Is Data Security Awareness Training Effective?
Daniel Solove
Professor, GW Law School + CEO, TeachPrivacy + Organizer, Privacy+Security Forum
A recent article in CIO explores the question: Is data security awareness training effective?
The answer: Yes.
The article points to an ISACA study that seeks to measure the effectiveness of data security awareness training. The study concludes: “Security awareness training is a vital nontechnical component to information security. As such, it is in the interest of the public and private sectors to continue to research this component that directly impacts security’s weakest link: humans.”
The study notes that “Respondents from a recent Enterprise Strategy Group survey stated that training users on confidential data security policies was the most important measure for protecting proprietary information.”
The CIO article points out that “when specific employee behaviors are addressed in a meaningful way to bring about a security-aware culture, the incidence and cost of non-compliance plummets.”
Education has both an intrinsic and an instrumental value. Education is good because it is good in and of itself to learn more about things, and education is good because it is one of the most powerful tools for improving decisions and behavior.
So the conclusion of the article is no surprise. But it’s always nice to hear it emphasized.
* * * *
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells. The views here are Professor Solove’s personal views and not those of any organization with which he is affiliated.
Self Employed - CyberSecurity Consultant and Project Manager
I have long been an advocate for raising cyber security awareness - particularly in industries that are in business to help others (think healthcare) but where IT struggles to get any substantive budget allocations. Every little bit helps, and users remain a weak link in most organizations due to sophisticated spear-type phishing attacks. Thanks for the encouraging perspective.
LOOKING FOR NEW ROLE - Legal IT, Lawtech (Software) & Law Firm Cloud Computing Sales & Marketing Consultant / Director
There is a huge Technical IT Security Skills Gap, and no amount of user awareness and training will overcome this.
Data Center Technician at Atos
Data security awareness training can be effective only if you have employees who are willing to understand the importance of protecting company data. As networks become more complex, training must be ongoing for employees so that they are mindful of the fact that there are hackers out there who want to cause chaos.
Yes and no. Training is something that has to be done on an ongoing basis. For example, providing training just to meet compliance requirements will not be enough. Companies must understand that there are several ways a network can be hacked, from outside the perimeter and by internal users. Training has to be done on an ongoing basis to address these variations so that people understand how data is handled and the impact a data breach can have. Furthermore, sensitive data can be found almost everywhere, and it is necessary for companies to understand that all that data access can be controlled. But as important as putting controls in place is, it is necessary to provide ongoing training to data owners; we need to put entitlement reviews in place and guidelines to grant and remove access. Finally, we need to use technology wisely. If we know that there is a lot of sensitive unstructured data around your company and we know that many data breaches exploit the lack of controls around it, let's address the issue, find the right technology, get processes and guidelines in place and take control of it. Data security awareness training by itself will always fail. You need training, processes, technology and incentives to keep data secured.