(CSO) Proper understanding of “awareness” is necessary to improve security awareness
I penned a short series on security awareness on the Translating Security Value blog at CSO. It starts by exploring the basic concept of awareness.
As the concept of “security awareness” makes an awkward shift from relegated compliance cost to front and center discussion on how to influence behavior change in organizations, it’s important to consider what “awareness” is in order to improve our outcomes.
One of the principal challenges is how the term “security awareness” is used and what people expect from security awareness.
In the security industry, this concept is poorly defined, goes by many misleading terms, and creates confusion by working against recognized concepts of awareness in other fields.
Whether called “security awareness,” “cyber awareness,” “security awareness training,” or the clever “security awareness and training,” the nomenclature causes confusion. Some seek to sidestep the confusion by focusing on education. I think that’s a good idea, but I have a different suggestion (more on that in a future post).
One of the things I’ve experienced in the last two decades of information security is that when something is not understood, it has no value. Things that are obligated, but misunderstood with little value are unfunded. As a result, people don’t care.
When it comes to “security awareness,” somehow the centuries-old concept of “awareness” was hijacked from it’s meaning to signify something different. A few month ago, I started practicing yoga. Awareness is a key concept in yoga.
Here’s the thing: awareness in yoga, especially for someone new (like me), means only that I realize something. First and foremost, it doesn’t mean I understand. Initially, it is a realization. Further, awareness — with or without understanding — doesn’t mean that I know what to do about it, or even if I should do anything about it.