Developing a Security-Awareness Culture - Improving Security Decision Making

CIOs, managers and staff are faced with ever increasing levels of complexity in managing the security of their organizations and in preventing attacks that are increasingly sophisticated. As individuals we are subjected to enormous amounts of information across broad ranges of subjects, including security policies; new technologies, patches and threats; and, new sources of information. As the environment continues to become more dynamic the process of making good security decisions is becoming more and more challenging. The answer lies in creating security-aware cultures in our organizations. This paper proposes that creating security aware cultures is dependent on improving how individuals make security decisions. Awareness of our decision-making processes as security practitioners can help us make better decisions in these uncertain conditions and help promote security-aware cultures in our organizations. Key to doing this is in understanding the process of how we really make decisions and what factors in the process may impair our abilities to make good security decisions for our organizations. This paper examines important facets of individual and group decision-making and provides prescriptive guidance on how we may improve the quality of our decision-making processes, leading to better security decisions.