Moving from benchmarking to baselining.
By Eh’den Biber
Trying to figure out the level of awareness of information security within an organisation is a daunting task. Throughout the years I’ve seen multiple attempts to deliver effective metrics and frankly – most of them sucked, big time, including the ones I came up with. Retrospectively I can humbly say – especially the ones I’ve chosen.
The difficulty arises from the simple fact that most of the information security professionals who are assigned to deliver such a task have no clue what awareness is. We (humans) think we know what awareness is, but since our experience is subjective we don’t have a clue what it actually means. Awareness, or the nature of consciousness which is aware of itself, is beyond the scope of this article. I’ve written a series of articles about it (the desolation of awareness) and I invite you to read them rather than have me repeat segments of them.
Because people don’t understand awareness, they end up playing “pretend”, use a wide range of definitions to describe how it relates to information security, and based on that develop multiple methods of “measuring it”. Examples? How many users have passed the computer-based training we gave them on the subject, or how many users were fooled by fake phishing emails we sent them. These sound like great metrics, yet I’m sorry to disappoint you – they don’t mean anything when it comes to awareness; they are just the “soup-du-jour” of awareness metrics.
When I try to challenge the metrics used, I encounter the same behaviour a heavy smoker shows when told that smoking is dangerous to his health – total denial, sometimes in a very aggressive way. Truth, the real one, not the subjective one we carry with us via our culture and life experiences, is devouring, and most of us will steal, borrow and beg to avoid facing it. Life is an endless set of complex adaptive systems that interact with themselves, giving rise to an endless number of emergent properties that are a result of this dance. Life is nothing but a probability field, rather than what we perceive it to be. There are no solid elements, or colours, or sounds, only a quantum field and endless subjective experiences. To be aware is to experience that for yourself.
Back to awareness metrics. What most of us are doing is measuring the surface of awareness, the signals, rather than investigating the real nature of awareness. Our measuring attempts are similar to what Franz Joseph Gall, who invented phrenology, did in the 19th century while trying to solve the mystery of the mind. First named “cranioscopy” by him, and later changed to “phrenology” by his followers, this method was supposed to give the scientist who used it a way of understanding the state of mind by measuring the scalp. Derived from the Greek words phrēn (“mind”) and logos (“knowledge”), phrenology claimed that certain brain areas have localized, specific functions or modules, and thus by measuring the scalp one can gain an understanding of the performance of the brain and the mind.
Guys, I know it is hard to acknowledge it, and thus I write with deep kindness, love, and compassion – what we do isn’t measuring awareness at all. True awareness is when consciousness recognises itself for what it is. Everything else that is being called “awareness” is a mind projection, a dream, maya, or whatever your culture calls it. I do encourage you to question every word and statement I made, and at the end, see for yourself.
I realise the above sounds strange to anyone who either never had an awakening experience or who grew up in a culture where such ideas are ridiculed. It’s easy for intelligent people to laugh at astrology, but it is very hard for the same people to accept that what they do believe in is not truly real. Nothing is “real” as we perceive it to be, but since we are unaware it seems real. Don’t take my word for it, read what Einstein wrote about it.
The concepts above are very hard for most individuals to grasp and practically impossible for organisations to handle. Information security awareness training is being done or led by information security people, not people who were trained to understand other people, not to mention people who have been looking into the nature of awareness. The human resources (assets) department that is supposed to be in charge of delivering human resources (assets) to processes doesn’t have the tools or the resources to truly provide a shift in awareness. If an organisation wishes to have more aware people in it, it must come from above, as a management-driven effort, as a cultural objective. Since you have no clue what awareness means until you have had a glimpse of it, what usually happens is that management either calls in external “experts” who use pseudo-scientific claims in order to sell themselves as experts who can raise the level of awareness in the organisation – or simply rejects the idea completely.
While the idea of an aware organisation seems to be a la-la-land idea, there is one organisation that shifted to be aware and changed. I might write about it in another post, as the story can be a lesson in the virtues of such change.
When you recognise what awareness is, you realise your limited capacity and move from benchmarking to baselining. Instead of defining an awareness goal for individuals and trying to figure out the state of these individuals vs. the standard you defined, look at each individual as a unique unit of awareness, which they are. Help them discover what awareness is, what consciousness is, what their true nature is.
Only after one experiences for himself what his true nature is can this individual start to live a life which is not driven by his story. Only then can that individual start to recognise when he is operating from an aware state and when he is being driven by his stories or the stories of others. To help an individual reach that state, they need to be part of an environment that is not trying to compare them to others but sees them as a unique, sacred part that can only be understood by themselves. This is what awareness baseline is all about. Until that point, any claims, attempts and measurements that will take place are as effective as trying to know how much someone else loves you by measuring their scalp.
2015, All rights reserved ©