A model to reduce information security risks due to human error

Anup Narayanan

Let us assume that a person knows all the driving rules. But does knowing all the driving rules make that person a better driver? This is exactly what is wrong with the way organizations manage the “HUMAN” aspect of information security. Organizations are smart enough to know that the “human” aspect of information security is important, but they focus only on “AWARENESS” and not on “BEHAVIOR”. The end result is that they have employees who know the “security rules” but do not apply them, or actively break them. This proposed talk shall focus on the following:

  1. Introduction to the problem: Focus on “security awareness”, not “behavior”
  2. Real-life case study of why a US$100,000 “security awareness” project failed
  3. Solution to the problem:
     a. Defining ESPs (Expected Security Practices)
     b. Dividing each ESP into “awareness” and “behavior” components
     c. Awareness creation strategies: clarity, visibility, impact visualization, using psychology
     d. Behavior motivation and enforcement strategy
  4. Real-life case study of “success” in behavior change

The talk is modeled on the open methodology HIMIS (Human Impact Management for Information Security) authored by Anup Narayanan. To know more about HIMIS, please visit www.isqworld.com/himis