Despite understanding privacy and security objectives associated with business operations, end-users often have difficulty connecting the dots between specific protocols and those objectives. This is evidenced by the fact that, according to the Information Risk Executive Council, 62% of security incidents resulting in non-compliance are a product of insider behavior. Simply telling users what they can and cannot do is not sufficient security training. Steps must be taken to provide users with a more thorough knowledge and understanding of the compliance procedures they must adhere to.
Lack of Control is the Root of the Problem
The mistake many organizations make regarding end-user training is one of control. Instead of preventing users from accessing items that conflict with the compliance initiative, organizations simply trust their users to adhere to policy. The problem with this approach stems from the fact that users generally do not understand the importance of compliance initiatives and, therefore, do not comply. Consider the following as examples of poor end-user training:
- Telling users not to open e-mails from people they do not know, but not implementing any form of e-mail filtering.
- Telling users not to use Web sites such as Facebook, but not blocking Web site access.