Death by a thousand facts
Criticising the technocratic approach to information security awareness
Risk Intelligence Ltd, London, UK, and
David Lacey Consulting, London, UK
Purpose – The purpose of this paper is to examine why mainstream information security awareness
techniques have failed to evolve at the same rate as automated technical security controls and to
suggest improvements based on psychology and safety science.
Design/methodology/approach – The concepts of bounded rationality, mental models and the
extended parallel processing model are examined in an information security context.
Findings – There is a lack of formal methodologies in information security awareness for
systematically identifying audience communication requirements. Problems with human behaviour in
an information security context are assumed to be caused by a lack of facts available to the audience.
Awareness, therefore, is largely treated as the broadcast of facts to an audience in the hope that
behaviour improves. There is a tendency for technical experts in the field of information security to tell
people what they think they ought to know (and may in fact already know). This “technocratic” view
of risk communication is fundamentally flawed and has been strongly criticised by experts in safety
risk communications as ineffective and inefficient.
Practical implications – The paper shows how the approach to information security awareness
can be improved using knowledge from the safety field.
Originality/value – The paper demonstrates how advanced concepts from safety science can be
used to improve information security risk communications.
Keywords Information technology, Data security, Data management, Psychology,
Information security awareness, Mental models, Extended parallel processing model, NIST 800-50,
Paper type General review
Over the last 20 years there have been enormous advances in the sophistication and
maturity of automated technical information security controls. Sophisticated technical
controls such as client-based firewalls, anti-virus and real time patching are now common.
Despite the presence of advanced technical controls, information systems remain
vulnerable because of human behaviour (Lacey, 2009). There is growing evidence to
suggest that human vulnerabilities are increasingly being seen as an easier option to
exploit information systems (Deloitte, 2009). There are a number of reasons why this
is the case. Researchers have noted that there are problems with the usability
of information systems (Parkin et al., 2010), unreasonable risk trade-off decisions
This paper is a version of the paper which was presented at the HAISA 2011 conference on
7-8 July 2011 at Kingston University, London, UK.
Received 3 January 2012
Accepted 13 January 2012
Information Management & Computer
Vol. 20 No. 1, 2012
© Emerald Group Publishing Limited