
Concerns about Information Security Training and Awareness – Part 1

Someone does not have to be in the field of information security very long before becoming acquainted with the long-held belief that information security training and awareness provides one of the best returns on investment of any control measure. Empirical data support this belief. To counter personnel-related security vulnerabilities from 1994 through 2002, the US Military Regional Computer Emergency Response Team (RCERT) in Europe initiated a security training and awareness effort in which users were instructed on the value of computing assets as well as the security-related risks and appropriate procedures. One important finding from the study was that training significantly reduced the time between the discovery of vulnerabilities and when they were fixed.

However, a substantial problem exists: a huge gap between the theory of information security training and awareness and the practice of it. Much lip service is given to security training and awareness, but in reality organizations devote relatively little time and few resources to it. In many organizations security training and awareness consists of little more than awareness posters taped to walls in passageways and message pads bearing a trite slogan such as “Think security.” And, strangely, whenever there are funding problems for information security practices, security training and awareness sessions and courses are almost invariably among the first things to be slashed. The same goes for the training and awareness specialists on the information security staff. How can this be if security training and awareness produces more “bang for the buck” than any other initiative?

I also find it perplexing that so few articles and papers in professional magazines and journals cover security awareness and training. Most of the ones I have read over the years have some value, but I have not read any that I would consider breakthrough articles, ones that share insight that can transform a training and awareness effort into one that is super effective. Possibly the reason for the dearth of published training and awareness articles is fear of leaking intellectual property; after all, numerous organizations and individuals make a large portion if not all of their revenue from security awareness and training. Sharing breakthroughs with competitors would, of course, be most unwise. Still, if training and awareness produces such a great ROI, one would think that proportionally more articles on this subject would be published.

I do a fair share of teaching courses for professional organizations, so I am not in a good position to objectively evaluate what is good and what is deficient about training materials and curricula. I do, however, know that many of the topics I teach are not innately interesting to attendees. Take, for example, network security. Learning about the various types of network media and protocols is not exactly the kind of thing people want to do during their leisure hours. I have to use every trick I know to make the content of such courses interesting to attendees. Additionally, most courses nowadays consist of slide presentations followed by demos or hands-on sessions, followed by more slide presentations. With all the breakthroughs in media technology, one would think that different, more interesting and engaging learning methods would be used more often in information security training and awareness.

So I will close by repeating what I said earlier: there is a huge paradox. Information security professionals believe that training results in huge dividends, yet training and trainers are in practice greatly undervalued. I will propose some possible solutions in my next blog entry.
