Death by a thousand facts: Criticising the technocratic approach to information security awareness

The purpose of this paper is to examine why mainstream information security awareness techniques have failed to evolve at the same rate as automated technical security controls and to suggest improvements based on psychology and safety science.

The concepts of bounded rationality, mental models and the extended parallel processing model are examined in an information security context.

There is a lack of formal methodologies in information security awareness for systematically identifying audience communication requirements. Problems with human behaviour in an information security context are assumed to be caused by a lack of facts available to the audience. Awareness, therefore, is largely treated as the broadcast of facts to an audience in the hope that behaviour improves. There is a tendency for technical experts in the field of information security to tell people what they think they ought to know (and may in fact already know). This “technocratic” view of risk communication is fundamentally flawed and has been strongly criticised by experts in safety risk communications as ineffective and inefficient.

The paper shows how the approach to information security awareness can be improved using knowledge from the safety field.

The paper demonstrates how advanced concepts from safety science can be used to improve information security risk communications.