Security Awareness Design in the New Normal Age
People working in our cyber world have access to a wide range of information, including sensitive personal or corporate information, which increases the risk to it. One aspect of protecting this data is training the user to behave more securely. This means that every person who handles sensitive information, their own or that of other people, must be aware of the risks that their use can pose as well as how to do their job in such a way as to reduce that risk. The approach we use for that is called ‘security awareness’ but would be more accurately described as security ‘unawareness’, because most of the problems arise where the user doesn’t know about the risk from their behaviour or its potential impact. In these post-COVID days of ‘New Normal’ working, in which staff spend more of their time working at home, organisations are still responsible for the protection of sensitive personal and corporate data. This means that it is more important than ever to create an effective security awareness communication process. This book will primarily consider the problem of hitting that ‘Sweet Spot’ in the age of ‘New Normal’ working, which means that the knowledge about secure practice is not only understood and remembered but also reliably put into practice – even when a person is working alone. This will be informed by academic research as well as experience, both my own and learnt from my fellow professionals, and will then be used to demonstrate how ‘New Normal’ working can improve security awareness as well as challenge it.
Security Awareness Design in the New Normal Age
Wendy F. Goucher
First edition published 2023
by CRC Press
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742
and by CRC Press
4 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN
CRC Press is an imprint of Taylor & Francis Group, LLC
© 2023 Wendy F. Goucher
Reasonable efforts have been made to publish reliable data and information, but the
author and publisher cannot assume responsibility for the validity of all materials or
the consequences of their use. The authors and publishers have attempted to trace
the copyright holders of all material reproduced in this publication and apologize to
copyright holders if permission to publish in this form has not been obtained. If any
copyright material has not been acknowledged please write and let us know so we may
rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted,
reproduced, transmitted, or utilized in any form by any electronic, mechanical, or
other means, now known or hereafter invented, including photocopying, microfilming,
and recording, or in any information storage or retrieval system, without written
permission from the publishers.
For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. For works that are not available on CCC please contact [email protected]
Trademark notice: Product or corporate names may be trademarks or registered
trademarks and are used only for identification and explanation without intent to
infringe.
Library of Congress Cataloging-in-Publication Data
Names: Goucher, Wendy, author.
Title: Security awareness design in the new normal age / Wendy F. Goucher.
Description: First edition. | Boca Raton : CRC Press, 2022. | Includes
bibliographical references and index.
Identifiers: LCCN 2022001842 (print) | LCCN 2022001843 (ebook) |
ISBN 9781032047645 (hardback) | ISBN 9781032047652 (paperback) |
ISBN 9781003194583 (ebook)
Subjects: LCSH: Computer security. | Computer networks—Security measures. |
Risk Communication. | Risk perception. | Organizational behavior.
Classification: LCC QA76.9.A25 G675 2022 (print) | LCC QA76.9.A25 (ebook) |
DDC 005.8—dc23/eng/20220422
LC record available at https://lccn.loc.gov/2022001842
LC ebook record available at https://lccn.loc.gov/2022001843
ISBN: 978-1-032-04764-5 (hbk)
ISBN: 978-1-032-04765-2 (pbk)
ISBN: 978-1-003-19458-3 (ebk)
DOI: 10.1201/9781003194583
Typeset in Caslon
by Apex CoVantage, LLC
Contents
Acknowledgement viii
Introduction 1
Common Sense . . . Isn’t 1
Chapter 1 What Is Security Awareness and Why Should You Care? 5
Introduction 5
Practicality 8
Example 8
Insecurity Awareness 9
Human Insecurity Awareness and the Media 10
In Plain Sight 12
Governance and Compliance 14
You and Your Staff Are the ‘Weakest Links’ 15
Chapter 2 Security Awareness and Protecting Information through History 17
Introduction 17
Obfuscation 18
Separation and Access Control 21
Social Engineering 24
The Door Chain 25
The Confidence Trickster 26
Example One – Kitchen Composter 27
Example Two – Grooming 28
Situational Awareness 29
Cognitive Bandwidth 30
Chapter 3 The Challenges of Communicating about Security Awareness 33
Introduction 33
Resistance 34
Reluctance 37
Relevance 40
Revision 42
Chapter 4 Taking on an Invisible Threat 45
An Exercise in Understanding and Defending Against Data Leakage 45
Introduction 45
Raising Awareness Around Visual Data Loss 52
Sharing Data 53
Sensitive Information 54
A Security Awareness Lesson 54
Resisting an Invisible Threat 55
Chapter 5 Turning ‘Behavioural Intent’ into Habitual Behaviour 57
Introduction 57
The End Users’ Perspective 60
The Gulf of Execution 64
Making It Matter 70
Chapter 6 The Challenges of the COVID Years and the ‘New Normal’ 71
Managing Your Staff 71
Introduction 71
The Video Challenges 73
Taking Virtual Control 75
Living at Work 77
The Business Laptop 78
The Management Boundary 79
The Commute Opportunity and Threat 80
Summary 81
Chapter 7 Security Awareness Programs and Mental Health in the ‘New Normal Age’ 83
Introduction 83
BC: Before COVID 84
The Mechanical View of Workplace Stress 86
Normalising Mental Health 87
Work-Based Stress 89
Norms 91
Return to Work 93
Security Versus Mental Well-being Opportunity Cost 94
Chapter 8 Looking Back at the Start of ‘New Normal’ Working: A Case Study 99
Introduction 99
Chapter 9 Carrying Forward the Loot from the Hard-Fought Battle 117
Chapter 10 “They Think It’s All Over . . .” 121
Introduction 121
When Will It Stop? 122
Index 126
Acknowledgement
I would like to thank Alasdair Pemble and Cate Pemble for their work
in editing this book.
Introduction
Common Sense . . . Isn’t
Modern businesses run on information. Every service, every product, every interaction or transaction, and every employee is recorded somewhere.
It makes sense, then, for modern businesses to consider not only the physical security of their assets but the digital security of their information. Some may even argue that taking steps to ensure information security, and security awareness, is common sense. But is it? And is common sense really that simple — or that common?
It will come as no surprise to anyone reading this book when I say that the way we work, have worked and will work has changed drastically over recent years. Whether we are talking about increasingly powerful personal devices, access to WiFi in public spaces, or the ability to continue working and connecting with colleagues even when we’re sitting on a plane travelling 550 miles an hour, 40,000 feet in the air, our working practices are evolving. Indeed, this process of moving away from the traditional on-site desk-tethered mode of working may be the greatest change in generalised working styles since the development of the production line!
But have our security practices kept up with these changes? Do people understand the steps they need to take to make sure they can work securely while travelling, or sitting in a café, or even working from home? The honest answer is ‘probably not’, and that’s a problem – after all, advanced password protection software means nothing if people are still writing their passwords on Post-it® notes and taping them to their screen, or keeping them in a Word document on their desktop.
This is why one of the most important steps in improving information security practices is training the user so that they use and understand secure working practices. But this is no small task: it means training every person who handles sensitive information of any kind, to make sure they have the information and the skills necessary to use
DOI: 10.1201/9781003194583-1