Geordie Stewart (2009) Maximising the Effectiveness of Information Security Awareness.
Full text access: Open
Over the last twenty years, technical controls for information security have advanced and matured considerably. Despite these technical advances, information security breaches still occur on a regular basis. It appears that technical security controls have evolved faster than management controls. Despite efforts at promoting information security awareness, there is evidence that human behaviour remains a potential vulnerability in any information security system. This thesis presents an alternative perspective on the "human problem" and assesses information security awareness as a management control by applying principles of Psychology and Marketing. Psychology and Marketing principles show significant opportunities for a more holistic approach to information security awareness. The methodology identified for Mental Models shows significant promise in mapping existing audience beliefs and attitudes. The use of punishment sanctions is reviewed and reveals an unintended consequence: people have an incentive not to report an information security breach. A case study is presented of an organisation that has used rewards to motivate compliance behaviour instead of relying on fear sanctions. An analysis of relevant Marketing principles identifies Direct Marketing as a methodology closely aligned with the goals of information security awareness. Audience research, the measurement of existing attitudes and beliefs, and the identification of quantifiable metrics all have important implications for information security awareness. Two models were created as part of this thesis. The first, in Chapter Two, illustrates the steps involved in achieving a behavioural change and demonstrates the number of potential barriers that need to be considered. The second, in Chapter Five, is a scorecard that information security professionals can use to evaluate the extent to which an information security awareness campaign takes Psychology and Marketing principles into account.
While both models offer significant opportunities to help refine approaches to information security awareness, it will be difficult to quantify the benefit until improvements are made to the way that organisations measure the success of information security awareness.
This is a Published version. This version's date is 16/02/2009. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/d16cb4ac-bfcd-d06a-0abd-2d441131abd5/1/
Deposited by () on 23-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010.