Death by a thousand facts: Criticising the technocratic approach to information security awareness

G Stewart; David Lacey

doi:10.1108/09685221211219182

Back

Death by a thousand facts: Criticising the technocratic approach to information security awareness

Journal article

Peer reviewed

Death by a thousand facts: Criticising the technocratic approach to information security awareness

G Stewart and David Lacey

Information Management and Computer Security, Vol.20(1), pp.29-38

2012

DOI: https://doi.org/10.1108/09685221211219182

Files and links (1)

url

https://doi.org/10.1108/09685221211219182View

Published Version

Abstract

information technology

data security

data management

psychology

information security awareness

mental models

extended parallel processing model

NIST 800-50

bounded rationality

Purpose - The purpose of this paper is to examine why mainstream information security awareness techniques have failed to evolve at the same rate as automated technical security controls and to suggest improvements based on psychology and safety science. Design/methodology/approach - The concepts of bounded rationality, mental models and the extended parallel processing model are examined in an information security context. Findings - There is a lack of formal methodologies in information security awareness for systematically identifying audience communication requirements. Problems with human behaviour in an information security context are assumed to be caused by a lack of facts available to the audience. Awareness, therefore, is largely treated as the broadcast of facts to an audience in the hope that behaviour improves. There is a tendency for technical experts in the field of information security to tell people what they think they ought to know (and may in fact already know). This "technocratic" view of risk communication is fundamentally flawed and has been strongly criticised by experts in safety risk communications as ineffective and inefficient. Practical implications - The paper shows how the approach to information security awareness can be improved using knowledge from the safety field. Originality/value - The paper demonstrates how advanced concepts from safety science can be used to improve information security risk communications. Copyright © 2012 Emerald Group Publishing Limited. All rights reserved.

Details

Title: Death by a thousand facts: Criticising the technocratic approach to information security awareness
Authors: G Stewart (Author) - Risk Intelligence Ltd, United Kingdom
David Lacey (Author) - David Lacey Consulting, United Kingdom
Publication details: Information Management and Computer Security, Vol.20(1), pp.29-38
Publisher: Emerald Group Publishing Ltd.
Date published: 2012
DOI: 10.1108/09685221211219182
ISSN: 0968-5227
Organisation Unit: Cyber Institute; University of the Sunshine Coast, Queensland
Language: English
Record Identifier: 99449470602621
Output Type: Journal article

Metrics

3 File views/ downloads

633 Record Views