ABSTRACT

The concept of information security awareness is more complex than many people think. There are no cure-alls, and the issue of reliable indicators and metrics is going to run and run until some very serious academic research is pointed at it. The diversity in cultures amongst and between organisations is such that solutions will rarely be transportable without considerable customisation and enhancement for each. The main conclusions the author has drawn from experience and the process of writing this book are as follows: create achievable goals and objectives – and match these to metrics and indicators that relate to behaviours as well as knowledge and attitudes. Risk perception is a strange phenomenon that needs to be understood (and used) whenever possible. There is no panacea, and no methodology that can be prescribed that will meet all needs.