Death by a thousand facts

Purpose The purpose of this paper is to examine why mainstream information security awareness techniques have failed to evolve at the same rate as automated technical security controls and to suggest improvements based on psychology and safety science. Design/methodology/approach The concepts of bounded rationality, mental models and the extended parallel processing model are examined in an information security context. Findings There is a lack of formal methodologies in information security awareness for systematically identifying audience communication requirements. Problems with human behaviour in an information security context are assumed to be caused by a lack of facts available to the audience. Awareness, therefore, is largely treated as the broadcast of facts to an audience in the hope that behaviour improves. There is a tendency for technical experts in the field of information security to tell people what they think they ought to know (and may in fact already know). This “technocratic” view of risk communication is fundamentally flawed and has been strongly criticised by experts in safety risk communications as ineffective and inefficient. Practical implications The paper shows how the approach to information security awareness can be improved using knowledge from the safety field. Originality/value The paper demonstrates how advanced concepts from safety science can be used to improve information security risk communications.