An organisation has been launched to promote security awareness in the wake of the plethora of major security breaches in 2007.
The Information Security Awareness Forum (ISAF), launched on Tuesday at the British Computer Society (BCS) in London, will be an umbrella body for a number of organisations, including BCS, IT industry lobbying group EURIM, and web-safety campaign Get Safe Online.
The forum was created as a result of various security breaches last year, which ISAF said were the result of a lack of security awareness. These included the HMRC breach, where 25 million personal details were lost, and the TJX breach, where up to 96 million credit-card details were compromised.
ISAF aims to promote information security awareness across government, corporations and small businesses, as well as among individuals. David King, chair of ISAF, told ZDNet.co.uk that security awareness was one of the "big things" for all organisations, and that there was common security ground between all sizes of public and private organisation.
"There is some common ground," said King. "For example, picking good passwords, changing passwords frequently, and being conscious of the impact of sharing information on social-networking sites. Companies have a responsibility to handle information securely, just as government does."
King said that ISAF would seek to change people's behaviour so they would think of the possible security ramifications of their actions before acting. While organisations needed to have "awareness on the agenda", multiple approaches needed to be taken to change behaviour, according to King. "To change behaviour we have to come at the problem from different angles," he said.
ISAF says it will aim to publish a "Guide for Directors on Information Security" by the end of April. This will be aimed at senior figures in public- and private-sector organisations.
Senior civil servants in particular need to have information security awareness on the agenda, according to Philip Virgo, secretary general of IT industry lobbying group EURIM. "There's definitely a confusion among civil servants, just as there's a confusion among [private sector] managers," said Virgo. "That's down to the amount of conflicting security advice being given [by groups promoting commercial interests]."
ISAF membership will mainly consist of industry bodies. While the membership of those bodies consists primarily of commercial organisations, as well as EURIM, David King said the ISAF would not be a lobbying group or promotional tool for any particular vendor or set of products.
"We are not a lobbying organisation," said King. "We don't have corporate members. Our agenda will be delivered by industry body representatives. Those industry bodies have different organisations, which all have their own agendas."
ISAF will also collaborate with web-safety campaign Get Safe Online to promote security awareness in small businesses and for consumers. The campaign has been running since 2005, and encountered controversy when its membership costs were revealed and also the fact that sponsors' products would be promoted by the site.
Other organisations involved with ISAF include the BCS, the Institution of Engineering and Technology, (ISC)2 , the Institute of Information Security Professionals, (IISP) and Jericho Forum.
As well as publishing the "Guide for Directors", the ISAF will also promote an Information Security Awareness Week from 21 to 25 April, to coincide with the Infosecurity Europe conference at Olympia in London.