Security Awareness For Dummies - Ira Winkler
Motivating users to take action
Awareness professionals naturally want to believe that if they inform a person about an obvious concern, that person will take appropriate action, just by virtue of having received the information. In my experience, this assumption too often proves incorrect. Gaining compliance requires much more effort than simply relaying information. You need a detailed strategy, specific to your circumstances, that involves enforcement and creating a culture in which everyone performs the expected behavior by second nature, as part of their normal job function. (I discuss these strategies in detail in Part 2 of this book.)
Consider how this dynamic plays out in the rest of your life. Most people know that eating healthy foods and exercising can improve their health. In some cases, they even know that they face dire medical consequences if they refuse to eat well. Yet they continue to ignore the advice. Applying this lesson to security awareness, the trick is not to turn people into security experts but to ask them to do a few simple things differently, things that reduce the organization's risk profile substantially and quickly.
BJ Fogg, a Stanford University researcher, developed many widely accepted concepts of human behavior. One of them is the information-action fallacy: the belief that if you tell people what they should do, why they should do it, and how it directly benefits them, they will do it. This strategy doesn't work in fitness, where the consequences fall directly on the individual, and it works even less well in security awareness, where the consequences for the individual are less dire still.
When you implement your awareness program, you must dispel any belief, on your own part and on the part of the security team, that people will follow your guidance simply because you have informed them of an apparently critical issue.