Educause Security Discussion mailing list archives
Re: Faculty Acceptance of Security Awareness Education?
From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Thu, 29 Oct 2009 12:59:28 -0600
Jon,

Policy, following the pain of a bunch of very public breaches, and some top cover as a result from campus and System management, achieved a reasonable "participation" level, I believe, at the University of Colorado at Boulder. However, that is not the end of the question, as participation does not indicate result quality, and it wasn't nearly 100% participation, the goal. Here are some questions to consider:

1. Was that training effective? How do you measure to know?

2. Did it promote changed behavior?

3. It was one of many trainings that caused a general "we're being trained to death" complaint from the faculty, who generally do not like any requirement for training. In fact many general policies and training requirements were rescinded. In some cases these were probably supportable actions; in others it became a barrier to pursuing further useful training. I can't competently judge how much truth there is in the faculty claim - although my gut reaction is to snort at it and believe it to be a false complaint, given the FAR greater requirements of this sort I faced in the corporate sector! I'm willing to believe that my perspective MAY be a misjudgment because my viewpoint was narrow along this topic line and my background includes highly "quality" sensitive business models.

4. What consequences have been levied for non-compliance with the training/awareness efforts?

5. Is there sufficient follow-on training to capture incoming, part-time, and outsourced service functions? Do we keep up with personnel turnover? I tend to believe we struggle in these areas, but I don't have a measured result to validate that belief, only on-the-job observations.

6. Highly visible private data search/scanning process.

The fourth observation is the biggest one. The common understanding in risk functions, internal audit, and our security sources is that if the most senior of all responsible parties (boards, executive staff, chancellors, deans, etc.) are not all on board and "demanding" participation, demonstrating participation, measuring and enforcing consequences, most of these "persuasions" have a low-level incremental impact at best. The most productive thing was to get breached, have a lot of negative publicity, and to push some of the costs back at the offending organization, but even that seems to be glossed over by distributing the costs of the event more broadly perhaps than would be effective to motivate significant change. Some of our offenders continue to operate without the higher degree of diligence their history would suggest prudent. The typical "never happened to us, must not be a real risk" response is still common (at least it was on almost every audit I ever performed). My personally most sensitive gripe is that it seems to be the responsible "technicians" that get the consequences, not the management level that had been forewarned and that by policy is responsible. Until that level is held accountable with consequence, I personally doubt that any of us will ever be extremely successful in our awareness efforts.

In the end, the campus in general is certainly more aware of the topic than some years ago, has more staff dedicated to it, and there is a tangible sense of general awareness that training certainly had some small part in motivating; however, it is very hard to assign the result to the training.

I think the general answer to your question is pretty common for any organizational activity:

1) Demonstrated commitment and behavior by senior/visible leaders (new policies, roles, communications made, demonstrated behavior)

2) relative ease in participation (online info and test for us)

3) demonstrated consequence for failure to be "part of the team" (seems to be a weaker area; we record training in employment record)

4) broad and repetitive communication on the topic (largely an IT initiative, needs more managerial acknowledgement in my opinion)

5) and finally, clear demonstration of benefit (consequence) to the party being asked to participate. (The entire industry still struggles here.)

UCB's level of success (participation numbers) seems based in a number of these attributes being demonstrated, in my opinion. High success would likely require them all.

Best regards,

Jim Dillon

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu
303-735-5682
-------------------Boulder------------------------

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jon Good
Sent: Wednesday, October 28, 2009 5:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Faculty Acceptance of Security Awareness Education?

Researching a question posed by our Academic Senate leadership: What approaches have worked at other institutions to persuade faculty to get on the security awareness bandwagon [take the "training"]?

Jon Good
Director, Information Security
Information Resources & Communications
University of California Office of the President
415 - 20th Street, 3rd Floor
Oakland, CA 94612-2901
(510) 987-0518