A New Way to Build Security Awareness ISF's Durbin Describes Risk-Driven Approach
A New Way to Build Security Awareness
Steve Durbin
Embedding some information security practitioners within business units could help improve IT security awareness in many enterprises, reducing security risk, says Steve Durbin, global vice president of the Information Security Forum.

Several forum members have transferred some of their IT security professionals into business units. That way, Durbin says in an interview with Information Security Media Group, IT security pros can gain a first-hand understanding on how their work has an impact on business operations.

And conversely, that helps non-IT security managers and employees to gain better insight into the importance of adopting information security practices. "Security isn't viewed as a necessary evil, an add-on," Durbin says. "But, it can be viewed as something that is integral in the way that you go about doing your business."

The forum recently issued a report, From Promoting Awareness to Embedding Behaviors, that addresses how organizations can change employees' and stakeholders' behavior to improve IT security awareness. The group's research identified four requirements for getting employees to better practice safe security by:

  • Developing a risk-driven program;
  • Targeting behavior change;
  • Setting realistic expectations; and
  • Engaging people on a personal level.

Durbin says that many organizations have found that investments to build security awareness have not paid off. "What we've seen is trying to put a dollar value on security awareness improvements has proven to be very, very difficult for a large number of organizations," Durbin says.

"A lot of organizations have no compliance activities that fall under the general heading of security awareness," he says. "The real commercial driver behind all of this should now be risk and how new behaviors can reduce that risk.

"So, what we're looking to do is to say, how do you embed what we term 'positive-information-security behaviors,' which will result in 'stop and think' becoming much more of a habit in an organization's information security culture, and then measure the success of that behavior change."

In the interview, Durbin:

  • Provides examples of how organizations take the risk-based approach to security awareness;
  • Explains how to get people to change their conduct toward IT security through behavioral, cognitive and neuro psychology; and
  • Outlines how chief information security officers and others within the enterprise should collaborate in implementing a risk-based information security awareness program.

An independent, not-for-profit organization with members from some of the world's leading enterprises, the Internet Security Forum investigates, clarifies and resolves key issues in cybersecurity and risk management by developing best practices.

Business growth strategist Durbin joined the forum in 2009 after a three-year stint as chairman of the DigiWorld Institute, a British think tank comprising telecommunications, media and IT leaders and regulators. Durbin also spent seven years at the IT advisory service Gartner, where he served as group vice president worldwide.

Around the Network