Too frequently, discussions about improving security center around technology--from patch management to security template deployment. In my experience, the biggest security-related Return on Investment (ROI) comes from end user and administrator training and education. The bad news, of course, is that people are more difficult to configure than software. The good news is that well-trained and educated users and administrators are the single most effective security measure an organization can possess. I've seen the following three methods succeed for security training and education, and companies could extend these methods to other IT areas. Each method has different costs and organization buy-in levels.
Inexpensive: Posters and Propaganda
People are busy, and classroom training is expensive and often forgotten after the class ends. These are valid criticisms of traditional instructor-led training and education. As alternatives, posters and propaganda can be inexpensive yet effective training vehicles if appropriately used. When creating posters, be sure to include the following elements:
- Trigger--the key word or symbol that attracts attention to your poster (e.g., Attention or Warning). Don't overstate the trigger.
- Source--describes the poster's subject. For security training, the source will likely illustrate the vulnerability or threat about which you want to educate users.
- Consequence--informs the viewer what will happen as a result of inaction or compliance with the directions provided. The consequence should be easily understood and accurate. Avoid scaring people.
- Direction--tells the person viewing the poster what he or she needs to do to avoid or comply with the consequence. The directions should be simple and should provide examples if appropriate.
I've successfully used posters to educate users about creating strong passwords. Figure 1, shows a sample password-education poster.
Hang posters in areas where users and administrators spend idle time, such as near elevators and in break rooms, copy rooms, and other common areas. Laminated one-page tip sheets and window decals are also effective propaganda media. Even with professional printing services, you can create this type of training for less than $500. Although compliance that calls for self-directed action isn't ideal (it's often difficult to enforce and to evaluate the outcome), by measuring the change in behavior (e.g., password changes) that the poster calls for, you'll get some idea of your organization's security health and the training's ROI. For example, if you used the poster in Figure 1 and later found that 20 percent of the organization's 6000 employees changed their password in the week after the posters appeared, the approximate immediate ROI would be successful completion of the training for less than $0.42 per employee in the 20 percent subset ($500 / 1200 employees). Although exact calculations are more complicated, this example gives you a general idea of how to calculate the ROI for successful training completion.
Moderately Expensive: The Film Festival
Last year, Microsoft's MSN division hosted the MSN Privacy and Security Film Festival. Over 3 nights, staff members showed three feature films in general release that covered different areas of information privacy and security. A panel of internal and external subject matter experts discussed the privacy and security concerns in each film. The experts talked about which aspects of the film were accurate, which were unrealistic, and how the circumstances of the film might be present in the MSN division.
The idea was to create a safe environment in which to start conversations about privacy and security within the business unit. Many attendees found it easier to analyze privacy and security holes in the film than in their networks; analyzing the film didn't invite recrimination from the division's systems administrators. The expert panel did an excellent job of relating the events in the films to MSN's network and services. (For the record, the three films shown were: Sneakers, Minority Report, and Enemy of the State.)
The key to such an educational effort is to ensure that attendees integrate what they learn from the film and the expert panel into improving, in this case, security and privacy in their job role. If nothing else, the film festival is an excellent way to drive awareness and dispel myths. The cost of this type of an event will vary depending on the number of attendees, whether you pay the experts an honorarium, and the costs of renting equipment or facilities if needed, but in general is less than $1000.
Expensive: The Contest
During a presentation about the value of security training, one company's CIO offered this challenge: How would I provide security training to his entire company on an annual budget of $60,000 with only one or two people working part-time on the project. I responded that I would spend $15,000 to develop solid content about the most important security policies, $10,000 to develop a Web site and Web-based assessment tool, and $35,000 on a BMW.
After I nearly was laughed out of the room, I explained my idea. The BMW is the prize, completion of the assessment is how one becomes eligible for the prize, and the Web site holds the answers to the assessment questions. Employees must correctly answer 25 out of a pool of 100 scenario-based security questions. Each question would have a tip that links to the Web site, which of course contains the crucial information about the company's security policy.
To my surprise, the CIO took me up on my idea, although his company chose to give several smaller prizes, including a trip to Hawaii, a TV, and several gift certificates. He later told me the company had better than 97 percent compliance and anecdotal evidence of behavior change within a month of the contest rollout. The key to this education effort is to create a resource that people will use to respond to the assessment questions and to develop behavior-based scenario questions that target elements of the policy that the company most wants compliance with.
These three training examples are anything but conventional or traditional, but regardless of the method you use to educate employees, keep in mind the following guidelines.
1. Position training and education as a program, not a one-time event. Providing training and education as a one-time event has limited value. Structuring training and education as a program will help drive continual process improvement and establish a culture of training and education within your organization. A strong culture of training and education will increase employee compliance and information-retention rates.
2. Use training and education appropriately. Training and education are distinctly different, but most people use the terms interchangeably. Training equips people to perform tasks; education equips people to make decisions based on knowledge. Neither technique is fundamentally better, but each has its appropriate use, and often both are necessary. For example, you train users how to change their passwords; you educate them to create strong passwords.
3. Make sure that the program fits your organization's culture and structure. For example, mandatory classroom training might be more effective than online training in organizations that have less technically savvy end users, whereas an organization with a highly mobile staff might find that the logistics of mandatory classroom training exclude them from participating.
4. Develop a plan to measure the program's effectiveness. Such measurement, whether quantitative or qualitative, will show management the value of training and education. Hence, it will not only help you obtain resources for the program in the future, but will also quantify your value to the organization as an employee. Because compliance rather than performance is probably what you want to measure, consider giving a skills or knowledge assessment before the training to focus the employee on what you want him or her to take away from the program.