If you are like most infosec professionals, you probably have to evaluate the security awareness training program that will be used in your organization. These training programs are important, and more recently, they are required in many regulated organizations.
Perhaps your security awareness training is “home grown,” or perhaps you use a training program offered by one of the many third-party training companies. There are many excellent security awareness vendors, and I am not going to endorse any specific product. I find them all worthy of evaluation to see which one fits best with the culture of your organization.
Whenever I introduce a training program, I find it surprising that the greatest resistance to the training originates from the IT staff.
Why is it that the folks who are responsible for much of the cleanup in the wake of a cybersecurity event seem to treat the training with haughty disdain?
In psychology circles, this is a problem known as “availability bias.” The knowledge that we already have available about a topic clouds our judgement. Some of my more zen-minded friends refer to it as the problem of “clarity.” (Those zen masters always have a touch of cynical humor in their observations.)
Availability bias occurs when we become so familiar with a subject that we think that we know all there is to know and it no longer merits our strict attention. This problem is not limited to the infosec profession. It happens in all occupations. Unfortunately, this disregard for reinforcement of the basics can sometimes lead to problems.
Are you an amateur musician, golfer, chef, or other hobbyist? Think of every teacher or coach from whom you have sought advice about taking your performance to that next level of perfection. They always start with a review of
This is a Security Bloggers Network syndicated blog post authored by Bob Covello. Read the original post at: The State of Security