Maximising the Effectiveness of Information Security Awareness
Over the last twenty years, technical controls for information security have advanced
and matured considerably. Despite these technical advances, information security
breaches still occur on a regular basis. It appears that technical security controls
have evolved faster than management controls. Despite efforts at promoting
information security awareness there is evidence that human behaviour remains a
potential vulnerability in any information security system.
This thesis presents an alternative perspective on the “human problem” and assesses
information security awareness as a management control by applying principles of
Psychology and Marketing. Those principles show significant
opportunities for a more holistic approach to information security awareness. The
methodology identified for Mental Models shows significant promise in mapping
existing audience beliefs and attitudes. A review of punishment sanctions reveals an
unintended consequence: they give people an incentive not to report
an information security breach. A case study is presented of an organisation that
has used rewards to motivate compliance behaviour instead of relying on fear of
sanctions.
An analysis of relevant Marketing principles identifies Direct Marketing as a
methodology closely aligned with the goals of information security awareness. The
importance of audience research, of measuring existing attitudes and beliefs, and of
finding quantifiable metrics all has important implications for information security
awareness.
Two models were created as part of this thesis. The first one in Chapter Two
illustrates the steps involved in achieving a behavioural change and demonstrates
the number of potential barriers that need to be considered. The second model in
Chapter Five is a scorecard that information security professionals can use to
evaluate the extent to which an information security awareness campaign takes into
account Psychology and Marketing principles. While both models offer significant
opportunities to help refine approaches to information security awareness it will be
difficult to quantify the benefit until improvements are made to the way that
organisations measure the success of information security awareness