Educause Security Discussion mailing list archives

Re: Faculty Acceptance of Security Awareness Education?

From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Thu, 29 Oct 2009 12:59:28 -0600

Jon,

Policy, following the pain of a bunch of very public breaches, and some
top cover as a result from campus and System management, achieved a
reasonable "participation" level, I believe, at the University of
Colorado at Boulder.  However, that is not the end of the question, as
participation does not indicate result quality, and it wasn't nearly
100% participation, the goal.  Here are some questions to consider:

1. Was that training effective?  How do you measure to know?

2. Did it promote changed behavior?  

3. It was one of many trainings that caused a general "we're being
trained to death" complaint from the faculty, who generally do not like
any requirement for training.  In fact, many general policies and
training requirements were rescinded.  In some cases these were probably
supportable actions; in others it became a barrier to pursuing further
useful training.  I can't competently judge how much truth there is in
the faculty claim - although my gut reaction is to snort at it and
believe it to be a false complaint, given the FAR greater requirements
of this sort I faced in the corporate sector!  I'm willing to believe
that my perspective MAY be a misjudgment because my viewpoint was narrow
along this topic line and my background includes highly "quality"
sensitive business models.

4. What consequences have been levied for non-compliance with the
training/awareness efforts?

5. Is there sufficient follow-on training to capture incoming,
part-time, and outsourced service functions?  Do we keep up with
personnel turnover?  I tend to believe we struggle in these areas, but I
don't have a measured result to validate that belief, only on the job
observations.

6. Highly visible private data search/scanning process.

The fourth observation is the biggest one.  The common understanding in
risk functions, internal audit, and our security sources is that if the
most senior of all responsible parties (boards, executive staff,
chancellors, deans, etc.) are not all on board and "demanding"
participation, demonstrating participation, measuring and enforcing
consequences, most of these "persuasions" have a low-level incremental
impact at best.

The most productive thing was to get breached, have a lot of negative
publicity, and to push some of the costs back at the offending
organization, but even that seems to be glossed over by distributing the
costs of the event more broadly perhaps than would be effective to
motivate significant change.  Some of our offenders continue to operate
without the higher degree of diligence their history would suggest
prudent.  The typical "never happened to us, must not be a real risk"
response is still common (at least it was on almost every audit I ever
performed.)

My personally most sensitive gripe is that it seems to be the
responsible "technicians" that get the consequences, not the management
level that had been forewarned and that by policy is responsible.  Until
that level is held accountable with consequence, I personally doubt that
any of us will ever be extremely successful in our awareness efforts.

In the end, the campus in general is certainly more aware of the topic
than some years ago, has more staff dedicated to it, and there is a
tangible sense of general awareness that training certainly had some
small part in motivating; however, it is very hard to assign the result
to the training.  I think the general answer to your question is pretty
common for any organizational activity.

1) Demonstrated commitment and behavior by senior/visible leaders (new
policies, roles, communications made, demonstrated behavior)

2) Relative ease in participation (online info and test for us)

3) Demonstrated consequence for failure to be "part of the team" (seems
to be a weaker area; we record training in employment record)

4) Broad and repetitive communication on the topic (largely an IT
initiative, needs more managerial acknowledgement in my opinion)

5) And finally, clear demonstration of benefit (consequence) to the
party being asked to participate.  (The entire industry still struggles
here.)

UCB's level of success (participation numbers) seems based on a number
of these attributes being demonstrated, in my opinion.  High success
would likely require them all.

Best regards,

Jim Dillon

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu        303-735-5682
-------------------Boulder------------------------

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jon Good
Sent: Wednesday, October 28, 2009 5:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Faculty Acceptance of Security Awareness Education?

Researching a question posed by our Academic Senate leadership: 

What approaches have worked at other institutions to persuade faculty
to get on the security awareness bandwagon [take the "training"]?

Jon Good
Director, Information Security
Information Resources & Communications
University of California Office of the President
415 - 20th Street, 3rd Floor
Oakland, CA 94612-2901
(510) 987-0518
