Apr 20, 2006

The value of security awareness

A news item at Silicon.com included the following quote: "'Companies must make strong and effective security practices part of their culture through awareness, education and accountability,' says Jan Babiak, head of the information security practice at Ernst & Young. 'This needs to be enforced by the CEO and the board, with organisations aspiring to implement well designed controls and fostering a security-conscious culture led from above. Without this top-down endorsement, employees will often ignore controls or worse avoid them, placing the entire enterprise at great risk.'" We'd certainly support the need for senior management's proactive support, but there's rather more to the issue than that.
Take security policies, for example. Policies without a management mandate are practically worthless. Policies with a clear mandate are fine, but are not in themselves effective. Policies with a clear mandate and a communications program to make sure people are aware of, and understand, their obligations towards them are an improvement ... but even that is not enough. People need to be led the extra mile to commit to the policies and, in time, adapt their behaviors to fall into line with them. Compliance activities can help but (yes, you guessed it) are not necessarily The Answer either - "comply or else" expletives from management can do enormous damage to the changes necessary to achieve positive cultural shifts.
In a truly security-aware culture, people comply with security policies not so much because someone tells them to do so, but because they genuinely appreciate the need, just as an experienced driver instinctively uses mirror-signal-manoeuvre whereas a learner driver consciously mutters the reminder under their breath. Get the security habit through awareness, training and education - but make sure your management get in the habit too. Awareness really does start at the top.
  1. I must say that overall you have a very impressive site, and your white paper on the value of security awareness and posting are quite worthwhile. However, awareness through education and policies may reduce incidents due to negligence and error, but not deliberate internal theft of trade secrets triggered by some event in the guise of vengefulness. Policies, even 2 million of them, are useless if they cannot be enforced. If you are not 100% sure of which employees are trustworthy, then one must protect systems and data from all authorized users inside the network.

    This is when security must be baked in at the DNA level as the white paper discusses, using technology such as trusted operating systems and multi-level security.

  2. Hello RU.

    Thanks for your kind comments. You have a fair point about awareness not being enough to stop all information security incidents - it is most certainly not the total solution but, in my opinion, is a chronically undervalued element of a well-rounded and effective information security controls framework. In many ways, it is the glue that knits other parts of security together into a whole. Policies without awareness are shelfware, and have no practical impact on users. Systems built without an awareness and understanding of relevant policies and standards are inconsistent and generally insecure. Security requirements specifications developed by people who do not have a reasonable understanding of security are unlikely to cover all aspects of security to an adequate level. Managers who do not "get it" are unlikely to fund information security sufficiently. I'm sure you get my drift.

    The galling part for me is that security awareness is a real cheap option - I'm not (just!) talking about our services and those of our competitors or the marvellous home-grown awareness programs that some organizations develop, rather I mean the whole approach is both less expensive and more effective than "let's just buy another appliance". The problem, though, is that cheap does not equate to easy. Badly planned and implemented security awareness programs are all around us and do a tremendous disservice, discrediting the entire concept through rotten delivery. Imagine an incompetent network administrator taking a shiny new firewall out of the box having read the glossy sales blurb, messing up the settings, finding that it fails to prevent attacks, and thus concluding that "firewalls are rubbish" - this is pretty much what happens with security awareness.

    All the best, NB