Trick or Treat for Poll Clicks, Please! :)
Do you think my current blog poll (right side of screen, scroll down a bit) is lame? A couple of my friends, including some information assurance colleagues, told me that my question this week is a no-brainer and that no one will take a poll whose answer is obvious.
Well, if you read my blog occasionally, you know that I am a strong believer that information security and privacy awareness and training are absolutely necessary for security and privacy efforts to be effective. But I have also seen published statements from some otherwise very smart folks claiming that awareness and training efforts are a waste of time and money, or that technology alone can result in effective security since most folks will "never learn anyway."
So that is why I posted the poll. I wanted to see whether any of the folks who think awareness and training are worthless read my blog; if so, it would motivate me to seek out and provide you with demonstrable evidence that awareness and training *IS* of utmost importance. I also want to see how many of you believe that education is very important.
The results so far have been interesting, but I want more poll clicks! I feel like I've gone Trick-or-Treating and I'm coming home with an almost empty bag...like I must have just cut two holes into an old flowered sheet and used that as my costume.
Please click this week's poll by Sunday, and I promise the poll I have for next week will be much more intriguing...I'm going to have more than two choices! And I know from some recent articles that the topic I will be polling on can be somewhat controversial. It'll be like I have traded in my flowered-sheet ghost for my super-duper Elastigirl costume! :)

Comments
Pretty much everyone agrees that information security awareness and training are important, but the more interesting question is how to do it. Some organizations seem to think it's worth putting employees through a compulsory training course once a year or less. I think they're nuts. Some say "awareness doesn't work because employees still do dumb things". I wonder if there is a correlation between the people with both points of view?
Posted by: Gary Hinson | August 12, 2007 3:21 AM
Thanks for your thoughts, Gary!
Unfortunately, as I just blogged about today (8/12), I have seen a small percentage of folks that do not have this opinion, much to the potential damage of information security efforts.
I do like the "how to do it" question. This is something I've been studying and doing work in for a very long time. Yes, education done poorly is very likely a significant reason there are still too many security incidents and privacy breaches.
I'd love to see research and an experiment demonstrating the correlation! However, who wants to purposefully do education poorly? Perhaps the small percentage of folks I blogged about today? :)
Posted by: Rebecca | August 12, 2007 8:43 PM
Hi Rebecca.
I don't think people *deliberately* run useless awareness programs. Rather, they don't know any better and have a lack of experience, creativity and capability in this area. Part of the problem is that information security is usually the responsibility of IT Security people, who are usually IT people, and hence are often nerds. Nerds are great at communicating with fellow nerds but hopeless at putting anything across to ordinary mortals or indeed understanding them (I know, I'm exaggerating to make a point; if it helps, I consider myself a reformed former nerd!).
I'm quite confident there is a preponderance of certain personality types in IT. Nerdyism is more than just a joke. I'd be willing to bet that there's an uneven distribution of Myers-Briggs Personality Types in IT compared to the rest of the organization. With your background in psychology, Rebecca, would you agree? If so, could this be why typical security awareness programs are so badly designed and ineffective, and hence give the whole concept a bad name?
All the best,
Gary
Posted by: Gary Hinson | August 14, 2007 4:41 PM
I agree that "nerdyism," as Gary put it, is overly common in IT. Maybe this is because, as kids, teenagers, and young adults, people who are good with computers are usually loners. I don't mean loners in a bad way, but they are happy by themselves, working away at a computer. I always was. These loners don't usually learn confidence in dealing with other people. Luckily I've learned how to relate to people, or at least talk loud enough for them to hear me ;) I've run into many nerds who haven't, though, and I feel bad for their struggle.
I feel myself about to make the same point as Gary: that the bridge between the majority of IT people and the rest of company personnel is often too hard to cross. And perhaps this is where security awareness gets lost in the crossing.
My 2 cents,
Kara
p.s. Hello Rebecca, from a fellow Missourian.
Posted by: Kara | August 16, 2007 10:18 AM
Gary and Kara, you make some great points.
I think you both highlight the common practice of giving awareness and training responsibilities to folks with no background or training in how to effectively *DO* awareness and training. It would be like assigning the high school custodian to also teach the math classes along with his/her other duties, or assigning the cafeteria cooks to also teach history classes.
Organizations need to ensure that the people given education responsibilities know how to educate. Then this gap can be more successfully bridged. Unfortunately this is rarely the case, which results in poor quality and ineffective training and awareness activities.
Kara, nice to virtually meet a fellow Show-Me-Stater! :)
Posted by: Rebecca | August 17, 2007 12:01 PM