They will tell you users are a problem, but few make any real effort to communicate the security message to their users in a way that is likely to be well accepted and properly adopted. We need some new thinking on the subject.
These ideas are outlined in a major article published on SearchSecurity.co.uk called Maximising the Effectiveness of Information Security Awareness (see below for the .pdf).
"Not only is the promotion of awareness a costly and difficult venture, but the link between awareness and change in behaviour has been shown to be weak," the authors say. "At a personal level we are bombarded on a daily basis to give up smoking, stop speeding and lose weight—if these messages are routinely ignored why should information security messages be any different?"
They argue that research in psychology shows that an over-reliance on fear and punishment can be counter-productive when trying to alter user behaviour: if anything, nervous users tend to make more mistakes.
They also recommend a more targeted approach to getting messages across, tailoring the message to the individual using many of the techniques of a direct marketing campaign.
The article is part of our 2009 series featuring the best new MSc theses from graduates of the information security group at Royal Holloway University of London (RHUL).
The article provides some original insight into the problem, as well as practical guidance on how to implement a successful awareness programme and how to measure its effectiveness.
As the authors point out, solid metrics are essential in order to make a good business case.
Read Maximising the Effectiveness of Information Security Awareness (.pdf) by Geordie Stewart and John Austen.
SearchSecurity's association with RHUL began last year when we published 12 articles from RHUL's MSc graduates. These were widely appreciated for their new ideas and relevance to security problems. We believe the 2009 series is equally wide-ranging and thought-provoking.