Dominic Vogel says that it's wrong to give up on instilling security awareness in users, but skipping the jargon and getting back to simple common sense is the key.
Over the past several months, since notable security professional Dave Aitel proclaimed that security awareness was a complete waste of time, much has been written both for and against his arguments. I am not going to bother to add to the litany of articles. Regardless of your opinion about security awareness as a risk-mitigating control, all information security professionals should be capable of at least describing, at a high level, the concept of security awareness. Picture this scenario: you are tasked with talking about security awareness with your business colleagues. One stipulation: you have only five minutes to deliver your message. So, other than constructing a machine to slow down time, how would you attempt to effectively describe security awareness in 300 seconds? My approach: take out all the techno-babble and appeal to people's common sense.
Security mindset: Common sense decisions
To most people, computer (or online) security doesn't extend past the practice of remembering countless usernames and passwords. However, security is a mindset that everyone needs to form in an increasingly interconnected world. As Bruce Schneier points out, "computer security IS security." Security needs to become instilled in our minds as a common-sense mentality: lock your doors, look both ways before crossing the street, and change the channel when the Jersey Shore airs. The sticky wicket is getting security awareness to become common sense within the majority of the population. Nearly two decades after the dawn of the online era, this common sense is, alas, not very common. Why? The reason may lie in our inherent difficulty in assessing risk.
Improving risk perceptions
We take risks every day without realizing it. We take a risk when we get up in the morning, when we shower, when we commute to work, and when we tell our manager what we really think of them. Humans are not very good at assessing risk. Our perception of risk is greatly affected by our personal point of view. We tend to overestimate risks that are highly visual (a terrorist attack) or that we are not in control of (flying on a plane). Conversely, we underestimate things that happen slowly (heart disease) or that we are in control of (driving a car). One of the most highly perceived risks at the beach is being attacked by a shark (thanks, Steven Spielberg), with odds of 1 in 255 million. People overestimate this risk because it is highly visual; however, they are more likely to be killed by the vending machine that swallowed their quarters and didn't spit out the Diet Fresca they so desperately wanted, so they rocked the machine and caused it to crush them (likelihood about 1 in 112 million).
From the human perspective, we are quick to point out that animals must be stupid or intellectually inferior when they succumb to baited traps, since the traps seem so obvious to us. So how the heck does this relate to online security awareness? When we surf the web or use our mobile devices, we are oblivious to the risks that the online realm poses. It is our perspective that shapes how we evaluate risk. The disconnect between the actions we take in the online world and their consequences has left the majority of people with a naive sense of security.
Risks and information security
As a society, we tend to underestimate the risk of how we interact with information online while simultaneously overestimating the hyped threats of Chinese espionage and various doomsday scenarios. The truth is that an overwhelming majority of modern malware requires some form of human interaction for the initial infection to occur. By forming a security mindset, we collectively improve our security awareness, thereby lowering the risk that online threats pose to society as a whole. It boils down to thinking critically and creating good security habits. There was a time when putting on your seatbelt eluded common sense -- now most people do it as a subconscious habit. By making people more aware of how they perceive and evaluate risk, we can greatly improve their odds of forming a security mindset. My advice: buckle up -- get people thinking differently about security.