03 June 2026
For many years, organisations have invested heavily in security awareness training. Yet despite this investment, many organisations still struggle with understanding information risk. Employees watch videos about phishing emails, complete online courses and answer multiple-choice questions designed to help them recognise suspicious behaviour. The assumption is that if people can recognise threats, they will make better security decisions.
But something in this approach is off. It is like trying to stay healthy by studying disease and taking medicine. Both are important, but nobody becomes healthy by concentrating exclusively on illness. Health comes from understanding the body: how it works, how its systems interact and how small changes in one area can affect another. Disease matters, but by the time it strikes, it is often too late.
Understanding Information Risk Starts with Understanding the System
Information awareness requires a similar shift in perspective. Rather than starting with the attacker, it needs to start with the information itself: what it is, where it comes from and what it reveals.
When Strava published its global heat map several years ago, nobody leaked military plans or emailed confidential documents to the wrong person. Nobody clicked a malicious link. Instead, soldiers, aid workers and contractors simply used a fitness application while exercising. Individually, each activity appeared harmless. Collectively, the data revealed the locations of military facilities, patrol routes and operational patterns in places where such information was never intended to become public.
The story is fascinating because there was no obvious attack. Traditional security awareness provides a cast of familiar characters: the hacker, the scammer, the suspicious email and the malicious attachment. The Strava incident contained none of these things. The information emerged because people failed to understand what they were creating rather than because they failed to recognise a threat.
Cases such as Strava demonstrate why understanding information risk involves more than recognising attackers. The risk emerged from the information itself and the way seemingly harmless fragments combined to reveal something much larger.
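As an added illustration, not part of the original article and not Strava's data or code: a small Python script that bins constructed fitness activities into a heat-map grid and flags cells where several distinct people exercise repeatedly outside areas already known to be public. Every record on its own is an innocuous run; the cell that surfaces is the aggregate. The grid size, the thresholds and the `known_public` allowlist are assumptions chosen for the demonstration.

```python
"""Mosaic-effect demonstration: individually harmless activities, aggregated
into a heat-map-style grid, reveal a recurring multi-user hotspot.
All sample data below is constructed for this example."""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

CELL = 0.01  # grid resolution in degrees (roughly 1 km); an assumption for the demo


@dataclass(frozen=True)
class Activity:
    user: str
    lat: float
    lon: float
    day: int   # day index on which the activity took place
    hour: int  # local start hour, 0-23


def grid_cell(lat: float, lon: float) -> tuple[int, int]:
    """Bin a coordinate into a heat-map cell (the aggregation step)."""
    return (math.floor(lat / CELL), math.floor(lon / CELL))


def aggregate(activities: Iterable[Activity]) -> dict:
    """Collapse individual activities into per-cell statistics."""
    cells = defaultdict(lambda: {"count": 0, "users": set(), "days": set(), "hours": []})
    for a in activities:
        c = cells[grid_cell(a.lat, a.lon)]
        c["count"] += 1
        c["users"].add(a.user)
        c["days"].add(a.day)
        c["hours"].append(a.hour)
    return cells


def find_hotspots(activities: Iterable[Activity], min_users: int = 3,
                  min_days: int = 5, known_public=frozenset()) -> list[dict]:
    """Return cells where several distinct people exercise repeatedly, excluding
    cells already known to be public (parks, city centres). No single activity
    meets the criteria; only the combination does."""
    found = []
    for cell, c in aggregate(activities).items():
        if cell in known_public:
            continue
        if len(c["users"]) >= min_users and len(c["days"]) >= min_days:
            hours = sorted(c["hours"])
            found.append({
                "cell": cell,
                "users": len(c["users"]),
                "days": len(c["days"]),
                "typical_hour": hours[len(hours) // 2],  # median start hour
            })
    return sorted(found, key=lambda h: -h["users"])


def sample_activities() -> list[Activity]:
    """Constructed data: a busy city, a remote location used by a small group,
    and a lone hiker passing through once."""
    acts = []
    # Forty runners in a city centre: many users, many days, but a known public area.
    for i in range(40):
        acts.append(Activity(f"city{i}", 51.505 + (i % 7) * 0.0003,
                             -0.125 + (i % 5) * 0.0003, i % 10, 7 + i % 12))
    # Four people running the same 1 km cell at 06:00 on 14 consecutive days.
    for day in range(14):
        for u in ("alpha", "bravo", "charlie", "delta"):
            acts.append(Activity(u, 34.4712 + day * 0.0001, 69.1823, day, 6))
    # A single hike on a single day: should never be flagged on its own.
    acts.append(Activity("hiker", 35.9, 70.1, 3, 14))
    return acts


if __name__ == "__main__":
    public = {grid_cell(51.505, -0.125)}  # constructed allowlist of expected activity
    for h in find_hotspots(sample_activities(), known_public=public):
        print(f"cell {h['cell']}: {h['users']} users over {h['days']} days, "
              f"typically around {h['typical_hour']:02d}:00")
```

The point of the `known_public` exclusion is that the finding is not "people exercise here" but "people exercise here, regularly, in a place where nothing else explains it". Without the allowlist the city centre is flagged too, which is the noise an analyst would discard; with it, only the remote cell remains.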
Understanding Information Risk Means Looking Beyond Threats
Most awareness programmes begin with the attacker. They teach people what a phishing email looks like, how a fraudulent invoice might appear or why somebody might attempt to steal credentials. Information awareness begins somewhere else. It begins with the information itself. Before asking how information might be attacked, it asks what the information actually is, how it is created, how it moves through an organisation and what meaning it acquires as it accumulates connections to other information.
We already understand this intuitively in other contexts. Historians rarely reconstruct events from a single document. Archaeologists do not discover ancient civilisations because they uncover a neatly written report explaining everything that happened. Instead, they assemble fragments. A road, a coin, a building foundation and a collection of pottery shards may reveal more about a society than any individual artefact. Meaning emerges from relationships.
Understanding Information Risk Through Relationships and Context
Consider a calendar. Most people regard calendars as administrative tools rather than information assets. Yet a calendar records relationships, priorities, travel, commitments and recurring patterns of activity. A supplier list appears equally mundane until somebody realises it describes how an organisation actually functions. Project names reveal direction. Contact lists reveal relationships. Access permissions reveal trust structures. None of these things were designed to communicate strategy, yet together they often describe an organisation with surprising accuracy.
What makes this interesting is that people readily recognise the value of information when analysing somebody else’s organisation. Give an experienced executive a supplier list, a hiring plan, a project portfolio and a travel schedule from a competitor and they will quickly begin constructing a picture of priorities, dependencies and future direction. They do not need a strategic plan because they can infer the strategy from the surrounding evidence.
Yet when organisations think about their own information, they often focus on documents and systems rather than relationships. Information becomes something stored in a file rather than something that emerges from a network of interactions.
This may explain why traditional awareness training sometimes feels incomplete. It teaches people to recognise threats but rarely helps them understand information. Employees learn to identify suspicious messages without necessarily understanding the lifecycle of the information they create, modify, share and consume every day. They become aware of attackers while remaining largely unaware of the information ecosystem that surrounds them.
In many cases, understanding information risk requires understanding that lifecycle and the relationships that information develops as it moves through an organisation.
The distinction is subtle but important. Threat awareness asks whether somebody might steal a document. Information awareness asks what story that document, its metadata, its relationships and its surrounding context might tell when viewed alongside everything else. One perspective focuses on the attack. The other focuses on the information.
Both matter.
But if organisations truly want people to make better decisions, they may need to spend less time teaching employees about threats, because threats evolve, and more time helping them understand the ecosystem. After all, people rarely create security problems because they fail to recognise a threat. More often, they create them because they never realised the information was valuable in the first place.