The Problem with End User Security Training: Part One
By James Stanger
If you were to get any CIO, IT administrator, or manager to sit down and discuss the common causes of security problems on their networks, you'd get the standard litany of worries. You'd hear about improperly configured systems. We've all seen an improperly configured firewall open up security holes. Just as often, we've seen a problem firewall make it impossible for authorized workers to do their jobs, thus bringing legitimate, time-sensitive projects to a halt. Another big contributor to security problems is improperly written software. Carelessly or rapidly written applications can introduce buffer overflows, the possibility of zero-day attacks, and dreaded enterprise-wide worm attacks. However, problems created by end users, what I often refer to as "wetware," likely contribute the majority of problems on a network. We all know how often the beleaguered IT worker loves to sit down and tell tales about the latest adventure they had with an end user or, even worse, a group of end users.
Some Numbers to Explain the Problem
In April 2006, the MSP Alliance published the results of a survey it had conducted concerning wetware-based problems. The survey revealed that 59.2% of the security-related incidents that occurred in companies that year were due to human error. However, the same survey revealed that only 36% of these companies had any sort of end user security training program. So, it would seem that even though wetware causes the majority of our problems, relatively few people are interested in doing anything about it.
Why Don't Companies Do It?
So, why doesn't end user security training occur more often? Teaching end users how to keep security is an essential task for any IT administrator who wants to keep the company secure, after all. End user security training is also difficult, because the administrator faces several key obstacles. At CIW, we were able to poll a few CIOs, as well as gather together some thoughts from across our worldwide network. The following are responses to why end user security training is often not a priority.
Lack of Time. Any IT department has limited resources, and often end-user security training is the first casualty as departments trim projects. After all, most training is conducted in-person, as it's difficult to use a purely online training option.
Lack of Employee Motivation. Most end users are either intimidated by the very concept of networking, or they simply don't care enough about the topic to actively learn.
End Users Won't Get It. The typical IT administrator assumes that end users wouldn't understand the training anyway.
Employee Indifference. One of the most frustrating things to any CIO — or anyone for that matter — is spending time to create a useful information exchange, only to have that time wasted by employees who simply refuse to comply. Therefore, many IT managers and executives have lost faith that their employees will comply.
Lack of Managerial Support. It's often a struggle for IT managers to get fellow department managers to provide time for employees to receive security training.
Undue Focus on Technology to Solve the Problem. Many IT administrators have equipment they need to justify. The CIO might have difficulty justifying a new firewall or intrusion detection device if the story gets out that end user training has increased security so much.
Training as a 'Culture War'
One CIO, in his response to our question about why end user training is such a struggle, pointed out that employees generally resist any rules given to them.
"Employees, who refuse to implement reasonable security at home before establishing a VPN connection to the office, believe that a 'no USB device' rule is 'Draconian,' and feel they have a 'right' to continue to download unauthorized software and content (often spyware — and/or virus-infested). Security training may seem like wasted effort."
Is the problem, then, the fact that people increasingly work from home? No. That USB has become truly ubiquitous? Not really. Or that software is freely available? Strike three. According to this quote, it's that end users have a sense of entitlement about "their" PCs and how they access information on them.
In short, to get any end user security training going at all, the IT administrator is faced with a task no less daunting than changing a company's culture. After all, a simple end user security training request might be perceived as an attempt to interfere with time-honored practices concerning how the company transmits and stores information. Even worse, your attempts will be construed as a way to monitor how an individual works. After all, security measures are often inherently inconvenient. Security training is at least that inconvenient.
More Information: The Employee Perspective
To get some perspective on these issues, consider what motivates your employees. While some are truly interested in helping the company, most are, well, much more ambivalent. Consider the following unwritten rules in companies.
A fairly well-known study conducted by the Gallup Management Journal in 2007 provides some useful insights into how to approach end user security training. This survey has been conducted for several years now, I should note. While the 2007 study doesn't discuss security per se, it does give insight concerning the thought processes of the employees you will be instructing. The survey focused on the extent of employee interest in accomplishing company goals. Specifically, the survey was designed to determine how engaged employees were in accomplishing company goals. The following are the results of the survey.
26% of the employees are actively involved in accomplishing their company's goal.
55% are basically "fence sitters." They're effectively just putting in their time.
19% of the employees in a company are actively involved in actually resisting the company's goal, and are unhappy, spreading discontent.
Earlier surveys, such as in January 2006, had slightly different statistics (27% actively engaged, 59% not engaged, 14% actively disengaged). The most important points to consider from these results are the following.
You will need to make an extra effort to even begin communicating with over half of your company.
Even if just over a quarter of the people in your company are actively engaged in accomplishing its goals, only a fraction of those people have any real knowledge of how to keep the company secure, outside of "common sense computing steps." And many don't even know those steps.
Will All These Users Attack the Company? Not Directly, at Any Rate
The above statistics hardly state or even imply that 19% of the employees are actually trying to subvert the company's security. Obviously, it would make sense to estimate that the potential "internal hackers" who defeat company security probably belong to that 19%. Yet, as a corporate manager or director, it would make sense for you to consider that you don't just have to worry about a portion of the 19% of the people in your company. You actually have to worry about at least 80% of the company because the last thing that fence sitters and discontented employees are going to do is worry about maintaining or improving company security.
But a percentage of these users will be responsible for indirect attacks. Through carelessness or sheer ignorance, they'll take steps that will cause critical security problems for you. Some might even actively try to introduce a security problem, but that's not the main concern here. You want to figure out how to motivate your employees to reduce risky behavior and to compute securely.
Motivating Employees: The Key
If you wish to increase the security level of your company through end user training, then find a way to motivate employees. Successful teaching implies the ability to motivate. So, in future articles in this series, we'll look at ways to motivate and train individuals to improve security in your company, and also at why legislation over the past few years (Sarbanes-Oxley, anyone?) has driven the need for end user security training at the corporate level.
Next in this series will be an article entitled "The Personal Privacy Angle," which is where we give end users specific steps that help them secure their own online identities. The angle is, effectively, finding a way to get people to act in their own self interest in such a way that it helps your company secure itself at the same time.
Dr. Stanger is an accomplished security consultant, writer, curriculum designer, and web designer. As Chief Certification Architect for VCampus Corporation, he manages the CIW, CTP, and CCNT certifications. He is also Chair of the Linux Professional Institute (LPI) Advisory Council and has helped design certifications and curriculum for Symantec, CompTIA, and the Telephony Industry Association (TIA).
An award-winning author, Dr. Stanger has written titles for O'Reilly, IBM, McGraw-Hill, Wiley, Elsevier, and ComputerPREP. His writings have been translated into over a dozen languages. James has spent the last two decades writing, lecturing, and consulting about network security, web design, open source, Linux system administration, and convergence networking (e.g., VoIP). Past clients include Securify, The Association of Corporate Council, the University of California, and Brigham Young University. He regularly gives presentations on security, web development, and open source worldwide, from Edinburgh to Beijing to San Francisco. He lives and plays near the Puget Sound in Washington State.