The difference between the “Reality” and “Feeling” of Security: Information Security and the Human Being

Let us assume that a person knows the traffic rules. But does knowing the traffic rules make that person a better driver? Apply the same reasoning to “information security”: does knowing the security policies guarantee that a person will practice those policies correctly and as required while at work? So how do you make a person “accept and apply information security”? To answer this question, we must understand that for security practitioners, information security is a mathematical probability based on threats, vulnerabilities, impact and risk. For the end user (more than 99% of the workforce), security is a feeling. By influencing the feeling of security, it is possible to make the end user adopt responsible information security practices.

The paper shall focus on the following:
1) Introduction to the problem: Focus on “security awareness”, not “behavior”
2) Real-life case study of why a US$100,000 “security awareness” project failed
a. Identifying the human component in information security risks
b. Addressing the human component using “awareness” and “behavior”
4) Sample real-life case studies where quantifiable change has been observed
Original research and Publications
The talk is modeled on the methodology HIMIS (Human Impact Management for Information
Security) authored by Anup Narayanan and published under “Creative Commons,


Speaker: Thomas Kurian

Thomas Kurian Ambattu, CRISC, ISLA 2011 (ISC)², is an information security consultant with Wings2i IT Solutions. Thomas is passionate about information security, and his areas of interest include Human Impact Management, information security awareness and behavior. He is based in Bangalore, India. Thomas was honored with the prestigious ISLA (Information Security Leadership Achievement) award by (ISC)² for 2011.