Daniel, the self-proclaimed “reluctant CISSP and InfoSec curmudgeon”, sat down with Infosecurity at this week’s RSA exhibition in San Francisco to discuss the topic of user education programs – specifically where and how they are most effective.
User education is highly ineffective, Daniel believes, in the most extreme environments – where organizations literally need to bolt down IT assets to prevent theft or tampering. “Those are not people who [will embrace] education about how to protect your customer’s data.”
The examples he provided lie outside the knowledge-based economy, such as food service jobs, manufacturing, and other lower-paying occupations, yet these still make use of modern IT.
As you make your way up the employment food chain, to retail for example, education of end users can have some effect, Daniel asserted, but organizations must balance the resources committed to such a program against the expected returns.
In this mid-level, there are often employees who are willing to learn and absorb the lessons of an effective security education program, he added. “Think about who you can make a difference with, and focus your efforts on the people who are willing to learn. Then you have a couple of people you can count on to not make [the situation] worse.”
User education, however, is far easier to impart upon end users within organizations that inherently understand risk: for example, insurance and financial services firms.
Nevertheless, Daniel believes that even among these more receptive user bases, education is approached from the wrong perspective. In his opinion, yearly or periodic compliance seminars – typically comprising rather generic PowerPoint presentations – are rarely effective for imparting enduring security and compliance education.
“Here we have an audience that can learn, but we often do it wrong,” he lamented. “It’s very easy to do security education incorrectly in a whole bunch of ways.”
So what makes for an effective security education program, in situations where it can actually have a positive effect on reducing risk? Daniel, who often engages Astaro’s clients and other community partners in user education programs, said security practitioners must remember that their end users are employed to do their specific job, not data security or compliance.
“That’s our job”, he declared. “What we have to do is teach them in a way that it relates to their job and remember that there are some things we will ask them to do that will make it harder to do their job.”
The key, Daniel concluded, is to provide real-world examples that illustrate the self-interest aspects of an organization’s security program. “They need to think about how their stewardship of data relates to their personal stake” in the company’s mission and, by extension, the security of their own employment. It’s a matter of not just explaining what to do, but being candid as to why users need to perform certain tasks in a specific manner.