Editor's Note: M. Angela Sasse is the Professor of Human-Centred Technology and Head of Information Security Research in the Department of Computer Science at UCL. She is one of the speakers for the upcoming EU Security Awareness Summit in London on 10 July. Below she discusses what her talk will be on and what you can learn from it.
This is the 'cat among pigeons' talk of the security awareness summit: I am going to argue that most security awareness we currently do is misguided. Far too often, we are telling staff to follow security rules that put them in conflict with their main work goals and productivity. And when rules are sensible and could be complied with, we just tell them about the rules, but do not support their behaviour change process.
At the summit I will present a new framework resulting from a collaboration between academics from UCL and practitioners from HP and CESG. The Security Behaviour Transformation Framework is based on psychology and organisational behaviour research. To transform non-secure habits, the desired security behaviour needs to become a routine activity employees can execute without thinking. Security hygiene - ensuring that compliance with policies is possible in the context of staff's productive activity - is the necessary first step: 'Never issue a policy that staff cannot comply with.' Once this is achieved, further steps include 1) targeted content to avoid exceeding staff's 'Compliance Budget', 2) clear communication of expectations, and 3) mechanisms for feedback and accountability.
BIO: M. Angela Sasse is the Professor of Human-Centred Technology and Head of Information Security Research in the Department of Computer Science at UCL. Over the past 15 years, her team has conducted pioneering research to understand how humans understand security, privacy, identity and trust online, and how to develop security that supports users' activities, rather than getting in their way. She has published 200 peer-reviewed publications, and is currently the Director of the UK Research Institute in Science of Cyber Security (RISCS) http://www.riscs.org.uk/