Beyond awareness

According to Domain-B, Deloitte's information security survey of 60+ Indian organizations raised an interesting point:
"Optimistically, information security awareness and training is among the top three security initiatives indicated by the resspondents [sic]. However, most security awareness programmes start with an e-learning module, which raises awareness and knowledge, but does not necessarily alter behaviour."
It amuses me that so many organizations think they can just splash out some money on an e-learning package about information security, and that's it.  Compliance box ticked.  Management off the hook.  They've 'done something'.  Let's all live happily ever after.

I'm not saying that e-learning packages are worthless, quite the opposite in fact.  They are a valuable part, supplement or addition to a comprehensive security awareness program, the point being that, taken in isolation, watching a somewhat stilted video session and maybe answering ten lame security questions is only good for compliance with equally lame laws, regulations and contractual commitments that don't specify an effective awareness program.  It will not magically make your employees act more securely overnight, making a big splash in their lives.  Without the support of other suitable security awareness activities and materials, it will barely create a ripple.

The e-learning packages I've seen on the market are not cheap, and the costs escalate further if you want customized content specific to your organization rather than the purely generic, bland and often out-dated stuff usually provided.  If this purchase sucks the guts out of your security awareness budget, you're in trouble.

Mind you, if your idea of security awareness was a stern once-a-year lecture to staff by A Big Nob, then e-learning would definitely be a step up.  So would creating a security incident just to make people aware that they are vulnerable, or forcing everyone to sign a piece of paper that says they know of the existence of the security policies.  If you are purely doing this for compliance reasons, these are all probably good enough.  They won't, however, actually make your information assets any more secure in a real sense.

The thing that is desperately missing from e-learning packages is the human interaction that comes from putting a decent presenter/teacher/trainer/awareness expert up in front of a class of adults - or a team meeting - or a board meeting - or whatever.  They can not only spout the stuff on the slides but react to the audience, take questions and comments, and most of all turn those little sparks of interest and enjoyment into the flames of passion.  Motivation is a very personal thing.  Think about this the next time you see an evangelist on any topic doing his/her thing on stage.  Their energy and enthusiasm is infectious, and the central message is memorable.  If they're good, people will be thinking and talking about the experience for days if not weeks afterwards.  Would you be quite so excited about having completed an e-learning module?

As a profession, I'm sure we could learn much more from the evangelists, sales people, motivational speakers and even passionate politicians.


PS  I would have preferred to cite the Deloitte report directly if only I could locate it on the web ... sorry.