Avoiding Common Mistakes in Information Security and Privacy Training and Awareness Programs
By Rebecca Herold, Posted 01/09/10
In Part I of this three-part Executive Update series on information security,1 I discussed the reasons that business leaders would be wise to realize there is not a more effective information security and privacy defense than informed and aware employees. Protecting information in all forms is not only a business priority; it is also a business requirement. Business leaders have an obligation to ensure that all information within the organization is adequately protected. Effective information security and privacy training and awareness activities are not only necessary to meet regulatory requirements; they are also necessary to ensure that your employees have a true understanding of information security and, as a result, work in the most secure manner possible. Without effective training and ongoing awareness communications, your organization is vulnerable to information security incidents and privacy breaches. This could not only severely damage your reputation and brand, but it could also result in significant financial damage. Over the past two decades, I have not only built information security and privacy education programs, but I have also helped organizations turn their dismal education practices into effective programs. Here in Part II of this series, I describe the 14 mistakes organizations consistently make that render training and awareness programs ineffective and often even detrimental to information security and privacy efforts.2
1. NO LEADERSHIP SUPPORT
Top executives often do not clearly or visibly support educational efforts. If employees do not think that executives support training and awareness efforts, then they will probably not be motivated to participate. Executive sponsorship and support are necessary for a successful information security and privacy education program. Businesses must get their leaders to sponsor and promote education. Make it a priority to get executive sponsorship, preferably from the CEO or president, which you can use to visibly promote education. If a company’s employees do not think its top business leaders care about information security and privacy, then the employees will not care either.
Figure 1 contains a memo you can use as a template to create one to send from your executive sponsor, with his or her modification, of course, to promote the importance of training and awareness.
2. THROWING THE EDUCATION PROGRAM TOGETHER TOO QUICKLY
Many organizations try to put together information security and privacy training and awareness materials and programs quickly just to meet either an auditor’s or regulator’s requirements, or to try to comply with a regulatory or legal requirement deadline. This thrown-together training is rarely effective, and it usually does not include the components necessary for proper training and communications. It usually lacks learning objectives and does not engage the learners.
Do not build your program without thought. Throwing together an education program will have an ineffective result, which will ultimately make your leader’s educational efforts seem worthless to employees.
3. NOT FITTING THE ENVIRONMENT
Many organizations do not build the education program around the business environment. They purchase a ready-made training module and copy as much awareness materials as they can free from the Internet.
Figure 1 — Sample executive memo.
They also may copy the awareness and training program for a specific topic from another organization, but do not take the time to modify the materials to fit their own business environment. Using purchased training materials and good (the operative word) communication about awareness are good places to start, but you need to modify material to meet your organization’s business environment. Do not try to introduce a ready-made program or another organization’s education program into your organizational environment without customizing it, or your employees will readily see that the material does not apply to your organization and will largely ignore the information, making it ineffective.
4. NOT ADDRESSING LEGAL AND REGULATORY REQUIREMENTS
Organizations often put together information security and privacy education programs without researching or taking into consideration the regulatory requirements for such education, resulting in large gaps in their education efforts. Training and awareness requirements applicable to your organization must be researched and pertinent topics must be covered.
5. BUDGET MISMANAGEMENT OR NO BUDGET
Many organizations are under the misconception that planning, creating, and delivering training and awareness activities take little expertise, insignificant preparation, few resources, or a combination of all of these. Most organizations do not carry out an impact analysis to determine educational needs and then establish a realistic budget. As a result, corporate information security and privacy education programs are often underfunded or even have no funding. Plan adequately for education and then obtain an appropriate budget.
6. USING UNMODIFIED EDUCATION MATERIALS
Organizations often have the unrealistic optimism to assume that information security and privacy training and awareness efforts can be fulfilled using off-the-shelf materials without modification or tailoring. This leads to ineffective training and awareness, along with frustration of the trainers and the learners, with the use of inappropriate materials. Using materials that don’t fit your business environment will ultimately damage your education efforts. Always make sure materials are modified as appropriate to meet your organization’s unique education requirements.
7. INFORMATION OVERLOAD
Organizations often try to dump a huge amount of information into a learner’s brain in a short period. Too many try to tell all there is to know about privacy and/or information security during a single one-hour training session. Many studies indicate, however, that people can comprehend, and remember, only five to nine items of information at any one time.3I’ve found the limit in the classes I’ve taught to be seven specific pieces of information.
In addition, if you cover too much material at once, learners might feel as though they are having massive amounts of material unrealistically piled on them. This will likely make learners resentful and not want to learn. Break up training and awareness messages and sessions into sizes that can be successfully absorbed. Instead of giving one huge training session for one to two hours each year, give a 10-minute training session every quarter or every other month. It is more effective in the long run.
8. NO CONSIDERATION FOR THE LEARNER
Organizations often create training programs from the viewpoint of the person presenting. This results in information presented in a condescending way or without any of the background necessary to allow true learning to occur. Instead, training and awareness should focus on the learner. Be sure to create training curriculum and awareness activities with which the learner can relate and can easily apply to his or her job responsibilities.
9. POOR TRAINERS
Organizations often choose subject matter experts (SMEs) to do training. However, just because someone is an expert for a topic does not mean that he or she will also be a good instructor. SMEs often do not see a topic with the same perspective as a person who has little to no knowledge on the subject. If the SME has no background or knowledge about what it takes to be an effective instructor, then the SME, even with the best of intentions, will likely not be successful in getting the message across. Not only will the SME become a frustrated trainer, your employees will become frustrated learners and have the opinion reinforced that training is a waste of time. Make sure the trainers you use are not only knowledgeable in the topic but are also experienced in effective training methods.
10. INFORMATION DUMPING
Content developers and trainers often mistakenly believe that simply telling or showing is teaching. Trainers and those who develop training content must realize that people learn in different ways. Many people do not learn well by just listening or reading. Consider your target audiences and deliver training in different ways to accommodate your audience’s learning styles. To truly educate all your employees, tailor training content and awareness communications and activities to address the following three types of learners:
- Visual— learn best through seeing and reading
- Audio— learn best by listening to information
- Kinesthetic— hands-on learners who require some type of activity to learn
Do not just dump information on your audience; provide training and awareness using methods with which they can relate, understand, and absorb.
11. NO MOTIVATION FOR EDUCATION
There is often no motivation for participants to learn information security and privacy topics, and sometimes even no motivation to attend training. Thus, organizations must provide motivation for employees to know and understand information security and privacy issues. Motivate your employees to participate in information security and privacy awareness and training activities. Tell learners why the security and privacy issues the topics cover are in place and how they directly affect their jobs. Make information security and privacy activities, including training and participation in awareness activities, part of the criteria for annual job appraisal.
12. INADEQUATE PLANNING
Organizations often do not plan well for awareness and training events. Information security and privacy training events are often scheduled at the same time as another big training event within the organization or during a time that conflicts with the target audience’s own deadlines, products releases, and so on. Inadequate planning also can lead to missing resources during training events, inadequate materials for awareness activities, and a hodgepodge of other problems that will negatively affect educational efforts. Be aware of everything going on within your organization and know everything you need, right down to the smallest detail. Plan well for education delivery and success.
13. NOT EVALUATING THE EFFECTIVENESS OF EDUCATION
“You can’t manage what you don’t measure” is an old management adage that still applies today, particularly to education efforts. If you continue to give poor or ineffective training, your program will not be successful. You must evaluate the effectiveness of your program and make changes as necessary. Effective use of information security and privacy measurements can have a profound impact on your business. As you gain a better understanding of your business and move closer to achieving important goals, your day-to-day work will become easier, and your staff will be more accountable for the measurements that matter. You’ll make sound information security and privacy decisions based on consistently generated measurements that are created in the context of business.
14. USING INAPPROPRIATE OR POLITICALLY INCORRECT LANGUAGE
Many years ago, when I was responsible for building and managing the information security and privacy education program for a large multinational organization, while I was planning the company’s first worldwide training event, I learned the hard way that certain words and phrases mean something completely different in other parts of the world. Thank goodness I sent the training content to the local contacts to review first! I had to push back the training launch a few weeks as we replaced a few important terms and phrases that, while were perfectly innocent in the US, had some very derogatory and insulting meanings in some of the other countries where we had offices.
Create training content and awareness materials that will not offend your learners and discuss issues in such a way that is appropriate within your business environment, as well as within each of the geographic locations where you are providing the education.
1Herold, Rebecca. “How Information Security, Privacy Training, and Awareness Benefit Business.” Cutter Consortium Enterprise Risk Management & Governance Executive Update, Vol. 5, No. 11, 2008.
2This is an updated version of the same mistakes I discuss in:
Managing an Information Security and Privacy Awareness and Training Program. Auerbach Publication, 2005, pp. 55-60.
3Included among the many studies is the one described in: Stolovitch, Harold, D. Telling Ain’t Training. ASTD Press, 2002, p. 23.
ABOUT THE AUTHOR
Rebecca Herold, CISSP, CISA, CISM, FLMI, CIPP, is a Senior Consultant with Cutter Consortium’s Enterprise Risk Management & Governance practice and a contributor to that advisory service. She has been an information privacy, security, and compliance consultant, author, and instructor with her own company, Rebecca Herold & Associates, LLC, since mid-2003. Ms. Herold has more than two decades of privacy and information security experience and has provided information security, privacy, and compliance services to organizations in a wide range of industries throughout the world. Her blog was listed among the “Top 50 Internet Security Blogs” by the Daily Netizen; Computerworld named her among the “Best Privacy Advisers” and “Best Privacy Firm” in both 2007 and 2008; and IT Security named her as “Top 59 Influencers in IT Security.”
Ms. Herold is also an Adjunct Professor for the Norwich University Master of Science in Information Assurance program. She is currently working on her 13th book. A few books she has written include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Privacy Management Toolkit, and she cowrote The Practical Guide to HIPAA Privacy and Security Compliance. Ms. Herold has also authored chapters for dozens of books along with close to 200 published articles, including contributions to Cutter Benchmark Review and Cutter IT Journal (as Guest Editor). She creates the Protecting Information newsletter and contributes articles to other publications regularly. Ms. Herold has a BS in math and computer science and an MA in computer science and education. She can be reached at firstname.lastname@example.org.
The Executive Update is a publication of the Enterprise Risk Management & Governance Advisory Service. © 2009 by Cutter Consortium. All rights reserved. Unauthorized reproduction in any form, including photocopying, faxing, image scanning, and downloading electronic copies, is against the law. Reprints make an excellent training tool. For information about reprints and/or back issues of Cutter Consortium publications, call + 1-781-648-8700 or e-mail email@example.com.