Information Security Training And Awareness – Paradigm Shift Required?

I’m not an information security professional and neither am I a qualified teacher or trainer, but I do have a passion and interest surrounding the topic of enabling people to look after themselves, be that at home (or on the go with their mobile devices) or within their workplace.

Helping people stay secure, or keep their company’s assets protected, is both challenging and rewarding at whatever level you are operating at.

But should it be so?

Should increasing awareness and training people to a certain level even be an issue? I don’t think it should but, of course, the truth is that an awful lot of people are quite clueless when it comes to securing devices and information.

Why is that?

A good point I picked up from the RANT Conference that I attended yesterday (from Mark Stevenson’s talk) is that our technological progress as a species is advancing at an exponential rate. The security role, however, is not.

And I’m not just talking about security professionals here – the general populace is moving into the digital age at a rate that they, frankly, cannot handle, at least not from a security point of view. Our children are picking up new devices almost every week it seems and their natural inquisitiveness allows them to do great things with them that will push the boundaries even further for the next generation.

And that’s great.

But who is tempering this advancement with the sound voice of reason? Who is putting controls into place that will allow us to advance in a responsible and secure manner? And how are we teaching our children and employees to use these new gizmos in a way which doesn’t leave themselves and our organisations exposed to ever increasing risk?

Something to think about eh?

Traditional teaching

Teaching is a profession that is always evolving – I know that the education my children are currently receiving is considerably different to the one I experienced back in the day when the world was still black and white.

There are many good teachers out there, doing a sterling job in school classrooms in return for what some may say is poor pay. But there are also some very poor teachers – working for a government-run organisation always seems to lead to a level of job security that would never be seen in the private sector for some reason. And then there is the curriculum – if security training and awareness isn’t on it then it is highly unlikely to be taught.


And in the workplace the same is true again. There are great trainers and poor trainers out there, as well as good and bad security professionals. Then there are the good information security practitioners who are charged with training but that isn’t what they signed up for – they have the knowledge for sure but they may not have the communication skills required to get the message across in a format that their students will fully grasp.

That’s why CBT (computer-based training) courses still seem to be the de facto means of getting the message across within business.

Or at least it has been in my experience.

Or, should I say, previous employers have used CBT as the means of teaching me and my colleagues such thrilling topics as retail law and health and safety – security isn’t actually something that any of the companies I’ve previously worked for have paid any consideration to whatsoever as far as I can tell.

Have you ever taken a CBT course? At a previous job we had to work through the same two packages once a year, every year. Nothing ever changed and the answers were all the same. Heck, I even had to sit there when my team took their tests – I well and truly memorised all the answers to the point where I could say the answers were A, A, A and C, B, etc. without even being anywhere near work! As to the questions, I dunno, I lost interest in those years before.

So how effective is CBT learning in your place of work? Do you take it seriously? Do you learn anything from it? Do the people who struggle with it just get someone else to do it for them in order to get signed off (and, yes, that does happen in many workplaces)?

I would suspect that the majority of people who undertake CBT courses relating to security are uninterested in the topic and totally lack the motivation to learn from staring at a screen.

CBT is boring.

And that’s much like the traditional classroom environment in many cases too. I’m sure we’ve all been to meetings and training courses where someone stands up and monotones us to death. It’s boring as sin and a cue to start daydreaming. Learning does not occur.

Alternative means of getting the message across

So we need to educate and raise awareness in different ways don’t we?

I know some people already get that, either in part or in full.

For instance, the Data Dealer game I wrote about not so long ago may not be the de facto means of teaching privacy awareness but I guarantee that it will be a far more effective tool than the traditional teaching methods that I mentioned above.

It’s a game first and foremost, and a relatively simple one at that. But it does appeal to a wide range of people – I like it, older friends like it and the kids I’ve told about it like it too. After playing they may not suddenly have become privacy gurus, and likely never will. And they may still give their data away too cheaply, but they certainly realise afterwards that they shouldn’t have.

And that’s a step in the right direction, learned through a lesson that was different and, above all else, fun.


Another way of getting the security message across is via storytelling.

If you’ve read this blog for any length of time you’ll know that I’m a keen supporter of The Analogies Project – I’m absolutely convinced that it will be huge one day soon – and the way that Bruce and the other contributors use non-security stories to get a security message across.

It’s an appealing method of spreading a message and raising awareness because everybody likes a good story, right?

It’s all about the delivery method – a story is something that our brains will retain for far longer than a monotone speech or a poor CBT course, that’s for sure.


Then there is the use of video. Again, this is an alternative approach that is inherently more effective because it appeals to more than one of our senses at a time.

Seeing and hearing the message at the same time probably doubles the chances of retention, I would imagine. If you can then add some humour into the mix, like Javvad does, then you can probably ramp the retention rate up even higher.

[Embedded YouTube video]

Start young

So, and this is only my opinion so you’re free to disagree totally, I think the key to training people in security is to use delivery methods that differ from the currently accepted norms.

That’s not rocket science though – other industries already do it well – but security needs to catch up. It’s an industry that moves far quicker than most – the landscape almost seems to change daily – but the means of spreading awareness and educating are not keeping pace by any means.

But is there a better way yet?


I think there is, and it’s obvious too. Here in the United Kingdom, just like every other country of the world I would hope, we want to be the best. We want to be the leaders, or at least in the leading pack, when it comes to the digital age. And if we really want to realise that ambition then we have to start young.

Our educational futures are defined more by our childhood than any other period of time in our lives I believe. Sure, colleges and universities can teach us depth of knowledge, but our core set of skills, such as learning potential, are developed in nurseries and primary schools. The things we learn at this age are never forgotten.

So why can’t we get the security message out to 5 year olds? If it’s presented in the right format then we can begin our children’s security education today. How great would it be if they reached adulthood and the workplace forearmed with the basics that many of our generation seem to lack?

I mean, c’mon, how can we live in the 21st century and still have grown men and women opening up email attachments from unknown senders? That’s so basic, and points to a failing in the education system at large rather than the infosec industry, doesn’t it?

How much money would organisations save if they didn’t have to teach adults how to act in the most basically secure ways? How much time would be saved? How many security measures would become redundant when the workplace comes prepared against stupidity or lack of common sense?

I really think the future of security training and awareness lies in the way we prepare our kids from the first day that they touch a computer, tablet or whatever the latest new device may be.

And it can be done – just ask Wendy Goucher what she has done with children in the Middle East.

For now though it seems early awareness just comes from the odd company popping into a school every now and again – and I’ve only heard that from Bruce Hallas – I’ve never actually heard of it from my own children, who are all still in the education system themselves.

Heck, my eldest two give advice to their teachers about their bad security practices.

Blame me for that!

So when will we change the system? When will we put security at the forefront of everyone’s minds and everything that we do? How will we educate in the future so that the message is put out there and bought into by everyone in this country and on this planet?

Or do we not need to do anything? Am I getting riled up by this topic for no good reason? Tell me!

images: US Navy, (c) CC-BY-SA, The Analogies Project, Lupuca

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.

