Best practices for creating 'the human firewall'

In a global survey conducted by consulting firm PwC, fewer than one-third of the surveyed executives say they are very confident they've instilled effective information security behaviors into their organization culture. It's time to build "the human firewall."

Clearly there is a need to do a better job educating workers about IT security risks and threats and to teach them how to be part of the security solution rather than the security problem.


CIO and CSO magazines recently joined the consulting firm PwC to conduct a global survey and publish the report Global State of Information Security 2013. More than 9,300 executives in 128 countries provided input about the state of IT security in their organizations. The report reveals a real weakness when it comes to employee security awareness and practices. Consider:

• Only 29% of the surveyed organizations say their employees (at all levels) are very aware of cyber risks.

• Only 29% are very confident they've instilled effective information security behaviors into the organizational culture.

• 68% of the respondents said their organization had one or more security incidents last year.

• 22% of the organizations had 10 or more security incidents in the previous year.

• It's estimated that in 37% of these incidents, employees were the source of the security breach.

This last statistic is corroborated by the Ponemon Institute, which noted in its 2011 Cost of a Data Breach Report (U.S. edition) that 39% of breaches are caused by negligent insiders.

Traditional approaches to employee education just aren't working when it comes to IT security training. When workers sit in a classroom and view one PowerPoint slide after another, they aren't really learning the subject as they need to. The lesson is out of context with the real work environment. The class is often boring and too long. When there's no active participation or interaction with real computing situations, the lessons don't sink in. Seminar-style classes also offer little to no measurement of what was learned, no feedback to workers on how well they've done, and no continuous improvement process.

The key to effective employee security training is to apply learning science principles. In other words, throw out the boring slideware and use tools and techniques that let people learn in a way that learning research has shown helps them absorb and retain more of the content.

Wombat Security Technologies Inc., a provider of cybersecurity training and filtering solutions, offers the following best practices that have proven successful in making people aware of security risks and motivating them to change their behaviors and be more security conscious.

Prioritize and Focus

Successful security training is a process, not a one-time event. Security training platforms that include analytics help organizations assess human risk factors across multiple attack vectors including email, mobile devices, social networking and passwords. This allows security officers to create a customized training program that addresses the most prevalent or risky employee behaviors first. The best results are achieved by setting realistic goals to modify two or three risky security behaviors at a time. As progress is made, more risks can be addressed with the addition of new training modules.

Make it Digestible

Effective security training is about quality, not quantity. Training is better received when it is woven into the daily work routine, using learning science principles to build incremental success through "teachable moments." In just 10 minutes, interactive software training sessions can measurably reduce employee susceptibility to attacks. With administrative tools that let security managers schedule and deploy mock cyberattacks, security training can be presented in the same context in which a person is most likely to be attacked. When an employee fails to follow security policies, a quick, on-the-spot training session can help them better understand why the policies matter and learn how to put them into practice.

Keep Them Coming Back for More

As the mobile gaming app explosion demonstrates, people love games. The best security training platforms use this fact to their advantage. With games featuring memorable characters and engaging story lines, employees actually look forward to training. The gaming approach allows employees to self-pace learning, practice concepts in multiple contexts and master skills through repetition. When employees correctly respond to game prompts (such as identifying a phishing scheme, creating a strong password or other essential cybersecurity behaviors), the game rewards them for doing the right thing. Over time, active involvement in the learning process helps employees feel more invested, which ultimately translates to better understanding and adherence to security policies.

Measure the Results

Cloud-based security training platforms collect user data to help training administrators monitor completion of training assignments, assess individual employee performance, and measure improvement in people's behaviors and awareness across the entire organization. Armed with in-depth training intelligence and easy-to-read reports, security officers can track compliance, measure the effectiveness of their security awareness programs and demonstrate a positive return on investment.
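The "Prioritize and Focus" and "Measure the Results" practices above both come down to turning raw mock-attack results into a few numbers: the failure rate per attack vector (to pick the two or three behaviors to work on first), the click and report trend from campaign to campaign, the change per vector between the first and latest campaign, and the people who keep clicking and need an on-the-spot session. The following is an added example that does exactly that; it is not code from the article or from Wombat's platform, and the event fields, the vector names and the sample results are all constructed assumptions.

```python
"""Human-risk metrics from simulated-phishing results.

Added example, not code from the article or from any vendor's platform.
It takes constructed mock-attack results (who clicked, who reported, who
ignored) and derives the numbers a training program is prioritized and
measured by. Event fields, vector names and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    campaign: str  # campaign id; assumed to sort in chronological order
    vector: str    # simulated attack vector: "email", "mobile", "social", ...
    user: str
    action: str    # "clicked" (failure), "reported" (success) or "ignored"


# Constructed sample data: four mock campaigns against four users.
SAMPLE_EVENTS = [
    Event("2012-Q3-1", "email",  "alice", "clicked"),
    Event("2012-Q3-1", "email",  "bob",   "reported"),
    Event("2012-Q3-1", "email",  "carol", "ignored"),
    Event("2012-Q3-1", "email",  "dave",  "clicked"),
    Event("2012-Q3-2", "mobile", "alice", "clicked"),
    Event("2012-Q3-2", "mobile", "bob",   "ignored"),
    Event("2012-Q3-2", "mobile", "carol", "reported"),
    Event("2012-Q3-2", "mobile", "dave",  "ignored"),
    Event("2012-Q4-1", "email",  "alice", "clicked"),
    Event("2012-Q4-1", "email",  "bob",   "reported"),
    Event("2012-Q4-1", "email",  "carol", "reported"),
    Event("2012-Q4-1", "email",  "dave",  "ignored"),
    Event("2012-Q4-2", "social", "alice", "ignored"),
    Event("2012-Q4-2", "social", "bob",   "ignored"),
    Event("2012-Q4-2", "social", "carol", "ignored"),
    Event("2012-Q4-2", "social", "dave",  "clicked"),
]


def _rate(events, action):
    """Share of events with the given action; 0.0 for an empty group."""
    events = list(events)
    if not events:
        return 0.0
    return sum(1 for e in events if e.action == action) / len(events)


def failure_rate_by_vector(events):
    """Click rate per attack vector, e.g. {"email": 0.375, ...}."""
    by_vector = defaultdict(list)
    for e in events:
        by_vector[e.vector].append(e)
    return {v: _rate(evs, "clicked") for v, evs in by_vector.items()}


def prioritize(events, top_n=3):
    """Vectors to train on first: highest failure rate, ties broken by name."""
    rates = failure_rate_by_vector(events)
    return sorted(rates, key=lambda v: (-rates[v], v))[:top_n]


def campaign_trend(events):
    """Chronological (campaign, click_rate, report_rate) tuples."""
    by_campaign = defaultdict(list)
    for e in events:
        by_campaign[e.campaign].append(e)
    return [(c, _rate(evs, "clicked"), _rate(evs, "reported"))
            for c, evs in sorted(by_campaign.items())]


def vector_improvement(events):
    """Per vector: (first campaign click rate, latest campaign click rate)."""
    by_vector_campaign = defaultdict(lambda: defaultdict(list))
    for e in events:
        by_vector_campaign[e.vector][e.campaign].append(e)
    result = {}
    for v, campaigns in by_vector_campaign.items():
        ordered = sorted(campaigns)
        result[v] = (_rate(campaigns[ordered[0]], "clicked"),
                     _rate(campaigns[ordered[-1]], "clicked"))
    return result


def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns, sorted by name."""
    clicks = defaultdict(set)
    for e in events:
        if e.action == "clicked":
            clicks[e.user].add(e.campaign)
    return sorted(u for u, cs in clicks.items() if len(cs) >= min_clicks)


if __name__ == "__main__":
    print("train on first:", prioritize(SAMPLE_EVENTS, top_n=2))
    for campaign, click, report in campaign_trend(SAMPLE_EVENTS):
        print(f"{campaign}: clicked {click:.0%}, reported {report:.0%}")
    print("first vs latest click rate:", vector_improvement(SAMPLE_EVENTS))
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```

Two design points worth noting. Tracking the report rate alongside the click rate matters because a campaign where nobody clicks but nobody reports either is not evidence of a working program; it may just mean the lure was weak. And ranking by distinct campaigns rather than raw click counts keeps one user who clicked twice in a single campaign from being mistaken for a chronic repeat clicker.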

Continue to Adapt

As long as security breaches yield financial or political gains for perpetrators, cyberattacks will continue to proliferate. Security awareness training programs must be designed to address the current spectrum of email, mobile device, social networking and password-related attacks, as well as keep pace with evolving threats. Cloud-based training platforms that feature a wide array of modules and offer new releases in response to shifting cyberattack trends can help security officers create flexible and sustainable security awareness programs.

Research shows that organizations with well-understood security policies and an ongoing security awareness program suffer fewer breaches. Security training helps to create "the human firewall," which is at least as important as technology-based security solutions.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.


Copyright © 2012 IDG Communications, Inc.