MEASURING TRUST IN PRIVACY AND SECURITY
Ponemon Institute

More Employees Ignoring Data Security Policies

June 10, 2009, 4:38 pm

Does it surprise you to learn that, according to our recent study, Trends in Insider Compliance with Data Security Policies: Employees Evade and Ignore Security, employee compliance with corporate data security policies is on the wane?

Why do you think this is? I’m seeing a confluence of conditions that appear to be contributing to this challenge to data integrity: the development of new, mobile technologies that empower employees to do more while away from the office; a failure of organizations to keep pace with the ways technology is changing the dynamics of data security; and current economic conditions that are putting increased pressure on individuals to be more productive with fewer resources.

According to our study, made possible through a sponsorship by secure USB flash drive developer IronKey, employees routinely engage in activities that put sensitive data at risk. They are downloading data onto unsecured mobile devices (61%), sharing passwords (47%), losing data-bearing devices (43%), and turning off their mobile devices’ security tools (21%). And, reflective of the blurring of the lines between personal and professional lives, they are using web-based personal email in the office (52%), downloading Internet software onto an employer’s devices (53%), and engaging in online social networking while in the workplace (31%).

With the exception of social networking, which we measured for the first time this year, each of these risky behaviors represents an increase compared to last year's results.

Interestingly, of those surveyed, 58% said their employer failed to provide adequate data security awareness and training, and 57% said their employer’s data protection policies were ineffective. According to 43%, there was poor communication and enforcement of data security policies.

The Ponemon Institute believes these results show an overall lack of urgency by companies on the need to address data security. Unfortunately, our studies have also shown that it often takes a data breach incident before an organization finally gets its wake-up call and takes data security seriously.


Comments

December 9, 2011 10:25am
Bill T

Your report actually supports what we are seeing as part of an internal Privacy/Security assessment in our 40 offices. We do an interview technique that looks at where data is coming from (inputs), how it is internally used (process) and where it goes (outputs). We have discovered that staff are willing to share information about their behavior. We use an unstructured approach. Most are unaware, beyond the basics, that they could expose PHI or PII. What we have learned is that policies are too complex, especially around security. You have business staff that are focused on goals and do not relate security as part of their business goal. Staff who are either pressured or just trying to do a good job will use shortcuts and don't really think about privacy and security beyond the basics. A good example is staff that are on the road who leave a laptop visible while running in to get a cup of coffee at a Starbucks. The challenge we see is making operational reality and policies match.

We also see the issue as being the ever changing requirements in the security field especially around non-technical staff understanding why the latest technology is not necessarily secure. Sometimes the "cool" factor takes the place of good common sense security.

The third finding is that senior management unless they have been involved in fields that have a heavy emphasis in compliance are unwilling to follow privacy and security measures even if it is regulatory. We see this especially around leadership that comes from the manufacturing field.

We have found that we have to use both a heavy educational approach (building a culture) plus technical tracking for compliance.

December 9, 2011 10:25am
Jeremy Bergsman

Larry,

I hope to take a look at the full results of this survey. By way of contrast, my organization, the Information Risk Executive Council, has surveyed over 100K users over the last 3 years and we have quite different results. We show a very small increase in adherence to security policies over this time. We don't believe the improvement is meaningful, but our data are clearly not consistent with a worsening overall.

http://irec.wordpress.com/2009/06/16/user-behavior-the-glass-is-half-full/

As discussed briefly in the above blog post, we do see some variation across the behaviors we track, but it is hard to ascribe much meaning to these--they seem to be more an issue of sampling error than real trends.

December 9, 2011 10:24am
William H Truesdell

In this issue, as in all other employment-related issues, what the boss feels is important is what will receive attention from employees. It seems too many managers view data security as a "non-issue" because they perceive little downside to themselves if problems should occur. Employee data, customer data, credit card data, even sensitive national security data have been lost with little or no consequence to those involved. Is it any wonder Congress is toying with the idea of imposing penalties for such risky behaviors?

December 9, 2011 10:23am
Doug Finley

We've been told for years that IT security isn't all that hard to do. All we have to do is make certain that our SysAdmins and technicians never make a configuration error; that our users are so well trained and attentive that they never misjudge a file or attachment; that our patches are always applied quickly and uniformly; and that the anti-virus tables on each device in the enterprise are always completely up-to-date. Never mind that each of those four things is unattainable, we're just supposed to do it.

Without making light of the need for care in configuring the enterprise's IT systems, or the need for user training and patching, those things don't have to be critical elements of an organization's security practices. Once we acknowledge that configuration errors will, too often, be inflicted on our systems; users will forget their training or become inattentive at the worst time; and patch preparation will take too long and patching will miss too many individual nodes; then we can begin to address the real problem of enterprises staffed with normal (fallible) human beings.

Whitelisting, done right, assumes the IT world as it is, warts and all. In some quarters, it has for some time been acknowledged as the best available solution if only we could overcome the problem of fussy users and whitelist maintenance. Naknan has an endpoint security solution in which whitelist management is no longer a problem – it is done automatically as patches, updates, and applications are pushed out. Fussy users will always be with us, but we help overcome that problem by offering flexibility in the way our solution is applied.

No, we don't prevent every possible security breach, only those involving malware, where malware is defined as unauthorized software (think LimeWire and similar non-business applications). Yes, malware is only part of the problem, but it is a very large part, arguably the most damaging part, of the problem (or maybe TJX, Heartland, and Wagner don't count).

For too long we've had our head in the sand. Blacklisting doesn't work except for mail/web servers; educating a constantly-churning pool of employees means you always have some who are insufficiently educated and many who are just plain inattentive; SysAdmins and technicians will make mistakes, some of which will have the potential for great harm; and patching will be delayed, incomplete, or deliberately not done on some critical node where incompatible software is running. The answer is not to work harder at the same ineffective "solutions" but to find a solution that works. Whitelisting, done right, works.
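The comment above argues for application whitelisting and names whitelist maintenance (every patch changes the binary) as the obstacle that "done right" has to solve. The following is an added example written for this page, not code from the post, from Naknan or from Ponemon: a minimal default-deny allow-list keyed on the SHA-256 of an executable's bytes, with the allow-list updated by the same deployment channel that pushes patches. The class and function names are the example's own, and every "binary" is a constructed byte string rather than a real program; a production product would also use publisher signatures and path rules, which this example does not model.

```python
"""Minimal application allow-listing model (added example, not Naknan's or
Ponemon's code). Executables are identified by the SHA-256 of their bytes;
anything not on the allow-list is denied by default. The allow-list is
maintained by the same channel that deploys software, so a patched binary
is admitted at the moment it is pushed rather than after a user complaint.
All "binaries" below are constructed byte strings, not real programs."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of an executable image."""
    return hashlib.sha256(data).hexdigest()


class AllowList:
    """Default-deny set of approved image hashes (hypothetical class)."""

    def __init__(self) -> None:
        self._approved: dict[str, str] = {}  # sha256 -> human-readable label

    def is_allowed(self, image: bytes) -> bool:
        return sha256_hex(image) in self._approved

    def approve(self, image: bytes, label: str) -> None:
        self._approved[sha256_hex(image)] = label

    def revoke(self, image: bytes) -> None:
        self._approved.pop(sha256_hex(image), None)


class DeploymentChannel:
    """Stands in for the patch/update push. Each push installs the new image
    and records its hash in the same step; that coupling is the 'automatic'
    whitelist maintenance the comment describes (hypothetical class)."""

    def __init__(self, allow_list: AllowList) -> None:
        self.allow_list = allow_list
        self.installed: dict[str, bytes] = {}  # app name -> current image

    def push(self, name: str, image: bytes, version: str) -> None:
        old = self.installed.get(name)
        if old is not None:
            self.allow_list.revoke(old)  # superseded version may no longer run
        self.installed[name] = image
        self.allow_list.approve(image, f"{name} {version}")


def try_execute(allow_list: AllowList, image: bytes) -> str:
    """Enforcement decision for a would-be executable: 'allowed' or 'denied'."""
    return "allowed" if allow_list.is_allowed(image) else "denied"


def demo() -> dict:
    """Walk through the cases that matter for allow-listing in practice."""
    allow = AllowList()
    chan = DeploymentChannel(allow)
    v1 = b"MAILCLIENT v1.0 (constructed sample)"
    chan.push("mailclient", v1, "1.0")
    results = {}
    # 1. An approved business application runs.
    results["v1_runs"] = try_execute(allow, v1)
    # 2. Unauthorized software (the comment's file-sharing example) is denied
    #    by default; no signature database or blacklist entry is needed.
    results["unlisted_denied"] = try_execute(allow, b"FILESHARE client (constructed)")
    # 3. A tampered copy of an approved binary has a different hash, so it is
    #    denied even though its name would match.
    tampered = v1.replace(b"v1.0", b"v1.O")
    results["tampered_denied"] = try_execute(allow, tampered)
    # 4. A patch changes the hash. If the allow-list were not updated in the
    #    same push the new build would be blocked (the maintenance problem);
    #    pushing through the channel records it as part of the deployment.
    v1_1 = b"MAILCLIENT v1.1 (constructed sample)"
    results["v1_1_before_push"] = try_execute(allow, v1_1)
    chan.push("mailclient", v1_1, "1.1")
    results["v1_1_after_push"] = try_execute(allow, v1_1)
    results["v1_0_after_push"] = try_execute(allow, v1)
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The "before push" case is the one that makes or breaks adoption: an allow-list that is updated by a separate, slower process than patching turns every patch cycle into a wave of blocked users, which is the "fussy users and whitelist maintenance" problem the comment raises. Revoking the superseded hash on push is a design choice; an organization that must tolerate staggered rollouts would keep the previous version approved for a grace period instead.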

December 9, 2011 10:22am
John Sileo

I have seen some of the same root causes in the trend towards ignoring data security. I like your summary of confluence:

1. Increased data portability
2. Technology outpacing education
3. Bottom-line cost-saving pressure

In one of your other posts, you pointed to an article in Forbes that mentioned what I find to be an additional leading cause: desensitization due to information overload. It is not just consumers that are being overloaded by breach notifications; corporations are being overloaded trying to patch holes in a technological dike with masking tape. In addition to trying to retrofit software that was never designed with much security in mind, they are unwilling to dip into their bottom line to buy some duct tape (or to repair the holes at the source).

It is not an easy solution, but education at the employee level (not the departmental level, not the executive level) is the beachhead for this particular mission. Alas, education budgets have been cut even further than security budgets, compounding the problem. Of all the audiences I speak to, the healthiest companies have actually increased their budgets for security awareness and education. And they start it at the grass roots level: by teaching their employees to care about their own data security.
