It seems like security practitioners are still saying the same things they said ten years ago. Use complex passwords. Change them often and don’t use the same one for every account. Verify the identity of persons before you transact with them. Check it before you click it. These and many more have been on the tongues of professionals for years and some wonder why.

Like the boy who cried wolf, the security practitioners are simply prophets of woe until someone sees a wolf. We all know security threats (wolves) exist and that they impact companies but until that event is localized and impacts us or someone we are closely associated with, the guidance of security practitioners is reduced to hyperbole.

The question we must ask is how do we show the benefit of safe computing when the threats are not real and evident to the individual?

The first approach is to make the threats real to the individual. To be real, a threat must be shown to have a significant impact and high likelihood, not just in the abstract but specifically to the individual or organization. Essentially, a person must acknowledge the threat in order for it to be real to them. This can be accomplished through questions that reveal the pain of the threat or by demonstrating the threat to them. Consider these questions yourself:

Would someone have access to my data if a phone or laptop was stolen?

Would it be easy for my employees or coworkers to commit fraud if they wanted to?

How do I rationalize my approach to cyber security?

Threats can also be demonstrated to make them real to the individual. For example, an email with an attachment or link could direct a user to a site that informs them that they just performed a potentially harmful action or users could be called and asked to reveal their password or other sensitive information.

Once a threat is real, however, security choices still need to make business sense. Security professionals need to be able to show that security solutions mitigate the threats that are real to their customers in a cost-effective way. So what approaches work for you? I’d love to hear your thoughts.