Security awareness: a very big buzzword. We all know, and often say, that awareness is the key to security. An organization that is aware is far more likely to be secure than its counterparts. But how far do we take awareness with our audiences? When we address them, we generally talk about what information is, what its security means, which aspects of information we secure, what general controls we have, and what the common or grave mistakes are that one could make and what their possible impact could be.
Well, if we say awareness is directly related to the perception of information security risks, then awareness itself might become another risk, because you are telling your audience what could go wrong, sometimes without realizing that unless you had told them, they might never have learned it, thus giving them a chance to say, "Ah, I didn't know this kind of breach was that simple?"
Let me give you a recent example, not from the information security space but from a larger social ill, which was highlighted by a national daily less than a week ago. The objective was to highlight the pathetic conditions of some illegal trade in the city; however, they ended up publicizing the tariffs, locations, etc., without taking into account that this would now make it known to thousands and lakhs of readers (including the younger generation) who otherwise would never have bothered to find out how easy and cheap it is to avail such services.
Ideally, when giving awareness, one should talk about the dire consequences for the perpetrator rather than limiting it to the impact on the business or organization. I have never seen an awareness session give information about the provisions in the Indian Penal Code (IPC) for dealing with information security breaches and the fines or imprisonment involved. Map your awareness session to the IT Act of India (the sections that relate to the IPC).
Apart from this, we should also restrain ourselves when imparting awareness about common mistakes with grave consequences, or at least take into account the type of audience we are targeting before finalizing the list of such errors. As I said earlier, such a list will become a ready list of possible breaches for a mischievous mind. Giving your audience a perception of risk still remains the best way to tell them what could go wrong.
Another way of dealing with it is to let the level of your awareness material grow over time. One should not end up delivering the same awareness content in periodic sessions but should give an enhanced version of it, since you are now dealing with an audience that is not at level 0 but somewhat more mature.
So the moral of the story is that awareness will always remain the principal control when we talk about information security, but we need to be cautious in how we impart it, especially when we cover the topic of possible breaches and the common mistakes people make, since our objective is entirely different from that of the wolf sitting among the goats in the audience.