
Common InfoSec & Privacy Training Mistakes

I've been reviewing some of the information security and privacy training and awareness content for some organizations; some large and some small. Most of the training is ineffective...

When information security and/or privacy incidents happen, too many organizations, and otherwise smart professionals, conclude that information security and privacy training doesn't work and isn't worth the time. In fact, the problem is that the training they provide is bad and ineffective, and usually awareness communications are non-existent!

Step back and consider that everyone does NOT learn and understand in the exact same way. Organizations must think about the communications used within training and awareness efforts.

Human nature closely parallels mother nature...

I like to run around my lake next to the hay field. Not only is it good exercise, it also gives me some good thinking time. As I run, I hear the constant croaking of the bullfrog and the intermittent but regular chirps of the leopard frog. When I'm close to the water, the sandpipers start squeaking at me from where they stand and continue until I leave the water's edge. There are three red-winged blackbird nests right next to my running path. When I approach each, the parent birds start screaming at me and flying around me, trying to distract me from their nest. As soon as I am a little distance away, they stop their tirade. These are four different creatures with four different and distinct ways of communicating. The bullfrog constantly drones with his loud message, the leopard frogs emphasize their chirping message regularly, the sandpipers start sounding their warnings when I approach, and consistently squeak while I'm in their area. The red-winged blackbirds scream only when I am very close.

They remind me of how organizations do their awareness and training activities: The frogs sing out to anyone within earshot, as many organizations do when they send awareness messages for anyone to read or notice. The blackbirds target their messages specifically at me, much like training efforts that are targeted at specific groups. As with most organizations, these messages are basically the same, regardless of who might be within hearing range.

Indiscriminate announcements such as these are bound to be ineffective with some types of passersby. This consistent, unvarying style of communicating is often the same approach organizations take to information security and privacy training and awareness activities: they send the same messages in the same way to widely diverse audiences. This is just one of the mistakes organizations make when launching training and awareness programs.

Tailor training content and awareness communications to be specific to your organization, and provide different content to your different target groups, based upon their job responsibilities.

I will provide much more about infosec and privacy training and awareness mistakes, along with more in-depth details, in blog posts to come!

Have any questions? Let me know and I'll try to address them in future posts.


Comments

One approach to security awareness activities I am aware of and which apparently works is to make the activities *personally relevant* to the workforce.

One large organisation in the UK did this by providing training/information sessions for staff related to personal/home computing - i.e. how to install/configure AV software and why it was necessary, how to use a personal firewall, how to spot a phishing e-mail and so forth. From here, they then turned the focus of the training to the company's aims and objectives with the result that staff understood why security policies and controls were necessary and why they were implemented.

I'm not sure how prevalent this approach is in the States (it's not really prevalent in the UK), but would be interested to hear your views.

Oh, and your views on Marcus Ranum's "6 Dumbest Ideas in Computer Security" (http://www.ranum.com/security/computer_security/editorials/dumb/), specifically number 5 ("Educating Users") would also be of interest!

Thanks for your comment, fatbloke! (Gosh, I feel really rude saying that!)

I wholeheartedly agree, and I've been preaching this for over a couple of decades. My training and awareness tools, contents and products are all built upon making information understandable, and relatable, to the personnel.

And yes; I have some definite views about #5 of the 6 so-called ideas!

I will elaborate upon all this on a blog post in a day or two!

Rebecca


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for the past two decades. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the world's best privacy experts and on their list of the best privacy consulting firms in both 2007 and 2008. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 13th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.