Addressing the people problem: Human performance technology

Matt Rose, Instructional Director & Outreach Coordinator, CERIAS

Effectively promoting end-user security awareness is a challenge for most companies. Unfortunately, many security professionals inundate users with training sessions, posters and other paraphernalia, rather than taking the time to proactively identify user weaknesses. The result is a far from effective infosecurity campaign.

While campaigns are arguably more effective than doing nothing, infosecurity trainers and managers could benefit from using human performance technology (HPT), an outcomes-focused discipline that identifies gaps in performance.

Corrective measures could include:

  • Training.
  • Creating job and other performance aids.
  • Revising policies to better reflect organizational culture.
  • Implementing new technologies to better address user needs.
  • Eliciting top-down support to initiate culture change.
  • Measuring the results of the intervention to see if the gaps have really been addressed.

Selecting awareness or training programs before identifying the fundamental problem is often costly and harmful. A comprehensive training program likely will be ineffective if the cause of the problem is a lack of employee motivation, poor knowledge retention, poor policy enforcement or any number of inhibitors that training and awareness activities can't address.

Applying a HPT approach shifts the emphasis to discovering why policies and practices aren't being followed and subsequently selecting an appropriate plan

    Requires Free Membership to View

of attack. If the gap is a mixture of lack of motivation and lack of retention, a better approach might be to develop peer mentors who are trained in end-user security and serve as localized security support personnel and advocates. Based on an identified gap, this approach saves money in terms of delivery--significantly fewer people to train -- and implementation -- fewer incidents, less paperwork, less disciplinary action.

This approach also could improve the security culture from the ground up. To find out if it did, we ask and answer questions such as: "How many security incidents occurred in the month after the intervention? How do these numbers compare with the number of incidents prior to the intervention?"

Ending the cycle with a systematic evaluation process not only provides comparisons, but helps to fine-tune security campaigns over time for efficiency and effectiveness, and can demonstrate ROI.

Though people are generally regarded as the weakest link in the infosecurity chain, it shouldn't automatically be assumed that users need to be pelted with training or awareness activities. Following the tenets of HPT, human controls can be made more efficient and cost effective, a win-win situation for everyone involved.

About the author
Matt Rose is an instructional director and outreach coordinator at the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.

For more information on this topic, visit these resources:

This was first published in August 2003

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.