
    Maximising the Effectiveness of Information Security Awareness

    Over the last twenty years, technical controls for information security have advanced and matured considerably. Despite these technical advances, information security breaches still occur on a regular basis. It appears that technical security controls have evolved faster than management controls. Despite efforts at promoting information security awareness, there is evidence that human behaviour remains a potential vulnerability in any information security system. This thesis presents an alternative perspective on the “human problem” and assesses information security awareness as a management control by applying principles of Psychology and Marketing. Psychology and Marketing principles show significant opportunities for a more holistic approach to information security awareness. The methodology identified for Mental Models shows significant promise in mapping existing audience beliefs and attitudes. The use of punishment sanctions is reviewed and reveals an unintended consequence: people have an incentive not to report an information security breach. A case study is presented of an organisation that has used rewards to motivate compliance behaviour instead of relying on fear sanctions. An analysis of relevant Marketing principles identifies Direct Marketing as a methodology closely aligned with the goals of information security awareness. The importance of audience research, of measuring existing attitudes and beliefs, and of finding quantifiable metrics all have important implications for information security awareness. Two models were created as part of this thesis. The first, in Chapter Two, illustrates the steps involved in achieving a behavioural change and demonstrates the number of potential barriers that need to be considered. The second model, in Chapter Five, is a scorecard that information security professionals can use to evaluate the extent to which an information security awareness campaign takes Psychology and Marketing principles into account.

    While both models offer significant opportunities to help refine approaches to information security awareness, it will be difficult to quantify the benefit until improvements are made to the way that organisations measure the success of information security awareness.