I've heard some colleges use what's called a cybersecurity pledge to encourage students to practice good security hygiene, such as using strong passwords, leveraging multifactor authentication and avoiding unencrypted USB devices. The idea behind such a pledge is to encourage students to think twice about doing something that could potentially expose their data or compromise their accounts and/or systems. Could a security pledge work with enterprise employees? Could it be a possible alternative or supplement to security awareness training?
Duke University is one of the universities to start a security pledge called the CyberSmart Pledge. All university staff, faculty and students are encouraged to take this pledge and "commit to secure computing practices both at home and at work."
This security pledge is a good idea, and it could go even further. The pledge at Duke University was taken by completing an online survey and was only active during October 2015 -- National Cybersecurity Awareness Month. Cybersecurity awareness shouldn't last just one month, so the pledge could be a continually available option. Also, the CyberSmart Pledge did not address whether there were consequences for not taking the pledge, and not all the 70,000+ people who access Duke data and systems took the pledge. If there were defined consequences, perhaps more people would have taken the pledge.
Most enterprises have new hire orientation that includes an introduction to the internal information security program. Along with the employee handbook, new hires are asked to sign a form agreeing to abide by internal policies and procedures, including the information security policy. While this is certainly similar to the security pledge, it could go further.
In addition to new hire orientation, all employees should sign an annual Acceptable Use Agreement (AUA) that states they will abide by the enterprise information security policy. This agreement augments -- not replaces -- the enterprise security awareness program, and a security pledge should be taken the same way. It should come at the end of security awareness training, not instead of it.
If an employee chooses not to sign the AUA, human resources and information security should question the individual and disable his account, with the possibility of termination if he still refuses. This may seem like harsh punishment, but why would an enterprise keep an employee who will not commit to following company information security policies, keeping passwords safe or reporting suspected security incidents?