It really bothers me when so-called information security and privacy “experts” make statements that awareness activities have no impact. They base their opinions on measurements that could very well be, and likely are, unrelated to each other. Last year a study was presented in Europe claiming awareness activities have no impact on security.
Hogwash!
I wonder how much time these folks have actually spent developing and delivering awareness and training, and what kind of adult education experience or expertise they actually have? Likely none.
These purported academically-based studies typically have huge flaws…such as concluding that awareness activities are worthless just because a company spent a ton of money on them and then someone was able to social engineer entry to the building past one security guard. Did the expensive awareness activities cover social engineering? Was it even a good awareness product? I’ve seen many expensive, crappy, and completely ineffective products being hawked by vendors with slick advertising and smooth-talking sales dudes. Was the security guard even involved with the awareness activities? And so many other variables…and such very bad conclusions in such studies.
Of course you have to make personnel aware of, and understand, the importance of safeguarding information assets. Organizations must understand that there are many different ways to do this. They must also understand that there are many different types of learners working for them.
You cannot do one thing and realistically think that it will be effective for all personnel. You must provide a variety of training targeted to different groups within your organization, and you must provide ongoing awareness activities that will engage your personnel in *ACTIVELY* thinking about the issues being communicated to them. Many of these activities can be done with little to no expense. The key is to create them thoughtfully and with your personnel, the learners, in mind.
The importance of training and awareness to information security and privacy cannot be overstated. When I start pursuing my PhD, my planned research study is to show, with valid data, the value of awareness and training in strengthening information security and privacy.
One of my favorite types of information security projects is creating awareness activities.
Several years ago I was working at Principal Financial Group (PFG).
I was fortunate that they had a dedicated art department with some fantastically-gifted artists. For an awareness activity I worked with the lead artist, Bob (I wish I could remember his last name!! He’s so talented!), passing on to him my ideas for a poster for a security awareness activity.
The poster showed a 3-story building, the side of which was cut away so that you could see all the workers and their work areas inside. The poster also showed the streets, grounds and parking area around the building. I had around 90 very detailed, viewable security infractions that I wanted the artist to visually represent and incorporate into the poster, and he rose to the challenge wonderfully. As just a few examples,
* The door to the back of the building propped open and no one around, but a sneaky looking person (picture someone like Boris or Natasha) looking at it.
* An unattended computer with confidential information on the screen.
* A worker in the building not wearing an ID badge, while all others around have their badges on.
* Confidential information in a trash can.
* And so on…
Yes, this was an oversized poster to fit in all the details. When I first saw a “Where’s Waldo” book a few years later after my first son was born, it reminded me of that poster with regard to the detail involved.
I sent the poster to each business team/department throughout the business campus (around 130 – 140 areas). Accompanying each poster were the instructions along with blank answer sheets for the teams to fill out.
Each team had around a week to write each of the security infractions they found on the answer sheet and send back to me. They were *not* told how many infractions were within the poster; I wanted them to identify all they could without any preconceived limit.
The prize, to the team that correctly identified the most infractions, was a pizza party during lunch for all their team members. I also wrote about the event in our company magazine, and included a photo of the winning team, along with their names and department. This went to all employees, agents and brokers worldwide, so the winners got wide recognition.
I notified the managers a couple of weeks before the posters were sent to let them know that the contest was coming. The contest was supported by our executive sponsor, a Sr. VP, whose name was on the management communication, and who also encouraged the managers to have their personnel participate.
*The importance of executive sponsorship to the success of awareness activities, and information security in general, cannot be overstated.*
There was a fantastic response. I don’t remember the exact statistics, but it was well into the 90% – 95% range for the numbers of business units participating.
The answers provided were also fantastic. The contest submissions were very creative; many provided situations that weren’t really security infractions (e.g., “a man wearing a plaid jacket with mismatched striped pants”) but were entertaining to read! There were also a few team submissions that provided additional security infractions that I had not even planned into the poster.
The winning team identified what I determined to be around 110 actual infractions. Yes, they found things that could be considered as security infractions that I had not purposely engineered into the poster!
Many of the areas left the poster hanging in their area for many months, and even years, following the contest, allowing for further ongoing awareness.
The contest was a great awareness raiser.
* It got the participants actively engaged in thinking critically about the vast range of information security issues within a business.
* It got participants talking with their co-workers about the situations, engaging in friendly debate about whether a situation should indeed be an infraction.
* It got participants talking with their managers about their own related situations.
* Many of the teams updated their own procedures after realizing some of the situations presented similar threats in their own areas.
* As I walked through the campus after the contest I heard personnel talking in the cafeteria, in the hallways, in the gym, etc., about information security issues much more than I had ever heard before.
* The information security intranet website started getting more hits than ever before after the contest.
* Our information security area started getting more calls and emails about security issues after the contest.
* And many other noticeable, positive changes…
Right now I’m speaking with some publishers about creating these types of contest posters again to make available to organizations. Such engaging activities truly do make a positive impact on the security practices of personnel…I’ve experienced it.
Remember, information security and privacy cannot be accomplished solely with technology. Personnel must have an understanding of how their actions impact security and privacy. Information security and privacy professionals must effectively help them reach this understanding.
Tags: awareness and training, Information Security, IT compliance, policies and procedures, privacy, risk management, social engineering