Advanced Search
Journal search
Journal cover: Information Management & Computer Security

Information Management & Computer Security

ISSN: 0968-5227

Online from: 1993

Subject Area: Information and Knowledge Management

Content: Latest Issue | icon: RSS Latest Issue RSS | Previous Issues


Icon: .Table of Contents.Icon: .

Death by a thousand facts: Criticising the technocratic approach to information security awareness

Document Information:
Title:Death by a thousand facts: Criticising the technocratic approach to information security awareness
Author(s):Geordie Stewart, (Risk Intelligence Ltd, London, UK), David Lacey, (David Lacey Consulting, London, UK)
Citation:Geordie Stewart, David Lacey, (2012) "Death by a thousand facts: Criticising the technocratic approach to information security awareness", Information Management & Computer Security, Vol. 20 Iss: 1, pp.29 - 38
Keywords:Bounded rationality, Data management, Data security, Extended parallel processing model, Information security awareness, Information technology, Mental models, NIST 800-50, Psychology
Article type:General review
DOI:10.1108/09685221211219182 (Permanent URL)
Publisher:Emerald Group Publishing Limited
Acknowledgements:This paper is a version of the paper which was presented at the HAISA 2011 conference on 7-8 July 2011 at Kingston University, London, UK.

Purpose – The purpose of this paper is to examine why mainstream information security awareness techniques have failed to evolve at the same rate as automated technical security controls and to suggest improvements based on psychology and safety science.

Design/methodology/approach – The concepts of bounded rationality, mental models and the extended parallel processing model are examined in an information security context.

Findings – There is a lack of formal methodologies in information security awareness for systematically identifying audience communication requirements. Problems with human behaviour in an information security context are assumed to be caused by a lack of facts available to the audience. Awareness, therefore, is largely treated as the broadcast of facts to an audience in the hope that behaviour improves. There is a tendency for technical experts in the field of information security to tell people what they think they ought to know (and may in fact already know). This “technocratic” view of risk communication is fundamentally flawed and has been strongly criticised by experts in safety risk communications as ineffective and inefficient.

Practical implications – The paper shows how the approach to information security awareness can be improved using knowledge from the safety field.

Originality/value – The paper demonstrates how advanced concepts from safety science can be used to improve information security risk communications.

Fulltext Options:



Existing customers: login
to access this document


- Forgot password?
- Athens/Institutional login



Downloadable; Printable; Owned
HTML, PDF (123kb)

Due to our platform migration, pay-per-view is temporarily unavailable.

To purchase this item please login or register.


- Forgot password?

Recommend to your librarian

Complete and print this form to request this document from your librarian

Marked list

Bookmark & share

Reprints & permissions