Death by a thousand facts
Criticising the technocratic approach to information security awareness
Geordie Stewart
Risk Intelligence Ltd, London, UK, and
David Lacey
David Lacey Consulting, London, UK
Abstract
Purpose – The purpose of this paper is to examine why mainstream information security awareness
techniques have failed to evolve at the same rate as automated technical security controls and to
suggest improvements based on psychology and safety science.
Design/methodology/approach – The concepts of bounded rationality, mental models and the
extended parallel processing model are examined in an information security context.
Findings – There is a lack of formal methodologies in information security awareness for
systematically identifying audience communication requirements. Problems with human behaviour in
an information security context are assumed to be caused by a lack of facts available to the audience.
Awareness, therefore, is largely treated as the broadcast of facts to an audience in the hope that
behaviour improves. There is a tendency for technical experts in the field of information security to tell
people what they think they ought to know (and may in fact already know). This “technocratic” view
of risk communication is fundamentally flawed and has been strongly criticised by experts in safety
risk communications as ineffective and inefficient.
Practical implications – The paper shows how the approach to information security awareness
can be improved using knowledge from the safety field.
Originality/value – The paper demonstrates how advanced concepts from safety science can be
used to improve information security risk communications.
Keywords Information technology, Data security, Data management, Psychology,
Information security awareness, Mental models, Extended parallel processing model, NIST 800-50,
Bounded rationality
Paper type General review
1. Introduction
Over the last 20 years there have been enormous advances in the sophistication and
maturity of automated technical information security controls. Sophisticated technical
controls such as client-based firewalls, anti-virus and real-time patching are now common.
Despite the presence of advanced technical controls, information systems remain
vulnerable because of human behaviour (Lacey, 2009). There is growing evidence to
suggest that human vulnerabilities are increasingly being seen as an easier option to
exploit information systems (Deloitte, 2009). There are a number of reasons why this
is the case. Researchers have noted that there are problems with the usability
of information systems (Parkin et al., 2010), unreasonable risk trade-off decisions
This paper is a version of the paper which was presented at the HAISA 2011 conference on
7-8 July 2011 at Kingston University, London, UK.
Received 3 January 2012; accepted 13 January 2012.
Information Management & Computer Security, Vol. 20 No. 1, 2012, pp. 29-38.
© Emerald Group Publishing Limited, ISSN 0968-5227. DOI 10.1108/09685221211219182