The Dunning-Kruger effect is an illusion-of-competence bias that presents itself in two ways: one, the severely incompetent do not recognise their own incompetence, nor do they recognise competence in others, and assume they are far better than they really are; two, the highly competent assume that others are at a similar level of competency and/or assume that the test, knowledge, etc. is easy to come by and that they are nothing special. Frequently, the Dunning-Kruger effect in the competent comes with a partner, impostor syndrome.
In Part 1 we looked at the deterrence quality of security controls. It is one of three attributes of security controls that are often ignored, sometimes consciously but more often out of ignorance. Now we will look at another attribute that is too often neglected: awareness. Typically, when security awareness is discussed, the immediate mental image is of mandatory courses, presentations and drab, unimaginative posters around the workplace. What this post talks about is information security situational awareness: what is happening, where, why, and who is involved.
Fear of reprisal is one of the most potent stimulants for action. It is also one that information security generally ignores. Instead, the urge to "improve security by buying more technology" is the prevalent course of action for most IT shops in large and small organisations. That this merely perpetuates a losing race is not a message most IT security staff are willing to concede. There is a better way to improve the information security posture of large and small organisations, and it starts by mimicking physical security, where psychology has played a significant role.