John Colley (Global) - Bolstering Cyber Defenses with Public Education and Awareness

Governments are waking up to the fact that the public they serve requires new instincts for a digital age. Everyone must learn to avoid risk in a fast-developing new environment as they rush to take advantage of the opportunities on offer. Given this, we are seeing an encouraging trend toward public investment in programs to create public awareness of new threats and tactics for dealing with them. To get the most out of this investment, it must be recognized that the objective goes beyond awareness to motivating a significant change in behavior and attitudes across society. The challenge can be likened to other public safety initiatives, such as the effort to eradicate drink driving, which continues to require attention despite more than a generation of public investment.

Assessing the task ahead begins with a review of the desired objectives. At least part of the interest for government is self-serving: the move of services and citizen interactions online is expected to ramp up as cut-backs and austerity measures take a bite out of public spending generally. Beyond this, there is growing recognition of our economic dependencies on a secure online business world. The United Kingdom, for example, in its Cyber Security Strategy released last month, recognizes that the Internet drives prosperity, accounting for 21% of the country’s GDP growth and 6% of overall GDP currently, nearly twice the average across developed economies. Clearly the need is to ensure a safe environment for business, and this includes ensuring everyone recognizes their responsibility in that task.

Despite the increasing commitment to public awareness, the effort has only just begun. Returning to the UK’s Cyber Security Strategy, which offers a fairly advanced view of how governments are tackling this challenge, we find a commitment to investing in online web resources for individuals and small business, along with the intention to exploit new media such as social networks to reach people with their message. While laudable, this only scratches the surface. It is also light on detail, with little insight offered into how much investment would be made available for the campaigns, how long they would last or how they would be implemented. Clearly more thinking is required.

Developing secure instincts for a digitally-dependent society requires a multifaceted approach that calls on resources that are available from key stakeholders, including business, law enforcement and various levels of government. The profession too, which has been developing campaigns and programs in this area for some time, will contribute significantly to the effort. Its members have an inherent passion for tackling the issues because they know that getting the public to act responsibly would result in fewer unsecured computers and mobile devices, greatly reducing the opportunity for (and therefore amount of) cybercrime. Public awareness represents the front line of the professional’s core objective.

Encouraging individual accountability for their own security will require:

•    A comprehensive crime prevention strategy, akin to the campaigns conducted by crime prevention officers that teach people how to secure their homes against break-in.

•    A highly visible and sustained public service campaign designed to encourage change in attitude and behavior, by making people aware of the risks and where to go for help.

•    An easily accessible and well recognized repository of information and tools to both advise and support people as they become motivated to manage their risks.

•    Access to expert advice, either through community outreach programs or more involved public services that can help small businesses in particular upgrade security measures to a basic level.

The effort will call for differentiated messages and communications channels for different age groups and strata of society. We cannot assume that one size will fit all. Here again the instincts of the security professionals who are on the front line every day are invaluable. At (ISC)2 we actively shared our knowledge by supporting member volunteers in their efforts to reach thousands of schoolchildren with our Safe and Secure Online Program. Many members have expressed the desire to expand the outreach across society.

I cautiously congratulate the growing public commitment to enhancing public education and awareness. However, I fear complacency may set in if they develop a false sense of security in outlining a few cursory measures. It must be recognized that we are still in a very immature phase when it comes to security awareness. The generic program delivered by online campaigns will not achieve the objective.

That being said, government should not be alone in this mission. There is great will from professionals, corporations and other stakeholders, many of whom have already made an effort to offer strategic insight, do volunteer work, develop materials, and support varied campaigns.  Clearly this represents a significant resource to tap into.

This article is the final in a series of three articles by John Colley, CISSP, Managing Director, (ISC)2 EMEA. (ISC)2 is the largest membership body of information security professionals, with 80,000 certified members worldwide, and the administrator of the CISSP®.

