Could a security pledge replace security awareness training?

Some universities use a security pledge so that students commit to good cybersecurity practices. Mike O. Villegas discusses whether this might work for enterprise employees.

I've heard some colleges use what's called a cybersecurity pledge to encourage students to practice good security hygiene, such as using strong passwords, leveraging multifactor authentication and avoiding unencrypted USB devices. The idea behind such a pledge is to encourage students to think twice about doing something that could potentially expose their data or compromise their accounts and/or systems. Could a security pledge work with enterprise employees? Could it be a possible alternative or supplement to security awareness training?

Duke University is one of the universities to start a security pledge called the CyberSmart Pledge. All university staff, faculty and students are encouraged to take this pledge and "commit to secure computing practices both at home and at work."

This security pledge is a good idea, and it could go even further. The pledge at Duke University was taken by completing an online survey and was only active during October 2015 -- National Cybersecurity Awareness Month. Cybersecurity awareness shouldn't last just one month, so the pledge could be a continually available option. Also, the CyberSmart Pledge did not address whether there were consequences for not taking the pledge, and not all the 70,000+ people who access Duke data and systems took the pledge. If there were defined consequences, perhaps more people would have taken the pledge.

Most enterprises have new hire orientation that includes an introduction to the internal information security program. Along with the employee handbook, new hires are asked to sign a form agreeing to abide by internal policies and procedures, including the information security policy. While this is certainly similar to the security pledge, it could go further.

In addition to new hire orientation, all employees should sign an annual Acceptable Use Agreement (AUA) that states they will abide by the enterprise information security policy. This agreement augments -- not replaces -- the enterprise security awareness program, and a security pledge should be taken the same way. It should come at the end of security awareness training, not instead of it.

If an employee chooses not to sign the AUA, human resources and information security should question the individual and disable his account, with the possibility of termination if he still refuses. This may seem like harsh punishment, but why would an enterprise keep an employee who will not commit to following company information security policies, keeping passwords safe or reporting suspected security incidents?

This was last published in May 2016