How to build information security awareness

This blog only exists because information security awareness is important, if not indispensable. Mankind is and will remain the “key actor” in the information system. The human being will also remain its weakest link if we do not take the necessary actions.

And we have to act fast because, in our increasingly virtual world, humans sink into the background and even seem to disappear.
No, technology isn't everything: without people, it would not only be impossible to run, it would simply not exist at all.

The role of the human being

The human being holds a non-negligible role in the information system. Not only are humans capable of memorizing, handling and communicating information – and of writing – without the need for electricity, but without them there is no technology. It is human beings who decide what to do with what technology produces.

We need someone to conceive, draw, build, install, operate, use, maintain, update, move and throw away technology, and to manage information, be it hardware, software or information processes.

If technology doesn't contain the indispensable quality and security elements from the moment it is conceived, there is little chance that what it produces will meet our expectations, or that it will be able to keep producing in adverse conditions.

The ‘functions’ of humans

Humans, in their interaction with information and the information system, have three basic functions.

They are users. They read, listen or feel information. They manipulate technology and operate the security solutions. Everybody has this function, even the two other groups.

They are managers, administrators, controllers or designers. They have a specific function in relation to information and information flows, or to the components of the information system. They may also have a function with regard to security, its mechanisms and its solutions.
We all know there are several levels in this function and that grouping objects is frequent.

They are decision makers, owners, investors in the information system and its security. This function controls all the others.

We also note that any private person performs all three functions simultaneously: everything rests on one single pair of shoulders.

The need for awareness and training

People should be made aware of their fundamental role in security throughout the whole information life cycle, as well as the life cycles of the business process and of the technology.

Each function has its own objectives, messages and means for security awareness. And, in organizations, a complete programme is needed for each.

We should:

  • Make aware: bring knowledge (Know).
  • Train: give techniques that allow people to Do (know-how) and, possibly, to train others on what to do and how to do it.

This very blog is aimed at everybody. Hence, you will find a bit of everything. Sometimes it is technical, sometimes theoretical, sometimes lighter (at least in my perception).

The final goal of a security awareness programme – and my ambition with this blog – is to create a 'security culture': to motivate you, to give you the desire to apply what I tell you. As soon as it becomes a habit, your 'behavioural skills' will be activated.

Awareness helps you to (1) increase your knowledge (Know), (2) lead actions (Do) and (3) decide on solid ground (Be) with regard to your information and its protection.
It's the very aim of information itself. So we're back to square one…

Your awareness experience and your specific questions are useful for everyone. Let them be known by completing the message below.

See you soon, safer with your information

Jean-Luc
