Why you shouldn’t trust (awareness) experts, what should you trust instead, and my new year resolution.
By Eh’den Biber
(see the end of the post with the update…)
Prologue – SANS
During the SANS European awareness summit, I’ve ended up in an interesting debate on twitter with one of the attendees (John Scott). The debate was on the observation I made that science was not part of the agenda in this major awareness summit. There was not a single scientist on stage to talk about their breakthrough research, and none of the tweets about the event (#SecAwareSummit) included any science in them.
My observations didn’t go that well with John, who seems to have taken it a bit personal. To show me I was wrong he mentioned that Jessica Barker gave a talk. Yes, she did, and yes: she’s a (civil design) doctor, and I barely finished Kindergarten.
When SANS finally posted the slides from the event (including the workshops that occurred before), it seems that the only one who provided external references in their slides was Jess (well done). She mentioned 5 academic papers (from 1996, 1999, 2008, 2008, 2009), one reference to TED talk (2012) and one book (2017). Only one of the research mentioned was focused on information security (2009, Self-efficacy in information security: Its influence on end users’ information security practice behaviour), it used social cognitive theory, and the results suggested that simply listing what not to do and penalties associated with a wrong doing in the users’ information security policy alone will have a limited impact on effective implementation of security measures.
I’ll let Iago express my feelings about that one: