Training Is the Strongest Link

December 10, 2009

Today we held a RIM College event featuring three noted experts in corporate privacy training programs, namely Dean Forbes (Merck), Bob Posch (Merck) and John Block (Media Pro). Our focus: what are leading companies doing to achieve awareness and knowledge of privacy and data protection requirements?

To minimize insider threats within the corporate environment, I believe there is nothing more important than educating the workforce. Despite its importance, our Institute's benchmark results suggest organizations are not doing enough to educate employees, temporary employees and contractors. Here are some of our less-than-stellar results, based on benchmarks of US-based multinational organizations:

Only 68% of benchmarked organizations have a formal privacy training program, and only 32% of these organizations consider this training mandatory.
Only 38% of benchmarked organizations provide specialized training for individuals who handle, manage or protect sensitive or confidential personal information, such as call center employees.
Only 44% of benchmarked organizations that do privacy training assess the training program for effectiveness, and 25% of companies formally assess or measure program goals.

In general, other benchmarks also suggest that substantial privacy training programs are not widely implemented. If you would like to see these benchmarks, give us a call or send an email to research@ponemon.org.
Posted by Dr. Larry Ponemon at 3:50 pm

Comments (3 comments)
Mike Spinney (Sr. Privacy Analyst) - April 8, 2010 9:07am
Brian - Thanks for taking the time to write, but I disagree with your assertion that training and awareness programs are ineffectual elements of a sound security strategy. Our own research shows that organizations that have strong leadership in place managing information security programs have fewer incidents; employees who are aware of data management and usage policies are much less likely to misuse their privileges; and that when organizations suffer a data breach, training and awareness are one of the first programs implemented to address future risk. Anecdotally, given that human error is the leading factor behind most data breach incidents, it just makes sense that better training and awareness, translating into a more informed and vigilant workforce, can only have a positive effect on an organization's overall security posture. You demand peer-reviewed research to support our position, which is completely research-based, yet you offer none to support your own claims that training and awareness are ineffective? Show me *your* data. Mike
John - April 28, 2010 9:45am
Check out reports from the National Highway Traffic Safety Administration on the effectiveness of the "Click it or Ticket" campaign at the Honeytech blog and on Bruce Schneier's blog. From Honeytech: "The key finding of the report was that enforcement and not money spent on media were key to results. The states that had the strongest enforcement had the most people using seat belts. The states with the weakest enforcement had the lowest seat belt usage." effectiveness = education + enforcement.

**John's correct in pointing out the need to enforce the rules as a key component of any security strategy. Without enforcement rules will, over time, have no effect. -- Mike**

One can barely count the number of wretched, misguided, wasteful programs that started with "I believe". Show me the data. Show me the data that supports the assertion that training results in fewer security incidents. Not the data that users remember the training; that is easy and pointless. Show me the data that supports the hypothesis that you know what topics to teach, because teaching them results in fewer security incidents. Not the data of what users enjoyed learning - again, pointless. Show me the data that supports the assertion that the investment in training has a lasting effect on the number of security incidents, so we'll know how much to invest. Stop believing and show me the data - published, peer-reviewed data.