Security training and awareness campaigns too often fail to change user behavior in any meaningful way, putting both the user and the organization at risk. The solution, experts say, is better security analogies.
Information security is an abstract and unintuitive discipline that frustrates and baffles non-technical humans. Attempts to train lay audiences in security best practices commonly involve security analogies that either do not engage and motivate, or that users take too literally.
“The assumption we make is that if we give people information, if we educate people on their roles and responsibilities, people will process that information in a logical way,” says Bruce Hallas, the founder of the Analogies Project, which collects useful security analogies. “This isn’t the case… in the heat of the moment, in a situation they are not familiar with, they will make an irrational choice even though they know they should be complying [with policies and procedures].”
Read more on CSO about why, since humans make irrational decisions under pressure, security training needs to focus on changing behavior rather than merely raising awareness, and how effective analogies can help achieve that.