By Eh’den (Uri) Biber
Welcome back. Is there an information security sense like there is a sense of smell? Can we evaluate it? Why our normal definition of information security prevents us from reaching awareness? In case you missed the first article, please start there before continuing.
In this article we will look at our senses. After all the definition of awareness is all about being able to notice, and we notice via our senses.
Awareness is the state or ability to perceive, to feel, or to be conscious of events, objects, or sensory patterns. In this level of consciousness, sense data can be confirmed by an observer without necessarily implying understanding. More broadly, it is the state or quality of being aware of something. In biological psychology, awareness is defined as a human’s or an animal’s perception and cognitive reaction to a condition or event. (Wikipedia)
If you would ask people about senses, most people will state the usual five. Some will state an extrasensory perception (ESP) sense, also known as a “sixth sense”. There are Exteroceptive senses such as a sense of pain, a sense of balance, a sense of magnetic field, a sense of temperature, and a sense that allows us to know the position and movement of the parts of one’s own body. There are also Interoceptive senses that are senses which allows us to perceive the state of our internal organs.
There is one more sense that most of us tend to ignore the fact that it is one. It is the called Ayatana in Pali and Sanskrit, and it refers to the mind. The term was coined in Buddhism which see the mind as a sense, and in that sense ( :) ) it is in opposite to the way most of us perceive our mind which is a function that process our senses.
Our brain allows us to be aware, to perceive, to feel, or to be conscious of events, objects, or sensory patterns. In the case of the brain the events are mental events, the objects are ideas, words, definitions, and the sensory patterns are patterns of mental activities. Even though most of us don’t consider our mind as a sense it is actually easy to prove it is one – our culture has assigned expressions to describe brain activities which we sense – a sense of honour, wonder, a sense of doubt, duty, danger etc.
This brings us to the fascinating question: Could there be a sense of information security?
To answer that let us look at what most people can relate to, which is a sense of “information overload”. It means a person cannot understand and/or make decisions due to too much information. People can sense that state, and its existence is sense is heavily used by technology companies with a never-ending feed of information, media organisations and marketing agencies.
Now let’s look at information security.
The definition of information security is …the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction (Wikipedia).
Let’s focus a little here:
The definition of information security is …the practice of defending information
Awareness is the art of noticing, of noticing our senses, yet right now we consider defending of information as a practice. If we want people to be aware we need to perceive, to feel, or to be conscious of events, objects, or sensory patterns. If we want people to be aware of information security we need them to sense it.
This means that in order for information security to be successful we need to move from a definition of
…the practice of defending information…
to a definition of
…the sense of defending information…
Why does it even matter? It matters because before you can practice your senses you need to feel them. You can practice your sense of touch only after you experience it. If you’re blind, how can you practice seeing with your eyes?
By approaching information security as a sense we can also explain why it is so easily overwhelm by other senses. After all, our senses are a result of our experiences, some of which are transferred to us via the life experience of generations and species that came before us, and they are much stronger in grabbing our awareness.
The first task of an information security awareness training is to help people develop a sense of information security, then to work with them and help them to be aware of that sense, and then to assist them to develop an ability to respond with ability when they are aware of information security.
I do understand that what I am suggesting here means a very different approach to information security, one which requires us to re-think and re-feel what we do. But hey, I didn’t call this series “the desolation of awareness” for no reason ;)
 – I received a comment on the article that made me realised that perhaps the reason we never looked at information security as a sense is because senses relates to feelings, and with an IT crowd which is overwhelmingly dominated by male population who simply LOVES to talk about feelings (NOT) it is no wonder we moved directly to practice. Technology is a great way to avoid feelings, not only the feelings of others but especially ours. And no, I’m not pointing fingers, I’m as guilty as everyone else :)
This leads us to another minefield which is measurement of senses.
How can you measure a sense of information security? If you wish to understand the state of information security awareness in your organisation, ask your users to tell you how they feel about information security. Not think, feel. Use open question here, allow them to reply in their own words and allow them one other option they can choose which will be “I don’t know” (please do not try to help them by providing them multiple options). Since we are in the age of twitter limit their reply to 140 characters.
Analyse the responses. How many of them are statements without any feelings (such as “it’s important” or “it protect us”)? How many statements reflect a negative emotions (such as “It’s frightening”)? How many statements are positive (such as “I’m feel confident”)? How many combined both non-feeling and feeling? How many replied with “I don’t know”?
People who have replied only with a statement without any feelings do not have a sense of information security, and they have not assigned an emotional state to it. Most likely they think they have one. These people can and would be manipulated as they will not sense a change when an information security related object will occur. People who are answering with a reply that represent a negative emotion already have an association of information security to other senses. Try to identify the sense, usually it relates to a sense of pain, or a sense of suffering. This means that in case of an information security related event these people will not have the ability to operate in a way that will allow them to respond with ability as they will be operating in fight/flight mode. People who replied with positive statements should be evaluated, as this might indicate that they already developed a sense of awareness to information security and that they feel confident to use it. If you are not afraid of the sense of fear it allows you to operate even when you are afraid, if you are not afraid of the sense of touch it allows you to experience touch, if you are not afraid of your sense of information security you will be able to experience it. This group of people can be great candidates to become an information security ambassadors/champions in your organisation.
Finally – those who replied with “I don’t know” have no sense of information security but at least they are honest about it!
My next article in this series will be about… well, try to sense it and tell me what you feel :)