Promoting Security Awareness is an ongoing challenge in our field. Without a good understanding of Security Awareness and issues, getting appreciation at the senior management level for security issues is a real problem. Security Awareness is critical in influencing business decisions to include (and hopefully fund) security components in every project, protecting the corporate assets from both theft and lawsuits.
Department managers will be more zoned in on budgets and funding, as well as directing their reporting groups towards policy compliance.
People who work on the actual deliverables of the company may be concerned about personal incentives, system uptime, or may be influenced by corporate policies.
Awareness for developers tends to concentrate on secure coding and peaceful co-existence with system administrators who are enforcing policies at a technical level in the datacenter and on desktops.
From a Security Awareness perspective the blanket term “end user” grows to encompass many audiences – not only folks with basic desks and phones, but developers, senior managers, salespeople, engineers, health-care professionals, all kinds of people with different concerns, different goals, and a different set of reasons/excuses for exceptions to one thing or another.
Sadly, even today almost everyone tends to view security concerns as impediments to their job rather than as actions and factors that assist and support them.
The short answer is "it varies".
The best answer that I’ve seen is that we need a toolkit of methods, and for any particular audience we need to dip into that arsenal and pick the 2 or 3 or 5 methods that we think will work best to deliver our message successfully, get the audience to take that message to heart, and see the desired positive change in behavior.
We’ll collect data on this survey and report back in a follow-up diary in a couple of weeks.
=============== Rob VandenBrink Metafore ===============
Apr 7th 2010