefully about the images and the presentation of material. Talking to InfoShield, their top information security consultancy, I was impressed with their understanding of psychology and communications in the design of their awareness materials.

When it comes to marketing communications, every country is different. Americans, for example, who are more used to loud, brash advertising, might find the Omani material a little understated. But that’s what works best in the region. The real skill in security awareness lies in understanding how best to engage with the target audience.

In an ideal world, security awareness materials would be extensively tailored to specific types of person in different regions. This is not always practical for international campaigns, so a certain degree of compromise is needed. Unfortunately, it’s rare to find good examples of this. When I worked for Shell, we conducted extensive research to identify images that were both familiar and popular in all geographic regions. One image we came up with was a porcupine, an animal that is popular in every region, and which defends itself with multiple points of security.

Looking at the security awareness materials available on the Internet, I have to say that they are generally poor, lacking in imagination and with little thought given to psychology and perception. Given that the future of information security lies largely in the hands of users, we should all be aiming to raise our game in our capability to communicate across networks. It’s arguably the most important skill in information security management, yet one that is rarely taught, or sought after.