Kenneth F. Belva

Security Awareness – Not Education – is the Answer

Security awareness and security education are two different things.

In my mind, awareness is a “lighter” version of education. To be educated means one has a deep understanding of something and acts upon that understanding. Awareness, or to be made aware of something, means that one knows about something but may not understand the details of it.

Reading about a recent unsophisticated ATM scam (here, here and here) in NYC reminded me of a trip to London not long ago.

Upon going to withdraw money from an ATM machine at Citigroup in Covent Garden/SOHO London, there was a sign posted on ATM machine itself making me aware that there were thieves in the area committing ATM fraud (such as here). I also noticed signs in other parts of the city warning of pickpockets.

I was not educated as to how these scams worked in detail, but I was made aware that they were occurring. I took some precautions to make sure I was not duped or scammed.

It seems to me that this should be how we need to treat end users. Make them aware. Conveniently remind them of potential issues and the proper course of action, but don’t expect them to have or gain any real working knowledge of information security.

One Comment

  1. Janet Feb 19, 2011 at 6:38 pm | Permalink

    I hope in the time since this article was written that the author’s view has matured. Simple comments to make someone “aware” of pickpockets in the area might be enough to enable someone to guard against becoming a victim ….because pickpockets have been the subject of discussion in literature, news, and other forums for decades. The education was done through that very long process. But to think that increasing awareness about computer security or privacy with equally simplistic remarks like “stay safe online” is naive and dangerously inadequate. That message and other simplistic platitudes have been bandied about for a long time, but with little (if any) discussion or detail. As we know from the proliferation of children, teens and young (and not so young) adults who are victims of identity theft, fraud, stalking, and grooming/luring, the education has been lacking and mere ‘awareness’ is not enough. If it were, then saying “stay safe online” would have been enough to guard against the many crimes and scheme perpetrated online.
    And please don’t think that it’s up to “the government” to do something about this. “The government” is only a group of individuals who are equally ignorant of it all; so leaving it to them to teach, legislate, or set standards about something they’re clueless about is even more dangerous than doing nothing. They might intend to improve things, but their ignorance all too often translates into laws that are needlessly cumbersome, unworkable, and create more problems than they resolve.

One Trackback

  1. […] Just because an end user knows how to use the features, does not mean that they can accurately assess the technological risks. That said, that’s why I recommend awareness more than education. […]

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*