Clearly there is a need to do a better job educating workers about IT security risks and threats and to teach them how to be part of the security solution rather than the security problem.
CIO and CSO magazines recently joined the consulting firm PwC to conduct a global survey and publish the report Global State of Information Security 2013. More than 9,300 executives in 128 countries provided input about the state of IT security in their organizations. The report reveals a real weakness when it comes to employee security awareness and practices. Consider:
• Only 29% of the surveyed organizations say their employees (at all levels) are very aware of cyber risks.
• Only 29% are very confident they've instilled effective information security behaviors into the organizational culture.
• 68% of the respondents said their organization had one or more security incidents last year.
• 22% of the organizations had 10 or more security incidents in the previous year.
• It's estimated that in 37% of these incidents, employees were the source of the security breach.
This last statistic is upheld by the Ponemon Institute, which noted in its 2011 Cost of a Data Breach Report (U.S. edition) that 39% of breaches are caused by negligent insiders.
Traditional approaches to employee education just aren't working when it comes to IT security training. When workers sit in a classroom and view one PowerPoint slide after another, they aren't really learning the subject as they need to. The lesson is out of context with the real work environment. The class is often boring and too long. When there's no active participation or interaction with real computing situations, the lessons don't sink in. Seminar-style classes also offer little to no measurement of what was learned, no feedback to workers on how well they've done, and no continuous improvement process.
The key to effective employee security training is to use learning science principles. In other words, throw out the boring slideware and use tools and techniques that let people learn in a way that is scientifically proven to allow them to absorb and retain more of the content.
Wombat Security Technologies Inc., a provider of cybersecurity training and filtering solutions, offers up the following best practices that have proven successful in making people aware of security risks and motivating them to change their behaviors and be more security conscious.
Successful security training is a process, not a one-time event. Security training platforms that include analytics help organizations assess human risk factors across multiple attack vectors including email, mobile devices, social networking and passwords. This allows security officers to create a customized training program that addresses the most prevalent or risky employee behaviors first. The best results are achieved by setting realistic goals to modify two or three risky security behaviors at a time. As progress is made, more risks can be addressed with the addition of new training modules.