Being aware doesn’t mean I care (about cyber security) 

Just because I’m aware of something, it doesn’t mean I care and I’ll do what you ask. This is the curse of cyber security training and awareness.

We can’t teach people to care, as caring is a feeling.

But we can illustrate why they should care through experiences and stories.

We can highlight what can go wrong if they don’t care enough to change their behaviours.

We can emphasise that although they may not care, others do.

Understanding the reasons people don’t care is a key part of building a great security culture.

If an employee needs to fill in a 10-page risk assessment form every time they want to make a change to a system, they are less likely to care about security.

If every time an employee emails your IT or security team for help they never get a reply, they are less likely to care about security.

If your intranet content is 5 years out of date, but you’re asking people to go there to self-service security guidance, they are less likely to care about security.

How can small changes to processes or technology make security easier for people and help them to care more?

  • At the very least, if you ask people to report phishing, then acknowledge their email.

  • At the very least, if you have an intranet site for self-serve information, then keep it up-to-date.

  • At the very least, if you have an Acceptable Use Policy, then make it easy to understand.

