The effectiveness of an information security program ultimately depends upon the behavior of people. Behavior, in turn, depends upon what people know, how they feel, and what their instincts tell them to do. While an awareness training program can impart information security knowledge, it rarely has significant impact on people's feelings about their responsibility for securing information, or on their deeper security instincts. The result is often a gap between the dictates of information security policy and the behaviors of our people.
One sees this phenomenon every time an employee opens an unexpected email attachment from a friend. They may not really care about the possibility that the attachment carries a virus; or they may care, but their instincts are not finely enough honed to intuitively recognize the threat.
This paper originally appeared in Information Security Management Handbook, Fifth Edition, Volume 3, edited by Hal Tipton and Micki Krause, Auerbach, 2006.