Unlocking Security Awareness: The Foundation of Effective Cyber Protection
In our Cybersecure course we put significant energy into the “why” behind the “what” of security. The reason for this is simple: we are more likely to take an action (or not take an action) when we know why. A rule without a reason is more often broken.
In the book Security Awareness Design in the New Normal Age, Wendy F. Goucher writes, “without understanding the ‘why’ of a particular policy or practice, staff may choose to ignore it… presenting a security risk in the process.” When we talk about security risks, we must consider the risk that people will not act in a secure manner. The only option we have to reduce this risk is to ensure that they are properly educated in security awareness concepts.
The author goes on to say:
So, making staff aware of security means not only educating them about the kinds of security in place but their role in it. There is no use in providing half of the information when people need to understand the why as well as the what. They need to understand the risk or threat and what they must do to recognize how important their own actions are in maintaining that security. This is traditionally achieved through formal, scheduled training: where a designated person takes on the role of communicating important rules and guidelines to staff in order to inform and empower them to work in a way that protects sensitive information.
You, the user of information technology and systems, are just as important to security as the security specialist within the organization. We cannot secure an organization without the assistance of the users of the systems within that organization. You play a very important role.
Strategies for Unveiling the ‘Why’
Here are three suggestions to help you understand the “why” behind the “what” in your specific organization:
- Ask the question: Don’t be afraid to ask why a particular rule is in place. Make it clear that you want to understand the importance of the rule and to follow it in the right way, so that it actually produces the security it was meant to.
- Research the situation: Take the time to read about the importance of a particular rule or guideline. Search for things like “why does a good password matter” and “how can encryption help to protect my information.” Many software companies provide excellent materials on these topics. In addition, the CCyBP course provides the why behind the most common security practices companies require of their employees.
- Understand the context: This means knowing what kind of information you are working with in the systems you use. Do they contain customer information? Do they contain sensitive trade secrets? Do they contain private employee information? These are just a few examples of the kinds of data to which you might have access, and answering these questions begins to reveal the importance of protecting that data.
Practical Steps: How to Embrace the ‘Why’ in Your Organization
In the end, it is up to you to ensure that you know the “why” behind your organization’s security policies and procedures. And, more often than not, when you understand the “why” you will be more likely to remember to do the “what” every time.
Safeguard Your Business, Secure Your Success: Equip Yourself with AACSP’s CyberSecure Skills.