Why Security Awareness Programs Fail

Organizations need to shift from promoting awareness of potential problems to embedding security habits that create a "stop and think" behavior—and affect risk positively.

Mobile phone, fail

So what is special about information security and where does it fit with people’s competing priorities? What will change the attitudes of "it won’t happen to me," "It’s not my problem" and "The technology will protect me" that remain front of mind for so many people? It’s far from certain that awareness activities will answer these questions, as they demand time from people for seemingly little return.

Beyond a certain threshold, it’s likely that increasing workplace demands will be ignored or met with attempts to circumvent them. Therefore, it is entirely rational for people to reject security advice from both an economic and workload perspective. The importance of getting things right and not using people’s time wastefully simply cannot be overstated.

In addition, many organizations treat information security awareness as a checkbox exercise undertaken primarily for compliance reasons. This typically receives a uniform response of "Thank goodness that’s over for another year." Even if the initiative is more than just a checkbox exercise, it has quite likely failed in its objective as people have not engaged with how and why the message is relevant to them. This often results in people feeling that information security is simply an obstacle that "stops the job getting done."

The Commercial Driver Should be Risk

Organizations need to shift from promoting awareness of the problem to creating solutions and embedding information security behaviors that affect risk positively. The risks are real because people are imperfect. Many organizations recognize people as their biggest asset, yet they still fail to recognize the need to secure the human element of information security.

Instead of simply making people aware of their information security responsibilities and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in "stop and think" behavior becoming a habit and part of an organization’s information security culture. While many organizations have compliance activities which fall under the general heading of security awareness, the real commercial driver should be risk, and how new behaviors can reduce that risk.

The time is right and the opportunity to shift away from awareness to tangible behaviors has never been greater. The C-suite has become more cyber-savvy, and regulators and stakeholders continually push for stronger governance, particularly in the area of risk management. Moving to behavior change will provide the CIO with the ammunition needed to provide positive answers to security awareness and training questions that are likely to be posed by the CEO and other members of the senior management team.

About the Author

Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber-security, BYOD, the cloud and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner. 

To read his previous 
CIO Insight article, "Security Strategies Must Be Integrated," click here.

This article was originally published on 07-09-2014
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.

Click for a full list of Newsletterssubmit