
Cybersecurity Awareness and the Need for "Cultural Change"

I recently had the opportunity to serve on a panel for a Symposium on Cyber Security Policy held at the National Press Club in Washington, D.C., and hosted by the Carnegie Mellon University CyLab. The panel, entitled "Modifying Unsafe Online Behavior and Practices - Moving Beyond Awareness", provided an opportunity to promote National Cyber Security Awareness Month. Additionally, it provided me with an opportunity to share some thoughts about "why security awareness is overrated". Below are some of the personal remarks that I conveyed during the panel discussion:

  • We should look to the awareness campaigns from other social problems (alcohol and other drugs, tobacco, childhood obesity, sex discrimination and harassment, reckless or drunk driving, firearm safety, and sportsmanship) and learn from their successes and techniques.
  • Accountability is an important component of modifying behavior. Therefore, part of the "awareness message" should be a description of the consequences if you do not behave in accordance with laws, policies, or expectations.
  • Awareness is the beginning stage of the "Learning Continuum" and should focus on "consciousness-raising" that will influence decisions. Awareness activities typically only invoke our "short-term memory" and grab our attention in the near term. Therefore, there is a baseline of security awareness that is needed by all users of networked technologies.
  • Training, on the other hand, teaches "job skills" and can provide instruction on tasks or methods that can be stored in our "long-term memory" for recall as necessary. IT staff and the users of information systems that contain sensitive data are good candidates for more focused training activities.
  • Information Literacy and Technology Fluency are goals that schools and institutions of higher education should strive toward to help students and employees assimilate the need to adapt their use of information technology in their academic pursuits or work. This is often achieved through intensive training sessions for employees or for-credit orientation classes for students.
  • Culture has been described as "shared, learned values, ideals, and behavior - a way of life" (attributed to John Bodley, Washington State University). To improve cybersecurity, you must create a culture where employees have the necessary knowledge (what to do), skill (how to do), and attitude (want to do) (attributed to Melissa Guenther, an independent consultant). Therefore, to successfully modify or change behavior, security awareness must be part of an intentional, systematic organizational change effort that adjusts "attitudes" and reshapes values and norms.

Following the presentation of these observations and arguments for why cybersecurity awareness programs are overrated without a corresponding effort to invoke cultural change, I concluded with the following policy recommendations:

  • Cybersecurity awareness requires a coordinated national effort and needs the corresponding resources. Specifically, I urged the U.S. Dept. of Education and the U.S. Dept. of Homeland Security to each devote one employee full-time to furthering cybersecurity awareness efforts on behalf of school-aged children and to broader efforts.
  • Cybersecurity training and education require a coordinated national effort and need the corresponding resources. While current programs that fund the National Centers of Academic Excellence in Information Assurance Education and other efforts, including community college programs and training from the private sector, are important, there is currently no coordination between these programs and no strategic focus on national policy and workforce needs.
  • Accountability for cybersecurity will result from compliance activities that are both voluntary and mandated. No one wants more laws or regulations. Nonetheless, there is little dispute that the advance of other social causes was aided by federal or state laws and regulatory requirements. Hopefully, market-based incentives and voluntary efforts will provide the accountability needed to modify both organizational and individual behavior.

The Symposium also provided an opportunity for dissemination and discussion of the EDUCAUSE/Internet2 Security Task Force press release "Cybersecurity Awareness on the Rise in Higher Education."
