Security awareness is becoming an ever more important issue in modern systems, networks, and organizations. With the proliferation of the Internet of Things (IoT), which is the interconnection of things with each other, internal systems, and possibly the Internet, it is becoming more important than ever. In the past, concern over the security of physical systems was mostly a problem for industrial environments that used Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) systems, and similar devices and systems. Today, nearly every corporation has a smart something. It may be lighting systems, HVAC control, building monitoring, or any number of other systems. In addition, these organizations still have the traditional computing devices such as laptops and desktop computers, as well as newer devices like tablets and mobile phones. With this proliferation of connectivity, security awareness has become increasingly important.

The Essence of Security Awareness

So, what is security awareness? Well, it is the combination of the words security and awareness. But two combined words do not always result in the meaning one might infer from them. Does the first modify the second? Does the second modify the first? Or do they combine to form some unusual or esoteric meaning? Let me start by providing a definition of security awareness and then discussing how we arrive at this definition.

security awareness: noun phrase
[si-ˈkyu̇r-ə-tē ə-ˈwer-nəs]

the level of possessed or demonstrated realization, perception, or knowledge an individual or group possesses in relation to the current threats and vulnerabilities within the current environmental context

You see, awareness is simply "the quality or state of being aware" (Merriam-Webster), and to be aware is to have "realization, perception, or knowledge" (Merriam-Webster) of any action, inaction, person, place, thing, or idea/concept. However, in the context of security awareness, one is not simply either aware or unaware. Instead, one has some level of awareness. Therefore, we must modify Merriam-Webster's definition of "having or showing realization, perception, or knowledge" to become "the level of possessed or demonstrated realization, perception, or knowledge."

Measuring this awareness is crucial for both individuals and groups. For example, if a group of ten individuals have access to the same information on the organization’s network and nine of them have strong security awareness levels while one of them is oblivious to active attacks, that one individual brings the group’s security awareness down to that individual’s level. The group’s access to resources is only as secure as its weakest individual.

Now, on the security part of the phrase, we are constraining the awareness of which we speak. We are not concerned about general awareness, but about specific awareness related to the security of our systems, networks, and information. Therefore, our definition constrains the awareness to that related to the current threats and vulnerabilities within the current environmental context. Two important factors of this latter portion of the definition must be considered: 1) current threats and vulnerabilities, and 2) current environmental context.

Factors Influencing Security Awareness

The current threats and vulnerabilities are identified from both technical and non-technical perspectives. From a technical perspective, the current threats are those being experienced now (not in the past or the future). This might seem obvious, but it is not well implemented in many security awareness programs. The same is true of vulnerabilities. To maintain knowledge (a component of awareness) of current threats, one's mental information base must be updated regularly. This means that a good security awareness program starts with effective foundational training but is supplemented with ongoing information provided to the user community. This can be accomplished with notifications, emails, printed memos (yes, they are still used in some organizations – particularly for critical communications – and are often coupled with emails), and organizational employee newsletters. Concepts and principles related to security remain very consistent over time, but new systems and technologies introduce changes in practical realities year-by-year or even day-by-day, along with the discovery of new attack methods.

From a non-technical perspective, current threats and vulnerabilities will only be discovered by those who want to discover them. This factor comes down to motivation. Do employees have the motivation to stay informed about current threats and vulnerabilities? To help them acquire this motivation, they need to see what's in it for them and not just for the organization. Part of this is managed under the typical employee morale programs that most HR groups implement. The security awareness program managers themselves can manage another part: building an understanding in individuals that the security awareness they develop at work provides benefits in their entire life. In our CyberSecure course, we remind participants of this several times so that they understand the value of the knowledge and skills they are acquiring. This value is for them and for their employer.

Finally, context changes everything. This is because the environmental context changes the threats. When you are in a public location, like a coffee shop/bar or an airport terminal, threats exist that do not exist in the work office. For this reason, individuals must raise and tune their 'security antennas' to additional 'frequencies' when in public locations. They must be alert to shoulder surfers (individuals looking over their shoulder or from other angles to see their screen(s)), the more common in-person social engineering attacks, malicious wireless networks, and more.

Therefore, security awareness, in the context of cybersecurity, is the level of possessed or demonstrated realization, perception, or knowledge an individual or group possesses in relation to the current threats and vulnerabilities within the current environmental context. When security awareness is coupled with security skills or abilities (the knowledge required to use security controls, such as passwords, encryption, physical locks, etc.), overall security increases. The security awareness provides the motive or energy to enact the abilities.
