
Could a security pledge replace security awareness training?

Some universities use a security pledge so that students commit to good cybersecurity practices. Mike O. Villegas discusses whether this might work for enterprise employees.

I've heard some colleges use what's called a cybersecurity pledge to encourage students to practice good security hygiene, such as using strong passwords, leveraging multifactor authentication and avoiding unencrypted USB devices. The idea behind such a pledge is to encourage students to think twice about doing something that could potentially expose their data or compromise their accounts and/or systems. Could a security pledge work with enterprise employees? Could it be a possible alternative or supplement to security awareness training?

Duke University is one of the universities to start a security pledge called the CyberSmart Pledge. All university staff, faculty and students are encouraged to take this pledge and "commit to secure computing practices both at home and at work."

This security pledge is a good idea, and it could go even further. The pledge at Duke University was taken by completing an online survey and was only active during October 2015 -- National Cybersecurity Awareness Month. Cybersecurity awareness shouldn't last just one month, so the pledge could be a continually available option. Also, the CyberSmart Pledge did not address whether there were consequences for not taking the pledge, and not all the 70,000+ people who access Duke data and systems took the pledge. If there were defined consequences, perhaps more people would have taken the pledge.

Most enterprises have new hire orientation that includes an introduction to the internal information security program. Along with the employee handbook, new hires are asked to sign a form agreeing to abide by internal policies and procedures, including the information security policy. While this is certainly similar to the security pledge, it could go further.

In addition to new hire orientation, all employees should sign an annual Acceptable Use Agreement (AUA) that states they will abide by the enterprise information security policy. This agreement augments -- not replaces -- the enterprise security awareness program, and a security pledge should be taken the same way. It should come at the end of security awareness training, not instead of it.

If an employee chooses not to sign the AUA, human resources and information security should question the individual and disable his account, with the possibility of termination if he still refuses. This may seem like harsh punishment, but why would an enterprise keep an employee who will not commit to following company information security policies, keeping passwords safe or reporting suspected security incidents?

This was last published in May 2016

Join the conversation

4 comments

Would your organization consider implementing a security pledge? Why or why not?
How does the pledge differ from the company's security policy?
As a new employee, I must agree that I will adhere to the security policy - so why any pledge?
If something is important, it should be incorporated in the policy. If it's not, why any pledge?
Online security is an effective marketing tool since it adds credibility to a profile that is generally viewed as unscrupulous, the web.
Anything to promote a cybersecurity mindset is probably a good thing, though doing a "pledge" on entry to an organization is probably going to have limited impact unless it is repeated regularly, in a meaningful way.