Educate your users? Now there’s a novel idea.

I’ve audited organizations which boasted 20 or 30 information security personnel. That’s a decent-sized group. And, when I get to asking them about their user education program, it’s not surprising to hear that they have maybe allocated one-half of a full-time employee (FTE) to user education. User education isn’t sexy, stimulating, or fun (usually). However, educating your users is part of COMMUNICATING your policy. You can’t expect people to go the speed limit if you don’t post signs letting them know what the speed limit is.

A well-educated populace can serve as a human IDS, alerting you to possible problems within your network. User education also highlights your security group as the enforcers of the rules. Cars tend to drive closer to the speed limit when they see a police car on the horizon. It’s the same with corporate information security. I try to reach each user at least 4 times a year. This isn’t necessarily a physical act. That is, you can reach your users through snail mail, posters, email, a recorded message, a web meeting, an interactive demo, a Java security game, etc. Primary user education goals would include:

1) VISIBILITY – Simply put, let them know who you are.
2) ASSISTANCE – Make the security group available to help the users (your clients, by the way) be more secure and productive.
3) REWARD – Reward users who have not only adhered to the policies but also helped to make the environment more secure.
4) DELEGATE – Appoint a security liaison. I choose one per remote location as well as one per business unit.
5) ACCOUNTABILITY – Remind them of their responsibilities and the security team’s capabilities.
6) SOLICIT – Users aren’t passive participants in Security. Solicit their feedback and suggestions. What suggestions do they have for making the environment more secure? There should be a mechanism which allows *any* user to give feedback. Allow them to give this feedback anonymously, if they wish. You’ll be surprised at what you get.
7) WARN – Tell them what they should be on the lookout for (Phishing, email attachments, malicious sites, etc.)

I delegate 15% of my staff to user education. It’s *that* important. We sponsor events, give away prizes, give yearly awards, maintain a 24×7 message board, etc. Your dedicated user education staffers should be highly creative. Don’t tuck them off in a corner. Make yourselves visible and approachable; it’ll pay off in big ways.


  • Ravi Char

    What is the best way to convince management about the importance of user education? Many Fortune 500 companies do not seem to impart “Security Awareness Training” on a regular basis!

  • dmitryc

    Use data from Gartner, I-4, and your peers (i.e. other Fortune 500 companies; often, the latter is the one that does the trick). As you grow your user education, show your bosses the ROI. And, if you are just starting out, look for organizations or speakers that will come in and lend a hand for free (local security associations, vendors, FBI, local law enforcement). Align yourself with Corporate Security, Legal, and HR. Keep adding to the program, reporting successes, repeat…