Are we there yet? …Breaches, Shootings, ID Theft…When will the madness end? We need to know!
What’s interesting to me is the difference between what we think we need now, and what will help us get to a better place. The questions we ask may be what determines how soon we get there. (Deep, I know, but there is a simple point I’m leading to.) To paraphrase Bruce Schneier, we shouldn’t worry too much about the bad things in the news because they hardly ever happen… that’s why it’s called NEWS.
If we had a better security awareness model, we might start asking better questions. Many of us spend time worrying about becoming a victim of whatever spectacular risk is making the news. We find it interesting to recount the details with friends and make predictions, but our more pressing risks are hardly ever talked about. Few people seem to understand how to prioritize their risks. We won’t make much headway, as a society, in the battle for control over our computers, workplaces, schools, etc. until the majority of us figure out some basic principles.
The reason I say “the majority of us” is that many of today’s risks exist because not enough of us know how to manage risk. We don’t all need to be risk managers, but effective risk management depends heavily on the general awareness of the population, specifically awareness of the “best practices” that reduce risk. Awareness is often cited as an essential part of Security Management, but I believe it is still the weakest link. It doesn’t get much mention in the press because there aren’t many technologies or new developments that make it newsworthy.
In Malcolm Gladwell’s book “The Tipping Point”, I see some interesting clues as to how we can approach security awareness with an expectation of success. The basic premise is that “social epidemics” (sometimes called fads or trends) share many characteristics with biological epidemics, and we can learn from that. Specifically, there are conditions that make it more likely that a social epidemic will spread as an identifiable trend.
So, if we want to raise the level of security awareness within a population, an enterprise or an institution, we can apply some of the observations from The Tipping Point by doing the following:
- Identify the people who know the most about security, and who stay up to date on it (the Mavens)
- Identify the people who have regular contact with many different groups within the population (the Connectors)
- Identify the people who have the skills to articulate the benefits of security awareness to subsections of the population, adapting the generic benefits to each audience (the Salespeople or Persuaders)
- Have the Persuaders formulate targeted, “sticky” awareness messages from the Mavens, and communicate them to the Connectors, who will accelerate the message through the parts of the population they come in contact with
OK, it may sound complicated, but it can be applied systematically, and at any level of society. I am not the only person who has noticed this possibility. (See Joe Knape’s post “What We Have Here is a Failure to Communicate” on the Security Catalyst blog.) But I am surprised that more people haven’t explored the idea further.
The simple premise is that once you find a systematic way to bring a compelling, or “sticky”, message to the right individuals in a population, the tipping point can be reached and an “epidemic of awareness” becomes much more likely. This would make a security manager’s job much easier on a daily basis. Together with the right feedback mechanism, it can be sustained as people see that their “best practices” are making a difference. Then individuals will have more confidence in where they need to be (in terms of prioritizing risks), and we will all get much closer to where we should be (in terms of total security posture or exposure to risk).
If you have any ideas on how this model might already be working for security awareness, please let me know. If not, please read “The Tipping Point” and then send me your comments.
NOTE: When you do a Google search on “Tipping Point” together with “Security”, you will find many hits on a company by the same name that sells computer network security equipment (I believe they were acquired by 3M not long ago). It’s not hard to imagine an eager Product Marketing Manager thinking “Wouldn’t it be a great name for a solution which, once it reaches a threshold of deployment, could spread everywhere and save the world?” Yes, it would be. Sadly, however, the answers to the questions we are asking do not seem to be coming out of technology, but they may be found in sociology (if we’re lucky).


Security Views » It’s not that you can’t trust them, but… on 13 Mar 2007 at 7:28 am
[…] Scott on 13 Mar 2007 Like it or not, the sad reality is that the insider threat exists in virtually all organizations. Given the right set of circumstances, almost anyone can yield to temptation. In my view it takes a combination of Policies, Awareness, Risk Analysis, Preventative and Detective Safeguards, Audits and Sanctions, as a minimum, to be able to say you have done any kind of due diligence in securing your organization’s information. Take any of the recent daily news stories (as they start to become non-News), such as the Texas baby kidnapping, or the Tampa airline firearms smuggling… The insider threat comes in many different scenarios, some of which may not seem to be insider-related. For example, […]