I have created a series of basic-level “introduction to security” units. I find that security awareness really lacks the drive for autonomy that we have in other areas. Health education is one. We often have to fight to get appropriate care and be heard by medical practitioners. This is the same in information security, where it can be hard to change process or convince managers that change is needed. However, we have a huge focus on health education and autonomy, and food is even labelled accordingly.
Making sound decisions about security and privacy is very different. There is little outreach or education. Valid questions, even when they show significant technical awareness, are often mocked. We have adopted a “try harder” ethic that came from a marketing campaign for a challenging exam. This should not be a general ethos of how we try to educate ourselves or each other. It is incredibly hard and often expensive to find information, and product labelling is only just being rolled out.
So I am creating a series of resources, some in collaboration with others who do outreach in this sector. I hope it will be useful and constructive. I have sat with customer-facing or call centre teams and observed how they have scripts and time limits to respond. This simply does not work for security. I have also seen how using terms without explaining them is extremely damaging. People switch off or misinterpret things. If we educate people and involve them, we gain engagement. We need to stop mocking people and speaking of technical or non-tech. All we need is to inspire interest and understanding. I do not care about cars, but I understand the basics of car care. The basics only. I drink too much coffee and eat candy, but I know to brush my teeth and exercise. No doctor or mechanic expects expertise from me.
So I hope we can create a new paradigm where we educate and inform. I am creating a bronze-level security course perhaps, an intro that may spark interest, but it should definitely inform people.