Online from: 1993
Subject Area: Information and Knowledge Management
Options: To add Favourites and Table of Contents Alerts please take a Emerald profile
|Title:||Death by a thousand facts: Criticising the technocratic approach to information security awareness|
|Author(s):||Geordie Stewart, (Risk Intelligence Ltd, London, UK), David Lacey, (David Lacey Consulting, London, UK)|
|Citation:||Geordie Stewart, David Lacey, (2012) "Death by a thousand facts: Criticising the technocratic approach to information security awareness", Information Management & Computer Security, Vol. 20 Iss: 1, pp.29 - 38|
|Keywords:||Bounded rationality, Data management, Data security, Extended parallel processing model, Information security awareness, Information technology, Mental models, NIST 800-50, Psychology|
|Article type:||General review|
|DOI:||10.1108/09685221211219182 (Permanent URL)|
|Publisher:||Emerald Group Publishing Limited|
|Acknowledgements:||This paper is a version of the paper which was presented at the HAISA 2011 conference on 7-8 July 2011 at Kingston University, London, UK.|
Purpose – The purpose of this paper is to examine why mainstream information security awareness techniques have failed to evolve at the same rate as automated technical security controls and to suggest improvements based on psychology and safety science.
Design/methodology/approach – The concepts of bounded rationality, mental models and the extended parallel processing model are examined in an information security context.
Findings – There is a lack of formal methodologies in information security awareness for systematically identifying audience communication requirements. Problems with human behaviour in an information security context are assumed to be caused by a lack of facts available to the audience. Awareness, therefore, is largely treated as the broadcast of facts to an audience in the hope that behaviour improves. There is a tendency for technical experts in the field of information security to tell people what they think they ought to know (and may in fact already know). This “technocratic” view of risk communication is fundamentally flawed and has been strongly criticised by experts in safety risk communications as ineffective and inefficient.
Practical implications – The paper shows how the approach to information security awareness can be improved using knowledge from the safety field.
Originality/value – The paper demonstrates how advanced concepts from safety science can be used to improve information security risk communications.
To purchase this item please login or register.
Complete and print this form to request this document from your librarian