How well are information risks being communicated to your computer end‐users?

The aim of this paper is, first, to discuss how the risk perceptions of computer end‐users may be influenced by improving the process of risk communication by embedding symbols and graphics within information security messages. The second aim is to describe some pilot study research that the authors have conducted in an attempt to ascertain whether the embedding of symbols and graphics within information security messages achieves a shift in the risk perceptions of computer end‐users.

Two pilot studies were undertaken. The objective of each study was to establish whether the embedding of a relevant graphic relating to some known aspect of information security, when placed inside an information security message, would have any influence on the information security risk perceptions of any individual to whom the message was being communicated. In both studies, the method of eliciting a response from each participant involved the use of a type of semantic differential (SD) grid.

On completing an analysis of the responses to the SD grid survey for both studies, no statistically significant differences were detected between the groups with respect to any of the six relevant scales. Nevertheless, it seems that the differences were large enough for the present authors to be convinced that the SD measures used are an appropriate survey technique for future studies in a workplace environment.

The research subjects (i.e. survey participants) for both pilot studies were students of the University of South Australia. There are many ways in which information risk communication could be made more effective and this paper only attempts to show how graphics and symbols could be used to convey risk messages more effectively. This paper does not in any way attempt to provide any “silver‐bullet” solutions for management in terms of what they can do towards managing information risk.

The ultimate objective of this research is to subsequently advise management on how they can communicate information risk simply and more effectively to achieve the final outcome, i.e. the mitigation of actual risks.

It is believed that, if the effectiveness of the various forms of risk communication within an organisation can be increased, then the general perception of the risks to the information systems will be more realistic.