2025-11-21

Micro-awareness

Image from Unsplash

What grabs your attention first? A newspaper article buried on page seven, or a similar message in a personal email that even addresses your specific situation? The question answers itself, doesn’t it?

As an information security officer, you have a tough message to convey. There are all sorts of rules designed to ensure the confidentiality, integrity and availability of the data entrusted to us. Maybe those terms alone make you break out in a cold sweat. Let alone having to implement measures to comply with those rules – say, in a project. And then those measures get in your way because you can’t do something the way you envisioned. Even if you understand why it’s necessary, it’s hardly pleasant. And it’s a page-seven story: you just hope your audience sees it.

A personal email, on the other hand, always gets through. I’m talking about the kind of email we send to a team manager, telling them that an employee did something against security policy. In other words: someone broke the rules and needs to be addressed. We do this via the manager because they know the employee. Ideally, they can judge the response better than anyone else – and whether our report might be a puzzle piece in a bigger picture, possibly pointing to subversion.

Employee reactions vary from genuinely shocked (‘Oh wow, that was dumb!’) to businesslike (‘Here’s what happened’) to – on rare occasions – defensive-aggressive (‘I’m allowed to do this!’). In most cases, the response closes the report. There’s a plausible explanation, and no further action is needed. Sometimes I ask a clarifying question; you don’t want someone to get away with smoke and mirrors.

This approach turns out to be highly effective for boosting security awareness. I call it micro-awareness: focused on one person or team, and one specific observed fact. It’s almost unheard of for someone who received such a message to pop up again later. That personal attention really works.

Micro-awareness also reinforces the idea that the warning you see when logging in isn’t just empty words. You know, the one saying access is for authorized personnel only and you may only do what you’re allowed to do. Monitoring is real. It’s automated, and only when something pops up that deserves closer attention does a human take a look. We’re an organization with big stakes, and those stakes need protection.

Unfortunately, we have to consider insider threat. I know, all colleagues are incredibly trustworthy; most of us couldn’t name a single one who isn’t. And yet, in a large organization, statistics guarantee a certain percentage of bad apples. Plus, circumstances can turn a model employee into a risk. I dealt with that earlier this year (things went missing), and I can tell you it’s unpleasant for everyone. I might be the first to link that incident to insider threat. Maybe it could have been avoided if the organization were more aware of this often-overlooked phenomenon (and that’s not a blame game; it’s something we need to work on).

If there’s micro-awareness, then logically there’s macro-awareness. Those are the page-seven stories. Not necessarily in the newspaper, but maybe on the intranet or in presentations. Not everyone reads them, not everyone attends. The ones who do are interested in what you have to say. But you’d love to reach the ones who don’t show up.

The Security (b)log is also a form of macro-awareness. Loyal readers know it usually starts with an everyday situation and then twists toward information security. Wrapping a serious message in an appealing package helps. And honestly, it’s a lot of fun to do.


And in the big bad world…
