Effectively promoting end-user security awareness is a challenge for most companies. Unfortunately, many security professionals inundate users with training sessions, posters and other paraphernalia, rather than taking the time to proactively identify user weaknesses. The result is a far from effective infosecurity campaign.
While campaigns are arguably more effective than doing nothing, infosecurity trainers and managers could benefit from using human performance technology (HPT), an outcomes-focused discipline that identifies gaps in performance.
Corrective measures could include:
- Creating job and other performance aids.
- Revising policies to better reflect organizational culture.
- Implementing new technologies to better address user needs.
- Eliciting top-down support to initiate culture change.
- Measuring the results of the intervention to see if the gaps have really been addressed.
Selecting awareness or training programs before identifying the fundamental problem is often costly and harmful. A comprehensive training program likely will be ineffective if the cause of the problem is a lack of employee motivation, poor knowledge retention, poor policy enforcement or any number of inhibitors that training and awareness activities can't address.
Applying a HPT approach shifts the emphasis to discovering why policies and practices aren't being followed and subsequently selecting an appropriate plan of attack. If the gap is a mixture of lack of motivation and lack of retention, a better approach might be to develop peer mentors who are trained in end-user security and serve as localized security support personnel and advocates. Based on an identified gap, this approach saves money in terms of delivery--significantly fewer people to train -- and implementation -- fewer incidents, less paperwork, less disciplinary action.
This approach also could improve the security culture from the ground up. To find out if it did, we ask and answer questions such as: "How many security incidents occurred in the month after the intervention? How do these numbers compare with the number of incidents prior to the intervention?"
Ending the cycle with a systematic evaluation process not only provides comparisons, but helps to fine-tune security campaigns over time for efficiency and effectiveness, and can demonstrate ROI.
Though people are generally regarded as the weakest link in the infosecurity chain, it shouldn't automatically be assumed that users need to be pelted with training or awareness activities. Following the tenets of HPT, human controls can be made more efficient and cost effective, a win-win situation for everyone involved.
About the author
Matt Rose is an instructional director and outreach coordinator at the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.
For more information on this topic, visit these resources:
- Security Policies Tip: Creative user education
- News & Analysis: Dos and don'ts -- Policing user security policies
- Best Web Links: Employee security education