MEASURING TRUST IN PRIVACY AND SECURITY
Ponemon Institute

Training Is the Strongest Link

December 10, 2009, 3:50 pm

Today we held a RIM College event featuring three noted experts in corporate privacy training programs -- namely, Dean Forbes (Merck), Bob Posch (Merck) and John Block (Media Pro). Our focus is: what are leading companies doing to achieve awareness and knowledge about privacy and data protection requirements?

To minimize insider threats within the corporate environment, I believe there is nothing more important than educating the workforce. Despite its importance, our Institute's benchmark results suggest organizations are not doing enough to educate employees, temporary employees and contractors. Here are some of our less than stellar results, based on benchmarks of US-based multinational organizations:

Only 68% of benchmarked organizations have a formal privacy training program and only 32% of these organizations consider this training event mandatory.

Only 38% of benchmarked organizations provide specialized training for individuals who handle, manage or protect sensitive or confidential personal information, such as call center employees.

Only 44% of benchmarked organizations that do privacy training assess the training program for effectiveness, and 25% of companies formally assess or measure program goals.

In general, other benchmarks also suggest substantial privacy training programs are not widely implemented. If you would like to see these benchmarks, give us a call or send an email to research@ponemon.org.


Comments

December 8, 2011 5:02pm
John

Check out reports from the National Highway Traffic Safety Administration on the effectiveness of the "Click it or Ticket" campaign at the Honeytech blog and on Bruce Schneier's blog.

From Honeytech: "The key finding of the report was that enforcement and not money spent on media were key to results. The states that had the strongest enforcement had the most people using seat belts. The states with the weakest enforcement had the lowest seat belt usage."

effectiveness = education + enforcement.


**John's correct in pointing out the need to enforce the rules as a key component of any security strategy. Without enforcement, rules will, over time, have no effect.
-- Mike**

December 8, 2011 5:01pm
Mike Spinney

Brian -

Thanks for taking the time to write, but I disagree with your assertion that training and awareness programs are ineffectual elements of a sound security strategy. Our own research shows that organizations that have strong leadership in place managing information security programs have fewer incidents; employees who are aware of data management and usage policies are much less likely to misuse their privileges; and that when organizations suffer a data breach, training and awareness are one of the first programs implemented to address future risk.

December 8, 2011 5:00pm
Brian Darby

One can barely count the number of wretched, misguided, wasteful programs that started with "I believe".

Show me the data.

Show me the data that supports the assertion that training results in fewer security incidents. Not the data that users remember the training, that is easy and pointless.

Show me the data that supports the hypothesis that you know what topics to teach, because teaching them results in fewer security incidents. Not the data of what users enjoyed learning - again pointless.

Show me the data that supports the assertion that the investment in training has a lasting effect on the number of security incidents, so we'll know how much to invest.

Stop believing and show me the data - published, peer-reviewed data.
