
Training Is the Strongest Link

December 10, 2009

Today we held a RIM College event featuring three noted experts in corporate privacy training programs, namely Dean Forbes (Merck), Bob Posch (Merck) and John Block (Media Pro). Our focus is: what are leading companies doing to achieve awareness and knowledge of privacy and data protection requirements?

To minimize insider threats within the corporate environment, I believe there is nothing more important than educating the workforce. Despite its importance, our Institute's benchmark results suggest organizations are not doing enough to educate employees, temporary employees and contractors. Here are some of our less-than-stellar results, based on benchmarks of US-based multinational organizations:

Only 68% of benchmarked organizations have a formal privacy training program and only 32% of these organizations consider this training event mandatory.

Only 38% of benchmarked organizations provide specialized training for individuals who handle, manage or protect sensitive or confidential personal information, such as call center employees.

Only 44% of benchmarked organizations that do privacy training assess the training program for effectiveness, and only 25% formally assess or measure program goals.

In general, other benchmarks also suggest substantial privacy training programs are not widely implemented. If you would like to see these benchmarks, give us a call or send an email to research@ponemon.org.


Posted by Dr. Larry Ponemon at 3:50 pm



Comments

Brian Darby (Senior Analyst) - March 3, 2010 1:09pm

One can barely count the number of wretched, misguided, wasteful programs that started with "I believe". Show me the data. Show me the data that supports the assertion that training results in fewer security incidents. Not the data that users remember the training; that is easy and pointless. Show me the data that supports the hypothesis that you know what topics to teach, because teaching them results in fewer security incidents. Not the data on what users enjoyed learning; again, pointless. Show me the data that supports the assertion that the investment in training has a lasting effect on the number of security incidents, so we'll know how much to invest. Stop believing and show me the data: published, peer-reviewed data.

Mike Spinney (Sr. Privacy Analyst) - April 8, 2010 9:07am

Brian - Thanks for taking the time to write, but I disagree with your assertion that training and awareness programs are ineffectual elements of a sound security strategy. Our own research shows that organizations that have strong leadership in place managing information security programs have fewer incidents; that employees who are aware of data management and usage policies are much less likely to misuse their privileges; and that when organizations suffer a data breach, training and awareness are among the first programs implemented to address future risk. Anecdotally, given that human error is the leading factor behind most data breach incidents, it just makes sense that better training and awareness, translating into a more informed and vigilant workforce, can only have a positive effect on an organization's overall security posture. You demand peer-reviewed research to support our position, which is completely research-based, yet you offer none to support your own claim that training and awareness are ineffective? Show me *your* data. Mike

John - April 28, 2010 9:45am

Check out reports from the National Highway Traffic Safety Administration on the effectiveness of the "Click It or Ticket" campaign, discussed at the Honeytech blog and on Bruce Schneier's blog. From Honeytech: "The key finding of the report was that enforcement and not money spent on media were key to results. The states that had the strongest enforcement had the most people using seat belts. The states with the weakest enforcement had the lowest seat belt usage." Effectiveness = education + enforcement.

**John's correct in pointing out the need to enforce the rules as a key component of any security strategy. Without enforcement, rules will, over time, have no effect. -- Mike**