I’ve been thinking about this question a
lot recently, not least because it forms part of a presentation I am doing in
August. The reality as I see it is that for people who don’t work in
information security, well, they just don’t seem to give a s**t about it. Is
this surprising? Probably not – people have busy lives after all. I’ve seen
first-hand evidence though – family members, neighbours, friends – all doing
stupid things, getting hacked, losing money, getting socially engineered. They
seemed to shrug and not want to take action, like it was something they had no
control over. Infuriating! :)
The infosec community, me included, spend
so much time thinking about it at work and outside work (some would say even
more so outside of work), spend time on Twitter focusing on it (I get irritated
if anything non-infosec comes up on Twitter – sad I know) and reading blogs and
articles etc. The rest of the population is decidedly nonplussed. I recently
told somebody who works in marketing in my company what I did, she just laughed
and said, “So something really interesting then” in a sneering sort of way. And
I know what that meant. It meant she hadn’t spent 30 seconds in her life
thinking about how to protect her information (perhaps company information as
well as her personal information) and her identity.
So how can we change that? I mean we are supposed to be leading this area. How do we as infosec people change a society’s views? Of course it's ambitious! It would be boring if it wasn't.
I’m intrigued by the question though and intend to
spend a lot of time investigating this. I recently set up ‘Information Security
Awareness Ireland’ (admittedly it’s early days) specifically for this purpose.
There are two broad focus areas in my view (and this view will no doubt
mature).
Firstly we need to focus on what we have at
least some control over, namely our organisations and how to get people to
pay attention there. That is about maturing the organisational culture
regarding information security. On this I will be focusing my efforts in the
coming months.
However, the second and more difficult area,
is the general public. There are some great campaigns by various groups trying
to get children to be safe online, which is great, but I am amazed at how little
focus is put on the adults. Surely you can’t have one without the other.
Educating the wider public will take a monumental effort over years to change
thinking, just as the campaign to change the public’s attitude to seat belts
(or smoking or exercise) took years. I believe that we as leaders in this field
need to play a strong role and yes, that means taking a role outside of work.
We just need to decide what these activities are and what to prioritise to
facilitate change quickly.