Every year or so, an otherwise smart information security professional publishes some really bad information security advice about how awareness and training is a waste of time and money. The latest proclamation at CSO Online has generated a small bit of a firestorm since it was published. 

As time goes on, and more and more information security incidents and privacy breaches occur, and more information is put into the hands, and care, of more and more end-users who have no background in information security or privacy, such statements are simply bad, bad, bad advice. Making such statements also makes it harder for information security and privacy pros to do their job as effectively as possible when business leaders believe such hogwash and then wind up cut funding for information security and privacy education as a result.  I’ve been in the information security and privacy compliance profession for a very long time, have built such programs and assisted many organizations in building theirs, and I could fill a book with examples of how training and awareness activities have improved their information security and privacy efforts and outcomes.  Others in this profession with hands one responsibilities for the full lifecycle of information protection could also write their own books with such examples.

I wrote a blog post about this topic in 2009, and now is a good time to write another and point out that there is greater need than ever before for organizations, of all sizes, to make the comparatively small investment in information security and privacy education for their workers.

5 flawed arguments against information security and privacy education

1. Using single, isolated examples as so-called proof that education in general does not work proves nothing.  Just because some people have still done some bad security actions after receiving training does not mean that all organizations should not provide regular information security and privacy training. The training mentioned in the naysayer’s article could have covered a completely different topic, it could have been ineffective training (good training would have had different results), those who did the security mistake may not have participated in the training, and the list of possibilities could go on and on.

Using this flawed logic we could also say that because anti-virus software does not prevent all viruses from entering a system or network, then it shouldn’t be used at all. Bad idea. Or, that since firewalls do not keep out everything then they should not be used at all. Bad idea.  And the examples could continue on for a very long time.

Would you tell someone not to use seat belts because they do not protect everyone in all situations? No; it just doesn’t make sense.

2. Providing training does NOT transfer responsibility away from IT professionals. Every individual who uses, stores, handles, or otherwise handles information is responsible for securing that information while they go about their daily job activities. It simply makes sense that if they are using information then they must be made aware of how to protect it.  This means that not only IT folks must receive training, but everyone involved with using the information must receive training.  Ultimate responsibility for ensuring appropriate information security practices, including training and awareness, typically falls to the information security department, which is increasingly housed outside of IT any way, since all forms of information (not just that on the network) must be appropriately secured.

3. All information users have responsibilities to protect the information to which they have access. To say workers “don’t have the ability to recognize or protect against modern information security threats” is an especially arrogant and pompously inaccurate statement. Everyone who touches information within a business has a responsibility to use and protect it appropriately, and organizations are responsible for ensuring those workers have had appropriate training to do their work activities securely.

4. Sweeping generalizations cannot be made based upon a few narrow observations. Giving advice for all information security awareness and training activities based upon a few isolated situations, concerning only a very narrow activity is a bad idea. Isolated events do not support such broad generalizations or conclusions. Even the author indicates he could not find any supporting statistical evidence to support his claims.

5. Removing education leaves huge gaping security holes in the business. Removing all information security and privacy education activities and devoting all efforts on technology leaves humongous administrative, physical and operational holes, not to mention violating numerous legal requirements.  The author does not seem to be considering anything but email security (for which his statement is also invalid). He should consider the entire lifecycle of information, in all forms. There are many points throughout that lifecycle where there is no technology involved, and where we must depend upon workers to know how to secure the information.

3 things to know about information security and privacy awareness and training

1)    Training and awareness communications must be relevant to those receiving them to be effective.
I’ve believed this, and practiced this, for a very long time! In fact, I created my training packages (such as Security Search) and my awareness tools (such as Protecting Information) with this very concept in mind. Participants in training and awareness MUST be able to see how the issues relate to them in order to pay attention, and really understand the security and privacy issues and then carry those lessons learned into their daily work activities.

I not only relate security and privacy issues to individuals personally, I want them to see how these issues relate to their own life away from work, and take the awareness communications to their friends and family and share with them. I even include a “Youth Reporter” article within each issue of “Protecting Information” written by a teen to get his or her perspective and point of view on the topic so that the kids in the family will find the topic of interest and be able to relate to something written by someone close to their own age. We really need to start educating children in K-12 about information security and privacy if we expect to have security-and-privacy-smart leaders in the future.

Unfortunately there are a LOT of very poor, and downright horrible, training content packages and tools out there. I’ve reviewed well over 200 different organizational training and awareness programs, and it is sad to see the types of activities and content that is passed off as “training” that is absolutely the furthest thing from training! In fact, much of what organizations try to use for “training” is actually anti-training and ultimately hurts all educational efforts. And makes otherwise smart people say dumb things about the need for training and awareness.

So, so much to say about this. I cover this thoroughly in my book, “Managing An Information Security and Privacy Awareness and Training Program, 2^nd Edition.” I’ve often thought about putting out snippets of the book, one at a time each day or week, just to get tips out there and make folks aware of what is needed for EFFECTIVE training and awareness. Yes, such types of messages are good awareness communications. 

2)    Humans must know how to secure information; technology alone cannot do it.

In almost every information security incident and privacy breach, humans were the cause. Sometimes because of malicious intent, but more often through lack of knowledge and awareness or mistakes made often because security and privacy were not in mind. Even when malicious intent was involved, it typically exploited human security unawareness in some way.

I do agree that computer systems and applications must be built with more robust and more transparent security capabilities than are currently found. However, when it comes to effective information security and privacy protection, which is what is necessary to help dam this raging flood of privacy breaches, effective and regular information security and privacy training and ongoing awareness communications is absolutely necessary.

You cannot create a computer technology so secure that no training is necessary for those using the computers. It’s like saying you can build a car so secure that you don’t need to teach people how to drive safely. Who wants to be on the road with those folks?

And besides being smart and wise to provide effective, regular training and ongoing awareness communications to help prevent information security incidents and privacy breaches, it is also a requirement in most data protection laws and regulations to provide such education. That is one thing our government leaders have recognized and generally gotten right to require.

Providing effective information security and privacy training and awareness is one of the most cost effective and results effective practices that businesses can do to keep their information assets safe.

Business leaders, if technology-specific vendors tell you that training is a waste of time and money, it is likely they want to put their hands in your pockets, much deeper than any education investment would be, to sell you a system, service or application that is tens to hundreds of times the cost of any education program you could put in place.

Business leaders, be smart; invest in information security and privacy education for your personnel. If you don’t, personnel ignorance resulting from your dumbness will probably lead to information security incidents and privacy breaches that could have been prevented with effective training and awareness practices in place.

3)    Many legal requirements exist for information security and privacy awareness and training.  

I’ve covered this topic many times over many years. As mentioned earlier, there are a growing number of laws and regulations that include requirements for organizations to provide some type of information security and/or privacy awareness and training to not only their personnel, but also in some instances to their customers and consumers. For example, the fines and penalties applied under HIPAA have increased dramatically when there was no HIPAA training provided. This is not an exhaustive list, but these laws and regulations include the following (I provide full details for each within Chapter 3 of book “Managing an Information Security and Privacy Awareness and Training Program.”)

Specific Regulatory Education Requirements

• HIPAA
• HITECH Act
• FCRA
• Red Flags Rules
• 21 CFR Part 11 (Electronic Records/Electronic Signatures)
• Bank Protection Act
• Computer Security Act
• Computer Fraud and Abuse Act (CFAA)
• Privacy Act
• Freedom of Information Act (FOIA)
• Federal Information Security Management Act (FISMA)
• 5 U.S.C. §930.301 (for federal offices)
• Appendix III to OMB Circular No. A-130 (2)
• Digital Millennium Copyright Act (DMCA)
• GLBA
• Department of Transportation DOT HM-232
• SOX Act
• The Organization for Economic Cooperation and Development (OECD) Security and Privacy Principles
• The European Union Data Protection Directive
• Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

Bottom line for all organizations, from the largest to the smallest:  Humans have always been, and will always be, the weakest link in information security and privacy.  Too many organizations either provide for no training and awareness communications, or do completely inadequate types of training and awareness.  Every organization of every size needs to invest some time and resources into regular training and ongoing awareness communications. Besides being a smart and wise business decision to provide effective regular training and ongoing awareness, with a comparatively low input cost and tremendous return on significantly better security practices, it is also a requirement in most data protection laws and regulations to provide such education.

Other Information about messaging security and privacy

Here are some other good thoughts and advice about information security and privacy awareness and training:

• Security awareness can be the most cost-effective security measure
•  Security Awareness: Once Is Never Enough
•  Does your staff overshare your corporate private information
• The value of awareness
• The State of Phishing Attacks: Looking past the systems people use, they target the people using the systems
• Security awareness training for SMBs

 

Tags: awareness, breach, compliance, CSO Online, e-mail, electronic mail, email, Information Security, information technology, infosec, IT security, Keywords: personal information, messaging, midmarket, non-compliance, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, security, sensitive personal information, SPI, systems security, training

This entry was posted on Monday, August 6th, 2012 at 5:22 pm and is filed under Laws & Regulations, Training & awareness. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.