Security awareness is becoming an ever more important issue in modern systems, networks, and organizations. With the proliferation of the Internet of Things (IoT), which is the interconnection of things with each other, with internal systems, and possibly with the Internet, it is more important than ever. In the past, concern over the security of physical systems was mostly a problem for industrial environments that used Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) systems, and similar devices and systems. Today, nearly every corporation has a smart something. It may be a lighting system, HVAC control, building monitoring, or any number of other systems. In addition, these organizations still have the traditional computing devices such as laptops and desktop computers, as well as newer devices like tablets and mobile phones. With this proliferation of connectivity, security awareness has become increasingly important.

So, what is security awareness? Well, it is the combination of the words security and awareness. But two combined words do not always result in the meaning one might infer from them. Does the first modify the second? Does the second modify the first? Or do they combine to form some unusual or esoteric meaning? Let me start by providing a definition of security awareness and then discussing how we arrive at this definition.

security awareness: noun phrase
[si-ˈkyu̇r-ə-tē ə-ˈwer-nəs]

the level of possessed or demonstrated realization, perception, or knowledge an individual or group possesses in relation to the current threats and vulnerabilities within the current environmental context

You see, awareness is simply the quality or state of being aware (Merriam-Webster), and to be aware is to have realization, perception, or knowledge (Merriam-Webster) of any action, inaction, person, place, thing, or idea/concept. However, in the context of security awareness, one is not simply either aware or unaware. Instead, one has some level of awareness. Therefore, we must modify Merriam-Webster's definition of "having or showing realization, perception, or knowledge" to become "the level of possessed or demonstrated realization, perception, or knowledge."

This awareness may be measured for individuals or for groups, and both are very important. For example, if a group of ten individuals has access to the same information on the organization's network and nine of them have strong security awareness levels while one of them is oblivious to active attacks, that one individual brings the group's security awareness down to that individual's level. The resources that can be accessed by the group are only as secure as the weakest individual in the group.

Now, on the security part of the phrase, we are constraining the awareness of which we speak. We are not concerned about general awareness, but about specific awareness related to the security of our systems, networks, and information. Therefore, our definition constrains the awareness to that related to the current threats and vulnerabilities within the current environmental context. Two important factors of this latter portion of the definition must be considered: 1) current threats and vulnerabilities, and 2) current environmental context.

The current threats and vulnerabilities are identified from both technical and non-technical perspectives. From a technical perspective, the current threats are those being experienced now (not in the past or the future). That might seem obvious, but it is not well implemented in many security awareness programs. The same is true of vulnerabilities. To maintain knowledge (a component of awareness) of current threats, one's mental information base must be updated regularly. This means that a good security awareness program starts with effective foundational training but is supplemented with ongoing information provided to the user community. This can be accomplished with notifications, emails, printed memos (yes, they are still used in some organizations – particularly for critical communications – and are often coupled with emails), and organizational employee newsletters. Concepts and principles related to security remain very consistent over time. Practical realities change year by year or even day by day as new systems and technologies are introduced, and as new attack methods are discovered.

From a non-technical perspective, current threats and vulnerabilities will only be kept up with by those who want to do so. This factor comes down to motivation. Are the employees motivated to keep up with, or maintain, their knowledge of current threats and vulnerabilities? To help them acquire this motivation, they need to see what's in it for them and not just for the organization. Part of this is managed under the typical employee morale programs that most HR groups implement. Another part can be managed by the security awareness program managers themselves. This latter part is building an understanding in the individuals that the security awareness they develop at work provides benefit in their entire life. In our CCyBP (Certified Cybersecurity Business Professional) course, we remind participants of this several times so that they understand the value of the knowledge and skills they are acquiring. This value is for them and for their employer.

Finally, context changes everything. This is because the environmental context changes the threats. When you are in a public location, like a coffee shop, bar, or airport terminal, threats exist that do not exist in the work office. For this reason, individuals must understand that their "security antennas" must be raised and tuned to additional "frequencies" when in public locations. They must be alert to shoulder surfers (individuals looking over their shoulder, or from other angles, to see their screen(s)), the more common in-person social engineering attacks, malicious wireless networks, and more.

Therefore, security awareness, in the context of cybersecurity, is the level of possessed or demonstrated realization, perception, or knowledge an individual or group possesses in relation to the current threats and vulnerabilities within the current environmental context. When security awareness is coupled with security skills or abilities (the knowledge required to use security controls, such as passwords, encryption, physical locks, etc.), overall security increases. The security awareness provides the motive or energy to enact the abilities.