Not Providing Training and Awareness Is The Dumbest Idea For Information Security

As time goes on, and more and more information security incidents and privacy breaches occur, I continue to hear otherwise smart people say silly and completely wrong statements about the need (or lack of) for information security and privacy training and awareness!

A couple of days ago I received a very thoughtful comment, from “fatbloke,” to my blog post, “Common InfoSec & Privacy Training Mistakes.”

“One approach to security awareness activities I am aware of and which apparently works is to make the activities *personally relevant* to the workforce. One large organisation in the UK did this by providing training/information sessions for staff related to personal/home computing – i.e. how to install/configure AV software and why it was necessary, how to use a personal firewall, how to spot a phishing e-mail and so forth. From here, they then turned the focus of the training to the company’s aims and objectives with the result that staff understood why security policies and controls were necessary and why they were implemented. I’m not sure how prevalent this approach is in the States (it’s not really prevalent in the UK), but would be interested to hear your views. Oh, and your views on Marcus Ranum’s “6 Dumbest Ideas in Computer Security” (, specifically number 5 (“Educating Users”) would also be of interest!”

Thanks so much for your comment, fatbloke! There are a couple of very important points in your comment that I want to expand upon.
1) Training and awareness communications must be relevant to those receiving them to be effective.
I’ve believed this, and practiced this, for a very long time! In fact, I created my training packages (such as Security Search) and my awareness tools (such as Protecting Information) with this very concept in mind. Participants in training and awareness MUST be able to see how the issues relate to them in order to pay attention, and really understand the security and privacy issues and then carry those lessons learned into their daily work activities.
I not only relate security and privacy issues to individuals personally, I want them to see how these issues relate to their own life away from work, and take the awareness communications to their friends and family and share with them. I even include a “Youth Article” within each issue of “Protecting Information” written by a teen to get his or her perspective and point of view on the topic so that the kids in the family will find the topic of interest and be able to relate to something written by someone close to their own age. We really need to start educating children in K-12 about inormation security and privacy if we expect to have security-and-privacy-smart leaders in the future.
Yes, yes, yes; your comment about making training and awareness communications relate personally to staff is spot on, and to be effective, must be created to address this!
Unfortunately there are a LOT of very poor, and downright horrible, training content packages and tools out there. I’ve reviewed well over 200 different organizational training and awareness programs, and it is sad to see the types of activities and content that is passed off as “training” that is absolutely the furthest thing from training! In fact, much of what organizations try to use for “training” is actually anti-training and ultimately hurts all educational efforts. And makes otherwise smart people say dumb things about the need for training and awareness.
So, so much to say about this. I cover this thoroughly in my book, “Managing An Information Security and Privacy Awareness and Training Program,” which I’m currently completing changes on for the second edition. I’ve often though about putting out snippets of the book, one at a time each day or week, just to get tips out there and make folks aware of what is needed for EFFECTIVE training and awareness. Yes, such types of messages are good awareness communications. 🙂
2) Humans must know how to secure information; technology alone cannot do it.
In almost every information security incident and privacy breach, humans were the cause. Sometimes because of malicious intent, but more often through lack of knowledge and awareness or mistakes made often because security and privacy were not in mind. Even when malicious intent was involved, it typically exploited human security unawareness in some way.
Now, to be fair, I do note that the 6 “ideas” were for “Computer Security“…a much narrower scope than Information Security, which goes well beyond the computer. Huge numbers of privacy breaches occur far from the computer.
I do agree that computer systems and applications must be built with more robust and more transparent security capabilities than are currently found. However, when it comes to effective information security and privacy protection, which is what is necessary to help dam this raging flood of privacy breaches, effective and regular information security and privacy training and ongoing awareness communications is absolutely necessary.
You cannot create a computer technology so secure that no training is necessary for those using the computers. It’s kinda like saying you can build a car so secure that you don’t need to teach people how to drive safely. Who wants to be on the road with those folks?
And besides being smart and wise to provide effective regular training and ongoing awareness communications to help prevent information security incidents and privacy breaches, it is also a requirement in most data protection laws and regulations to provide such education. That is one thing our government leaders have recognized and generally gotten right to require.
Providing effective information security and privacy training and awareness is one of the most cost effective and results effective practices that businesses can do to keep their information assets safe. When I finally get started on my PhD, my thesis will be to prove that effective education improves security and reduces incidents and breaches.
Business leaders, if technology-specific vendors tell you that training is a waste of time and money, it is likely they want to put their hands in your pockets, much deeper than any education investment would be, to sell you a system or application that is tens to hundreds of times the cost of any education program you could put in place.
Business leaders, be smart; invest in information security and privacy education for your personnel. If you don’t, personnel ignorance resulting from your dumbness will probably lead to information security incidents and privacy breaches that could have been prevented with effective training and awarenss practices in place.

Tags: , , , , , , ,

Leave a Reply