The Problem with End User Security Training, Part Two: The Personal Privacy Angle
By James Stanger, PhD
In my previous article for TechieCrossing, I looked into why end user security training doesn't occur on a regular basis. I concluded that end user training fails — is just plain not conducted — because of the following simple fact: CIOs and IT managers have failed to understand what motivates end users.
Act Now! Activate a FREE three days trial to InformationTechnologyCrossing.com, because you know how important it is to know about all the jobs.
''Forget the IT-oriented motivations for justifying end user security and cut to the chase: appeal to the individual.''
One Company, Two Cultures
At the risk of sounding overly dramatic, a cultural cold war exists between end users and their IT departments. To one side (the end users), it's an ''all about me'' proposition. Do you remember the ''I Love My PC'' stickers that employees used to stick on their computers back in the 80s and 90s? The stickers may not be popular anymore, but the spirit behind them is alive and well; people consider company computers to be their computers.
Computing Is Personal for End Users
By extension, when it comes to learning about security, it's a personal thing for end users. This may not seem like much of an insight, but when was the last time you saw any company approach end user security training from the ''What's in it for you'' perspective? Remember, to most end users, security measures are usually perceived as impediments to be overcome. End user security training is no different. How many times have you heard the following from an end user or end user's manager: ''My computer worked fine before those security measures; now I can't do my job''?
You see, when it comes to end users, their computers, and security, it's very personal. Their ability to work on their computers affects their reputation. By extension, the information on those computers is their information, not the companies. The end user expects total control over the information in the computer, and expects to be able to use that computer in pretty much the way they want to use it. Anything that even begins to impede that ability appears arbitrary, draconian, and silly.
Don't underestimate how deeply the end user's very work identity is involved with his or her computer. If you, as the security or IT manager, threaten to change end user behavior, you'll experience resistance, because your reasonable changes appear to be tampering to almost everyone else.
Does Management Understand the ''Personal'' in ''Personal Computer''?
For soldiers on the other side of the company-culture cold war — the CIOs and IT employees — that ''personal'' remains a distraction. Costs are never justified in this way. Neither is training. The following quote from a CIO living in Arizona presents one of the more common reasons for training:
''With Sarbanes-Oxley and HIPAA regulations, it has been much easier to prioritize security and motivate employees to comply with associated policies and procedures.''
In other words, we do it because the government tells us to. I can't think of any less inspiring thought than this. How many people do you know who get excited to learn something new because the government told them to? Other less inspiring motivations include:
It's the law.
The company mandates it.
The company needs protection.
These are legitimate reasons. These are reasons that make sense from a business perspective, in board rooms and server rooms across the world. But at best, the above reasons are boring. At the worst, end users could silently resent having to devote their time helping you do your job.
In short, you have two wildly diverging perspectives. The result? Most CIOs lack faith that employees will comply in significant numbers and see end user security training as a waste of time. Those who actually conduct end user security training fail to realize that end users love their PCs and see them as their own. It's personal with end users. Yet most CIOs and security professionals forget this.
The Key: Make It About Them
If it's true — and I've argued that it is in Part 1 of this series — that almost 75% of the company is full of people who are at best marginally engaged in achieving the company's goals, then any training based on making the company safer is almost bound to be ignored by the majority of the company. Even those who are truly engaged in the company's goals will see security measures as unnecessary impositions inspired by alpha techno-geeks and bureaucrats.
This is why end users don't like VPNs or no USB device rules. They seem arbitrary, imposed from outside. This is the culture war. Your job is to eliminate this divide by making seemingly arbitrary, artificial impositions appear as changes that are smart, natural, and helpful to them personally. Sometimes, it's better to capitulate to an idea rather than fight it. But you can choose your own terms.
So, instead of saying, ''This is what the company requires,'' position the training as ''Here is a way you can communicate securely in a modern work environment.'' Position the training as portable life skills, rather than as procedures required by some theoretical, bureaucratic set of rules.
End users generally feel that it's their right to continue behaviors that have traditionally allowed them to get their job done and contribute to the company. Your training efforts will at best be seen as interesting adjuncts to their behavior or interesting tidbits about computing, or at worst as proposals for making sure workers never get their work done.
Conclusion
My advice to you is to forget the IT-oriented motivations for justifying end user security and cut to the chase: appeal to the individual. The individual is the key — it's all about me, as they say. I'm convinced that nothing else will give your company the proper security foundation it requires. For Part 3, I'll take a look at specific approaches you can take to motivate not only end users, but also executives and middle management.
Uchrin, Mike, Chief Operating Officer, Health Choice Arizona, INCNews Release. Personal email correspondence, October 23, 2007.
About the Author
Dr. Stanger is an accomplished security consultant, writer, curriculum designer, and web designer. As Chief Certification Architect for VCampus Corporation, he manages the CIW, CTP, and CCNT certifications. He is also Chair of the Linux Professional Institute (LPI) Advisory Council and has helped design certifications and curriculum for Symantec, CompTIA, and the Telephony Industry Association (TIA).
An award-winning author, Dr. Stanger has written titles for O'Reilly, IBM, McGraw-Hill, Wiley, Elsevier, and ComputerPREP. His writings have been translated into over a dozen languages. James has spent the last two decades writing, lecturing, and consulting about network security, web design, open source, Linux system administration, and convergence networking (e.g., VoIP). Past clients include Securify, The Association of Corporate Council, the University of California, and Brigham Young University. He regularly gives presentations on security, web development, and open source worldwide, from Edinburgh to Beijing to San Francisco. He lives and plays near the Puget Sound in Washington State.
Linda , Brownsvelle, TX
On InformationTechnologyCrossing it's easy to access the vast variety of jobs on offer. The search engines are superb!
Allison , Chicago, IL
The best thing about InformationTechnologyCrossing is that you can upload your resume and also have the option to apply online.
Pamela , Chicago, IL
InformationTechnologyCrossing has more jobs on its pages, than any other similar websites. Amazing!
Antonio , North Hollywood, CA
InformationTechnologyCrossing works fine, and is very easy to use.
Melissa , New York, NY
I am very happy with the services provided by InformationTechnologyCrossing. I will surely use it again in future.
To compare InformationTechnologyCrossing with other job sites
Bring Order and Structure to Your IT Job Search
You have perseverance and can accomplish anything you put your mind to and finding the ideal IT job is no exception. We have a tradition of helping our members accomplish anything they set their mind to. With complete information about every IT job in the market at your fingertips you are going to go far.
You have very high standards for the sort of employer you are working for and also for yourself. You are not afraid to work hard to fulfill your duties because you value security and peaceful living. We give you the tools to pursue your dreams for you and your family.
Become part of a tradition of research excellence that has elevated the careers of countless IT professionals just like you.
Complete the sign up process today and become part of our site today.
Tell us where to send your access instructions:
Total Jobs on InformationTechnologyCrossing
248,525
New Information Technology Jobs This Week
66,868
Jobs on EmploymentCrossing Network Available to Our Members
SQL Developer -- The Knot Inc. United States-TX-Austin
--Jo Ann Miller, Local Account Executive
employee since 2002
There is a lot of opportunity to work on a variety of projects for a variety of brands...
If you are one of the people out there looking for a new job, you are not alone. However, instead of that being a comforting fact, many people who are looking for IT jobs in York are fearful because they are afraid that there will not be enough work to go around.
EmploymentCrossing is a very user friendly website and has a fantastic search engine. I always got quick responses to my search criteria.
Richard , Baltimore, MD
The number of jobs listed on InformationTechnologyCrossing is great. I appreciate the efforts that are taken to ensure the accuracy and validity of all jobs.
Richard , Baltimore, MD
The number of jobs listed on InformationTechnologyCrossing is great. I appreciate the efforts that are taken to ensure the accuracy and validity of all jobs.
See Every Information Technology Job We Can Find on the Internet!
Unlike other sites, InformationTechnologyCrossing works for you and does not charge employers to post jobs and actually goes out and researches jobs for you. The jobs you see are the jobs we find for you and not the ones employers are paying us to post.
To compare InformationTechnologyCrossing with other job sites
Start doing things the way they should be done.
Make objective career decisions with unbiased research, facts and information about IT jobs. Your perseverance, follow through and dependability will all pay off when you have access to:
IT jobs from every company employer career webpage we can find.
IT jobs from every professional job source we can find.
IT jobs from every job board we can find.
IT jobs from every newspaper classified ad we can find.
IT jobs from every specialized IT publication we can find.
IT jobs from every federal, state and local government career page we can find.
IT jobs from every public interest, nonprofit and other career page we can find.
Tell us where to send your access instructions:
Today at InformationTechnologyCrossing
13,311 - Jobs found in last 24 Hours66,868 - Jobs found in last 7 Days248,525 - Total Jobs Found
Your privacy is guaranteed. We will never give out, lease, or sell your personal information.
InformationTechnologyCrossing - #1 Job Aggregation and Private Job-Opening Research Service — The Most Quality Jobs Anywhere
InformationTechnologyCrossing is the first job consolidation service in the employment industry to seek to include every job that exists and not charge employers to post jobs on its site.
InformationTechnologyCrossing uses sophisticated technology and manual work to comb employer websites and other job boards for jobs and bring them all to its site.
