As very young child to my astonishment I learnt that adults do not always refer to objects by the correct name. Once while playing with one of my young peers he was quick to correct me when I referred to the vacuum cleaner as a Hoover. But that was how all the grown ups had referred to this appliance so it had to be correct. My young friend with great consternation exclaimed "Hoover is a brand, they make all sorts of appliances not just vacuum cleaners!"
So here's the thing in the field of cybesecurity the term "Security Awareness" has been widely popularized and accepted. But I would dare to say there is a great deal of cybersecurity awareness, there is not a day that goes by that we do not hear about, phishing, data loss, ransomware or some other malicious activity. And yet millions of dollars are being spent on the "human element".
So what would be a more appropriate term and what are we really trying to achieve? Firstly, I agree we do try to raise awareness and more precisely generate interest in the subject. We can do this in a number of ways and on various mediums one of my favourite being the purple cow story . What if someone told you they had a purple cow? That is something that would get your attention, we are not used to seeing purple cows. But that is only half the story, because what we really want to achieve is "responsible security behavior". It is required that given any number of perilous scenarios our users are fully instructed in such a way as to avoid the danger. And this is exactly why the purple cow is not enough! Our users must not only be made aware they have to accept the responsibility to respond in a calm and predefined manner. But the freedom that we enjoy in life is that we are free to make bad decisions, it is a part of life and we have all made them.
Again going back to my childhood in the UK I can remember when cars were first fitted with warning lights that would light up if the seatbelts were not fastened. Some of them even had the temerity to beep at you! At this time when wearing seatbelts was still not mandatory, many drivers chose just to fasten the seatbelt behind the seat. No warning light and no annoying beeps. Sadly it took the human cost of lost lives and serious injury, heavy advertising, and a change in the law, to bring about the "acceptance" and requisite behavior. To promote responsible security behavior you need buy-in and collaboration.
Just like in your home, everything is designed to accommodate the people that live there. And normally everyone knows what keeps them safe. On the other hand if a member of the family is a baby, we don't expect the baby to avoid the stairs and not fall down them. The normal thing would be to install a baby gate at the top of the stairs. We can all empathize with a baby and carefully respond to its needs. In the enterprise we need to do the same. The user is not the weakest link, or the strongest link. They are just a part of the system, so don't blame the user, just like you wouldn't blame the baby. Instead let us work towards responsible security behavior, but let us do it together. Let us support each other, build better systems, and remember: Empathy first, Humane security.