Thursday 10 December 2009

Security awareness research

Thanks to a link posted to an email reflector, I've just stumbled across a 2006 PhD thesis that examined a number of approaches to information security awareness in order to develop design guidelines for awareness programs and activities. The research was mentored by Professor Mikko Siponen, leader of Oulu University's Information Systems Security Research Center in Finland. The thesis, "A design theory for information security awareness" by Petri Puhakainen is well written. As usual for a scientific PhD thesis, it starts by briefly reviewing existing literature in the field of information security awareness, then goes on to present the author's research experiments, findings and conclusions.

The thesis uses cognitive theories on how learning and behavioural changes are understood to occur to evaluate common awareness practices. For example, "Communication is presented as a continuous process where the parties should take turns and create information to be shared, interpreted, and reinterpreted until a sufficient degree of mutual understanding and agreement is achieved to enable collective action. The outcomes of the communication process are social (mutual understanding, agreement, and collective action) and individual (perceiving, interpreting, understanding, and believing)." (page 78).

As I read it, Petri (in common with many others in this field) often confuses 'awareness' with 'training', for example discussing a research case involving quite narrow training on the use of encryption for confidential email as a security awareness exercise. To my mind, awareness is intended to achieve a generalized appreciation or understanding of information security throughout the enterprise as a whole, while training is intended to focus on a specific problem area or development need for specific individuals or teams. Awareness aims to change employees' behaviour in quite subtle but broad ways (cultural development), while training aims to change employees' behaviour more overtly under quite specific circumstances (personal development). These are quite distinct aims that are usually satisfied by different teaching/training and motivational/awareness methods.

By stating "At least in large organizations, it is not possible to aim at mutual understanding by engaging all employees in the conversation process. Such approach would be expensive and slow, making [it] unfeasible." (also on page 78), Petri arguably misunderstands the value of broad-based enterprise-wide security awareness programs that inform and engage employees throughout the corporation but without the expense normally associated with classroom training sessions.

All arguments aside, the previous two paragraphs hint at the value of reading Petri's thesis in depth, exploring the many embedded references and thinking critically about what the author presents. As an information security professional with more than two decades' experience and a penchant for both academic and pragmatic writings on the subject, I'm delighted to have learnt new things and found useful new references in the thesis. Good job Petri!