Training for UsersCopyright (C) 2/95 by Howard Fuhs
Enormous quantities of data are processed every day in commercial enterprises by people with no or very little IT training. The great majority of these operators have been taught how to operate a few programs, and have no or little knowledge of how the underlying hardware or operating system functions. This type of staff is entrusted with a company's most valuable assets, its databases. That this will lead to accidents and problems is predestined.
The primary cause of data accidents is lack of information security training. Many companies have introduced expensive technical data security measures in the last couple of years, but the opinion often still reigns that it is not profitable to give staff information security training. This argument used to be difficult to refute, but more statistical material is becoming available, and it points in the same direction. In 1993 an American survey showed an annual loss of USD 4 bn through loss of data. 80% was caused by errors and negligence by poorly educated staff. A similar survey in the UK indicated that the corresponding loss in the UK was GBP .4 bn. Technical measures are not sufficient to remedy this. These are often precisely as good as the users implementing them. They get incorrectly installed, and their alarms and messages incorrectly interpreted. Consequent security awareness Training is the only answer.
Now, how should this staff training look? Under no circumstances is it a question of training to a professional level. That would load most users with much too much knowledge that would be of little use in the daily work, and consequently quickly forgotten. It is not necessary to be able to repair a car to drive one.
As a first step it is necessary to increase the users' awareness of the importance of the goods he is handling, and how easily it can perish through carelessness. It is not sufficient to take the user through a boring seminar about computer viruses. lt is necessary to demonstrate the destructive effects of the real thing in order to install a realistic feel for the problem. Doing this in its turn paves the way for an understanding and acceptance of security measures.
This can be the next item on the agenda in an awareness training session. Existing security measures are explained, e.g.
- The information security strategy of the organisation
- Individual measures in use (anti-virus system, backup, etc.)
- The purpose of each of these
- How each measure functions
- The correct use of each measure Security-related things to notice
- Who to contact in case of an alarm or a question
The information security tutorial must be supplemented by practical training, where the users have the possibility to "learn by doing" under the supervision of an instructor. This training must be designed to remove uncertainty about the daily use of security measures. In experiments with this type of training results have shown that users subsequently much more readily accept security policies and use security measures even when not directly prompted to do so. The error rate falls considerably.
Users should not be allowed access to computer resources and particularly to computers on networks before completing this type of security awareness training.
The user should be taught about known and serious dangers to information security and appropriate countermeasures. Not only subjects pertaining to the computer itself belong here, but also safe handling of archives, safe destruction of data, access restrictions to buildings housing sensitive data or equipment correct storage of data media and not least the dangers associated with "social engineering".
- What are the dangers?
- How you recognise them?
- Which countermeasures are available?
This part of the training is intended for users handling personal data, e.g. employees of the personnel department. These must know which rules apply regarding handling sensitive information of a personal nature.
Computer-using employees should receive news about information security issues on a more or less regular basis, e.g. via e-mail, a special page in the company newsletter or a brief circular letter. This type of information can be circulated every three or four months without much trouble.
It is particularly important that users receive adequate information in case new information security measures are introduced. Perhaps it is even necessary to introduce new training procedures to explain the use of new security software or new safer procedures.
Experience demonstrates more and more clearly that it is straightforward to reduce the risk of data losses, and make computing much more secure by introducing a suitable training schedule for the computer users in the organisation.
Furthermore, it becomes increasingly evident that there is a positive return on investment in information security awareness training throughout the organisation.