I need to air out one last thing about information security training and awareness. Typically, a security training and awareness course is taught, attendees listen, take notes, fill out course evaluations, and then leave. Unbelievably, a measurement of the amount of learning or skill development on the part of the attendees is seldom taken. I’ll confess that not too long ago, I taught a course on Windows security without arranging for any kind of post-hoc measurement of the amount of learning achieved, so I cannot with good conscience say that I have done better. But how can an information security practice possibly claim to have given effective training when there are no indicators other than glowing reports of success by instructors and testimonials on the part of attendees?

One promising approach is the one taken by the SANS Institute. Approximately ten years ago its founder, Alan Paller, became concerned that course attendees were not being held accountable for the time and expense invested in the security training courses they were attending. This was the starting point of the SANS GIAC certification program, in which, after taking a course, attendees of SANS training can become certified in areas such as information security essentials, information security management, firewalls, hacker techniques, and many others by passing an examination in their area of training. The fact that individuals who take SANS courses have the option to demonstrate afterwards that they have achieved at least a minimum level of knowledge has opened the way to measurement in information security training and awareness. Several other security organizations have since followed SANS’ lead in this area.

Examinations after information security training represent a step forward, but they do not provide the set of robust and meaningful metrics that information security governance requires. Metrics have become more entrenched in the information security arena over the last half decade or so, but not in the information security training and awareness area. This is surprising, because creating and using such metrics in this area seems rather intuitive and straightforward. Suppose that a course on firewalls is held. Measuring attendees’ knowledge in areas such as firewall policies, configuration, maintenance, and interpreting log output would not be at all difficult. But although gains in knowledge would be nice to see, such measures are not the kind of performance indicators that truly show that an information security practice is achieving its strategic goals. Metrics that measure critical variables such as the change in employees’ attention to and respect for information security, the change in the number of security-related incidents and policy violations that occur after a major training effort, the change in the number of security-related bugs in programmers’ code after training, and so on are far more suitable.

Consider a saying: “If you don’t measure something, it didn’t happen.” I do not wholeheartedly believe this saying, but it seems to me that information security professionals should heed its message to a greater extent when it comes to security training and awareness efforts. If security training and awareness is really as important as we information security professionals say it is, we could and should do a better job of devising and measuring security training-related metrics.
