Security Awareness and the Wind in the Trees
Winds and Stress Wood
In the 1990s, Space Biosphere Ventures constructed Biosphere 2. The biosphere was occupied by a crew of researchers for a two-year period, investigating whether they could be sustained only by food grown within the dome. The researchers grew many types of plants in their quest to develop a self-sustaining environment. One of the surprising results from their efforts was that as many of the trees grew they suffered from a lack of “stress wood.” A tree grows stress wood to strengthen its roots and structure in response to winds. (https://en.wikipedia.org/wiki/Biosphere_2)
Many writers have drawn analogies between the importance of trees having strong roots (roots which are a form of stress wood), and the need for people to have strong roots to overcome adversity. I thought it would be interesting to look at this stress wood phenomena in the context of security awareness. I’m a security awareness practitioner in higher education. I take the complexities of good cybersecurity practices and recast them for my audience, doing the work of a technical communicator by explaining complex concepts and making them relevant and actionable to my audience.
In many ways, effective security awareness has the same effect on the development of strong roots in people that winds have on trees. Without steady winds, trees don’t develop roots and will topple from strong gusts. Without a steady light wind of security awareness education, our communities won’t withstand the gusts of cyberattacks. Security awareness programs must communicate steadily to their communities what members need to know–not only how to recognize and respond to specific cyberthreats, but good daily security practices.
Effective security awareness has the same effect on the development of strong roots in people that winds have on trees. Without steady winds, trees don't develop roots and will topple from strong gusts. Without a steady light wind of… Click To Tweet
To help our community members develop strong roots we need a programmatic approach to security awareness. It’s not enough to just communicate about specific cyberattacks (gusts) as they occur. We must embed good security practices into our culture. Good security practice must become habitual. Our end users must develop strong roots to face the adversity of cyberattacks.
We must strive to embed good security practices into our culture. Good security practice must become habitual. Our people must develop strong roots to face the adversity of cyberattacks. Click To Tweet
For several years, I’ve led a preconference workshop to my peers on developing a security awareness plan at the EDUCAUSE Security Professionals Conference, sometimes by myself, other times with a skilled co-presenter. This year, Tara Schaufler, Information Security Awareness and Training Program Manager at Princeton University, and I will be presenting Know Which Way the Wind Blows: Security Awareness that Soars. We’ll help attendees build a strategic plan and determine how to implement that plan so that their communities have that steady wind of security awareness communications.
Wind in the Trees
I think the analogy of wind in the trees works for security awareness education. Growing roots is a good way to articulate the results and culture change we should expect from a good security awareness program. Decorating the tree through a specific security awareness campaign may be eye-catching. It’s great to leverage the damage from gusts of cyberattacks to teach key concepts. However, it’s the steady breeze that will make the biggest difference for our communities.