There’s an interesting article in this month’s ISSA journal about awareness by Gordie Stewart. I think it can be generalized to all of education, not just adult education in technology.
The mainstream approach of teaching topics regardless of what audiences
already know or perceive seems an extraordinarily wasteful approach of
people’s time — both ours and our audiences’. Lance Spitzner from the SANS
Securing the Human Program makes an interesting point about humans being
just another operating system (OS). I think we could take his analogy even
further. If we were asked to secure a Windows operating system,
we’d inspect it to see what security controls were missing.
To suggest that we just fire patches at it blindly without
knowing what was already installed would be ludicrous. But that’s
exactly what we do with human operating systems. Where’s
the awareness equivalent of the Microsoft Baseline Analyser?
and later …
Rick Wash did a fantastic piece of research on security mental models and
clearly demonstrated the value of understanding audience perspectives.
Wash found that there was a common perspective held by American home
computer users that the Internet threat was mostly mischievous hackers.
This fundamental misunderstanding then influenced people’s attitudes
toward security behaviors such as patching and antivirus. The
audience had heard the advice about patching and antivirus, but
their belief about the nature of the threat overrode the recommendations
they had heard from the experts. The mistaken perception about the threat
prevented them from acting on good advice. Reiterating general advice
about patching and antivirus is unlikely to help this audience.
However, with a greater understanding of their perceptions in regards
to the nature of the threat, the approach for this audience is now obvious.