
Concerns about Information Security Training and Awareness – Part 2

I’ll continue from where I left off in my last blog entry.  I’ve pointed out some problems and dilemmas associated with information security training and awareness. What are some possible solutions?

First and foremost, senior management must understand what information security training and awareness is and why it is so potentially valuable to the organization’s business. I have a strong suspicion that even some of the top information security professionals overlook the necessity of getting senior management buy-in for training and awareness. Don’t get me wrong—information security professionals have a difficult enough time trying to win senior management support for their information security programs—trying to obtain their support for parts of and initiatives within these programs is, I am sure, even more difficult. But unless senior management really understands what security training and awareness can potentially accomplish at the cost of relatively few resources, the chances of a training and awareness effort being effective diminish considerably.

Perhaps part of the problem with senior management’s lack of awareness of the many benefits of security training and awareness is that training and awareness efforts seldom target senior management. Putting security awareness posters in the hallway onto which senior managers’ offices open is certainly not very likely to be effective in making senior management more aware of security-related issues and solutions. Although I am aware of (and have occasionally taught) security awareness courses for senior management in a few organizations, I also know that unless attending these courses is mandated by the CEO, the likelihood of managers attending is minuscule. And if managers are forced to attend, the ill will towards information security that obligatory attendance creates can often outweigh any benefits of the training.

A few years ago I tried a different approach to exposing senior management to some security training and awareness. I figured that because senior managers’ time is at such a premium, allowing them to get awareness training using their own computer in their own office was the way to go. Working closely with someone from the publications department, I developed learning objectives for a short (approximately 15 minutes) distance learning course, and then sent email to a number of senior managers whom I considered part of the target audience, describing these objectives and asking for feedback. Although most recipients of my messages predictably did not respond, a few did, and the ones who responded gave some very valuable feedback, particularly in pointing out issues that I had omitted. I then proceeded to design the distance learning course content from the revised objectives, and finally worked with the publications staff member to create interactive slides, sound effects, and a short quiz at the end. Next I rolled out a small pilot project in which I was able to get about a dozen managers (the majority of whom were not actually “senior”), obtained feedback, and then made final revisions to the course content. The course, which was available on demand at a special Web site, was announced in several different ways, and I was even able to get the CIO to announce the course at a staff meeting. A few weeks later, I asked the same persons who originally announced the availability of the course to announce it once again. The result of all the time, effort and money invested was extremely disappointing—only a small fraction of senior managers ever took the course, and of those who did, almost nobody bothered to take the ten-question self-assessment quiz at the end. My reaction was extreme disappointment—I had pulled out all the stops, so to speak, investing far more time and effort than I was ever paid for, and only a fraction of the targeted audience took the course.

As I look back at what happened, now over four years ago, I realize that unless senior managers were required to complete the course (just as they are required to complete sexual harassment and safety courses), they would not do so. But I did not have the power to require anything, and although I tried to convince the CIO that it would be very worthwhile for him to mandate taking the course, I was not successful (mainly because the CIO was fearful of the political consequences of making such a mandate). Furthermore, I had inroads neither with the president to whom the CIO reported nor with his staff. But once again, even if I had been successful in getting a requirement to take the distance learning course in place, mandating participation in security training and awareness would have produced quite a bit of resistance.

The “bottom line” is that there is no clear path to success with security training and awareness.
