I am pleased to see a dawning recognition that security awareness is not an end in itself, nor something that has to be done purely for compliance reasons. It is not security training, and (to any sentient management at least) it is not a tedious once-a-year lecture to the troops. It is in fact a means to drive positive cultural change through the organization or, in the case of public campaigns, nationwide, and through that change to improve security.
Culture is hard to define and measure, and harder still to change in a concerted and directed manner. Just like large masses in physics, large bodies of people have a natural inertia which resists change and tends towards more of the same, the status quo. There are cultural norms and accepted ways of doing things, reinforced by all manner of psychological and behavioral cues from the people around us, the majority of which are so subtle as to be practically invisible to the conscious mind.
Cultural inertia is a significant factor in awareness, since change inevitably takes time and effort to achieve, and major cultural change is slower and harder still: in a nutshell, we're running a marathon, not a sprint - more like steering a supertanker than a speedboat.
Furthermore, at the level of individuals, we each have our own habits both good and bad. And we all know how hard it is to change habits. Even addicts with their physiological attachment to drugs, alcohol or gambling can break out of their rut provided they have both the self-will and the support of others. There are two more clues about making awareness work: the self-will bit means helping the addict reach the point of recognizing that something has to give (providing information and motivation), while the support network (peers, experts, friends and family) is a vital part of the treatment.
Aside from addiction, that mention of good and bad habits suggests another possible approach, namely to emphasize and reinforce good security behaviors, or play down and discourage the bad. Arguably, it is better to do both - for instance, instead of just ticking-off naughty employees for leaving their PCs logged-in, unlocked and unattended, give some sort of reward to those who spare a moment to hit Windows-L before walking away from their desk. 'Some sort of reward' could be as simple and cheap as a little thank-you note and maybe a sweet, while the ticking-off could be a note explaining why there is no sweet today. This may sound rather childish, not a million miles from one of Dr Pavlov's experiments, but the point is that psychologists and educationalists have a pretty good grasp of what works - so why not take advantage of their skills?
OK, that's enough waffle from me for this evening but if this piece resonates with you, please leave your comments or questions or email me if you'd like to hear more. Meanwhile, ponder on. See how many cultural security cues you can spot as you go quietly about your business. Believe me, once you open your eyes and ears to them, you'll find there are loads. No wonder, then, that something as simplistic as, say, a security awareness poster is hardly going to revolutionize the way people think and behave, if that's all you change while leaving everything else the same.
Gary Hinson Gary@isect.com