The effectiveness of an information security program ultimately depends upon the behavior of people. Behavior, in turn, depends upon what people know, how they feel, and what their instincts tell them to do. While an awareness training program can impart information security knowledge, it rarely has significant impact on people’s feelings about their responsibility for securing information, or on their deeper security instincts. The result is often a gap between the dictates of information security policy and the behaviors of our people.
One sees this phenomenon every time an employee opens an unexpected email attachment from a friend. They may not really care about the potential that the attachment is a virus, or they may care, but their instincts are not finely enough honed to intuitively recognize the threat.
It’s the same issue every time an employee falls victim to social engineering. People’s instincts are to be helpful. We amplify this instinct every time we tell employees about the importance of customer service. And then we wonder why, in that moment of truth, after the social engineer has sounded so friendly and seemed so honest, the employee disregards the awareness training program and gives up his password.