Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Security Forum - Oct 22
Kenneth F. Belva

Security Awareness - Not Education - is the Answer

Security awareness and security education are two different things.

In my mind, awareness is a “lighter” version of education. To be educated means one has a deep understanding of something and acts upon that understanding. Awareness, or to be made aware of something, means that one knows about something but may not understand the details of it.

Reading about a recent unsophisticated ATM scam (here, here and here) in NYC reminded me of a trip to London not long ago.

Upon going to withdraw money from an ATM machine at Citigroup in Covent Garden/SOHO London, there was a sign posted on the ATM machine itself making me aware that there were thieves in the area committing ATM fraud (such as here). I also noticed signs in other parts of the city warning of pickpockets.

I was not educated as to how these scams worked in detail, but I was made aware that they were occurring. I took some precautions to make sure I was not duped or scammed.

It seems to me that this should be how we need to treat end users. Make them aware. Conveniently remind them of potential issues and the proper course of action, but don’t expect them to have or gain any real working knowledge of information security.

One Trackback

  1. [...] Just because an end user knows how to use the features, does not mean that they can accurately assess the technological risks. That said, that’s why I recommend awareness more than education. [...]
