Making security awareness programmes more effective

Geordie Stewart and John Austen believe we could learn a great deal by looking at marketing and psychology disciplines when setting up a security awareness programme.

Mention security awareness to most professionals and their eyes start to glaze over.

They will tell you users are a problem, but few apply any real effort to communicate the security message out to their users in a way that is likely to be well accepted and properly adopted. We need some new thinking on the subject.

Two people who have been looking at the problem are Geordie Stewart and John Austen, who believe we could learn a great deal by looking at two other disciplines – marketing and psychology – when setting up a security awareness programme.

These ideas are outlined in a major article published on called Maximising the Effectiveness of Information Awareness (see below for .pdf).

"Not only is the promotion of awareness a costly and difficult venture, but the link between awareness and change in behaviour has been shown to be weak," the authors say. "At a personal level we are bombarded on a daily basis to give up smoking, stop speeding and lose weight—if these messages are routinely ignored why should information security messages be any different?"

They argue that research in psychology shows that an over-reliance on fear and punishment can be counter-productive when trying to alter user behaviour: nervous users tend to make more mistakes, not fewer.

They also recommend a more targeted approach to getting messages across, tailoring the message to the individual using many of the techniques of a direct marketing campaign.

The article is part of our 2009 series featuring the best new MSc theses from graduates of the information security group at Royal Holloway University of London (RHUL).

The article provides some original insight into the problem, as well as practical guidance on how to implement a successful awareness programme and how to measure its effectiveness.

As the authors point out, solid metrics are essential in order to make a good business case.

Read Maximising the Effectiveness of Information Security Awareness (.pdf) by Geordie Stewart and John Austen.

SearchSecurity's association with RHUL began last year when we published 12 articles from RHUL's MSc graduates. These were widely appreciated for their new ideas and relevance to security problems. We believe the 2009 series is equally wide-ranging and thought-provoking.
