Security Awareness, Education and Training Trump Technology

Carl Weinschenk

It's easier to talk about anti-virus, intrusion detection systems, network access control and other pieces of hardware and software than about the real problem: people.

The reason the human element is not discussed as often as security widgetry is because of its unpredictability. Code operates under a given set of conditions. Humans clearly do not.

While dealing with people is messier, it also has a far greater upside for security professionals. People, unlike security applications, can be taught to do a better job. The good news is that ever-more information is available to protect laptops (which seem to be particularly vulnerable) and other devices and systems.

The trick is to get people to pay attention. This Processor piece, which is based on a survey of more than 450 senior executives and IT managers at small and medium-size businesses (SMBs), found that managers believe better awareness among employees will improve security. The bottom line is that improving education and training is among the most cost-effective ways to buttress security. This message -- that the more folks learn about security, the safer devices and systems will be -- clearly is intuitive.

But that doesn't mean that organizations have done all they can do to exploit the opportunity.

The Processor story offers some suggestions:

  • Companies should make sure new employees have a clear understanding of the organization's security policies;
  • Policies and procedures -- and changes to them -- should be communicated in an ongoing and accessible manner;
  • Upper management should be made to understand the importance of security and be partners in its execution;
  • Professional trainers should be brought in;
  • Outside organizations should assess security and the results should be used to sharpen training and awareness programs.

Another area in which education is a big deal is how potential customers perceive the safety of e-commerce. The Pew Internet Project released a study that revealed that 75 percent of those surveyed don't like to give out personal information on the Internet. Report author John Horrigan is quoted as saying that this belief, whether it is "real or perceived," is slowing the growth of the Internet economy.


Pew even puts a number to the notion: Horrigan said that 7 percent more people would shop online if the fears didn't exist. Of course, no system can be guaranteed completely safe. The story makes the compelling case, however, that online commerce is more secure than the use of credit cards in brick and mortar scenarios. Driving that notion home clearly is the salient challenge to security personnel working for organizations that must coax sensitive information out of the consumers with whom they deal.


Some progress is being made. Forty percent of respondents to The Conference Board's Consumer Internet Barometer say that they are planning to file their federal tax returns online this year, an increase of 6 percent from three years ago. More than two-thirds -- the release doesn't provide a precise number -- have filed online for three years or more. That number was less than 55 percent in 2005.


The Consumer Internet Barometer, the release says, is a survey of more than 10,000 households. It's interesting that paying taxes online is considered safer than other types of cyber-transactions. Half of respondents said that they are "extremely concerned" with banking online and online bill payments, while only 44 percent expressed the same sentiment for online tax filing. Women, the survey said, are remain more concerned than men about paying Uncle Sam through cyberspace.


There also is a long way to go. The study referenced in this OSA post is aimed at consumers. Clearly, however, the results have ramifications for IT security staffs simply because people don't become any smarter or knowledgeable when they go to work. Important details on the study are not provided, but the results seem in line with what is happening. Twenty-five percent of respondents have not heard of phishing, 46 percent couldn't accurately define the term, and 78 percent had no idea of how to assess the security of an online site.


The good news, if there was any in the survey, is that virtually all respondents (98 percent) understand that it is important to know whether or not a site is safe to visit. Security staffs and IT departments must play a big role in teaching them -- as well as employees who they oversee -- two things: The Internet doesn't have to be a dangerous place and the keys to keeping it from becoming one.

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


Add Comment      Leave a comment on this blog post
Feb 21, 2008 12:01 PM Aaron Higbee Aaron Higbee  says:
Good post Carl. I'm glad others can see that user training has real value. Reply
Mar 12, 2009 5:14 PM ram ram  says:

good work

Jun 8, 2009 7:40 PM Karen Letain Karen Letain  says:

Here we are a full year and a bit past when this blog entry posted and I am not sure we have made much progress on this.  I see more companies struggling with trying to implement a security awareness program in their organization.  I see many fail...typically due to the fact that they 1.  do not have management buy-in at the on-set.  2.  Do not assign a project manager and champion to spearhead the project.  3.  They don't communicate and market it to the end users so that there a a clear understanding of why this is important.  4.  They don't make it engaging or even remotely fun. 5.  There is no reinforcement of learned behaviors.


Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.

Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.