Dr Mark Carey-Smith
Mark Carey-Smith has held various information security roles for the past 19 years. Mark's experience includes systems administration, mentoring, training, architecture, incident response and research. He has designed and delivered information security courses at undergraduate and postgraduate level and has published peer-reviewed papers. He holds an MIT and a PhD from the Queensland University of Technology.

Action Oriented Information Security Awareness Raising

In this presentation I will describe an information security awareness raising (ISAR) education and communications campaign that I developed and implemented in 2017. Drawing on my experience as a researcher and lecturer, I developed a theoretical framework based on best practices drawn from academic and industry sources. This framework formed the basis of the training, with an emphasis on understanding why people make the decisions they do about information security and communicating that to participants. The education campaign was centred on face-to-face training sessions in which participants' engagement with the material was critical and a supportive, informal atmosphere was actively cultivated. The training approach used a wide variety of methods, incorporating short 'lectures', small-group exercises, whole-of-group discussions, short video material, and 'Dad jokes'. Within this framework, elements of best practice were included based on research into the psychology of information security and the pedagogy of awareness raising. For example, 'fear appeals' in isolation are generally ineffective, but combined with a rationale that people can relate to and empathise with they are far more likely to change behaviour. This presentation will describe how the ISAR education and communications campaigns were created, explaining how education and communications differ as concepts, and will cover:
  • identifying requirements
  • meaningful performance metrics
  • training delivery options
  • cohort selection
  • the core message: Stop, Think, Act, designed to stimulate 'higher order processing' of the message and emphasise that information security behaviours are a series of users' choices
  • a continuous improvement cycle: train, measure, improve, repeat
  • ISAR as a PR exercise for the infosec team
  • ISAR as a 'force multiplier' and the importance of identifying and avoiding 'force dissolvers'
  • communities of practice
  • lessons learnt

The presentation will include examples of the training materials developed to illustrate these concepts, particularly the 'Dad jokes'.