The Public Eye with Eric Chabrow

Value of Awareness Training Questioned

CIOs Don't Show Much Enthusiasm for Employee Education
Ask federal chief information officers about the effectiveness of employee awareness training to reduce cyber-vulnerabilities, and you'll get a big shrug of the shoulders, at least from half of them.

That's a takeaway from a survey of U.S. federal CIOs released this month by TechAmerica, the trade group representing IT manufacturers. Half of the CIOs surveyed say education and training is neither effective nor ineffective; about 40 percent contend it's effective or very effective; only 8 percent rate it as ineffective. And none say it is very ineffective.

The numbers don't tell much, except that training itself needs to be beefed up if it's to be an effective tool against the growing cyberthreat facing organizations in and out of government.

Comments sprinkled through the report furnish a bit of insight on how some CIOs think about their approaches to cybersecurity. Of particular note are the anonymous responses from CIOs on how they manage IT security risk, especially the role of training and educating employees about cybersecurity.

Click-Through Training

One CIO pooh-poohs cybersecurity training: "Employees just click through the training and are not really paying attention. It is just a check-the-box exercise." That CIO, though, suggests the way to engage employees is to improve the training's graphics and animation. Really?

One government agency phished its own employees, and nearly one in five receiving a tainted e-mail took the bait. "Those who fell for it were directed to a page and told they had been phished," the CIO says. "Then we provided some on-the-spot training and education. The reaction was actually very positive."

Another CIO locked out employees who failed to complete their training. "The system lockout is effective in terms of getting the users' attention, but if a person with a high case load, administrative rights, sensitive information processing rights, highly time-sensitive duties etc. gets locked out, it may cause problems and interruptions to daily duties. Also, executives who get locked out are not especially pleased when this happens."

That's one thing you don't want your education and training program to do: exasperate those who provide the funding for cybersecurity training initiatives.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
