Embedding positive security behaviors is essential
Posted on 06 May 2014.
Organizations have spent millions over recent decades on information security awareness activities. The rationale behind this approach was to take their biggest asset – people – and change their behaviors, thus reducing risk by providing them with knowledge of their responsibilities and what they need to do.

The ISF proposes that making people aware of their information security responsibilities and how they should respond is no longer enough. Instead, the answer is to embed positive information security behaviors, which will result in ‘stop and think’ becoming a habit and part of an organization’s information security culture.

The success of behavior change for information security should be measured by a reduction in risk, rather than by what people know or fail to know, and can choose to ignore.

"While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the real commercial driver should be risk, and how new behaviors can reduce that risk," said Steve Durbin, Global Vice President, ISF.

"The time is right and the opportunity to shift away from awareness to tangible behaviors has never been greater. The C-suite has become more cyber-savvy, and regulators and stakeholders continually push for stronger governance, particularly in the area of risk management. Moving to behavior change will provide the CISO with the ammunition needed to provide positive answers to questions that are likely to be posed by the CEO and other members of the senior management team," Durbin added.

"Today’s leaders often demand return on investment forecasts for the projects that they have to choose between, and awareness and training are no exception. Evaluating and demonstrating their value is becoming a business imperative," continued Durbin. "Unfortunately, there is no single process or method for introducing information security behavior change, as organizations vary so widely in their demographics, previous experiences and achievements and goals."





Copyright 1998-2014 by Help Net Security.