Open access repository

Home Open access repository

In 2014, we launched our open-access repository which offers full text access to conference proceedings from many of our events including the INC and HAISA series. These papers are free to access and distribute (subject to citing the source).

» Openaccess proceedings » 5th International Symposium on Human Aspects of Information Security and Assurance (HAISA 2011)

5th International Symposium on Human Aspects of Information Security and Assurance (HAISA 2011)

5th International Symposium on Human Aspects of Information Security and Assurance (HAISA 2011)
London, UK, July 7-8, 2011
ISBN: 978-1-84102-284-0

Title: Death by a Thousand Facts: Criticising the Technocratic Approach to Information Security Awareness
Author(s): Geordie Stewart, David Lacey
Reference: pp11-21
Keywords: Information Security Awareness, Risk Communication, Safety, Mental Models, Extended Parallel Processing Model, NIST 800-50, Bounded Rationality
Abstract: Mainstream information security awareness techniques are failing to evolve at the same rate as automated technical security controls. Humans are increasingly seen as the weak link in information security defences and attackers are starting to prefer exploiting human factors such as greed, curiosity and respect for authority.

Problems with human behaviour in an information security context are assumed to be caused by a lack of facts available to the audience. Awareness therefore is largely treated as the broadcast of facts to an audience in the hope that behaviour improves. There is a tendency for technical experts in the field of information security to tell people what they think they ought to know (and may in fact already know). This “technocratic” view of risk communication is fundamentally flawed and has been strongly criticised by experts in safety risk communications as ineffective and inefficient.

To improve the effectiveness and efficiency of security awareness techniques this paper leverages safety risk communications which is a mature discipline with common objectives. A critical feature of safety risk communications which is missing from the information security approach is a set of methodologies to systematically evaluate audience requirements. Accordingly, this paper explores the concepts of bounded rationality, mental models and the Extended Parallel Processing Model in an information security context.
Download count: 1706

How to get this paper:

Download a free PDF copy of this paperBuy this book at Lulu.com

PDF copy of this paper is free to download. You may distribute this copy providing you cite this page as the source.