FCW : June 15, 2015
Boosting employees' security awareness

By designing security training tailored to employees' behavior, agencies can quickly reduce risk and save time and money

Commentary | KRIS VAN RIPER AND DYLAN MOSES

President Barack Obama declared cybersecurity a top priority for 2015, which seems timely given the series of high-profile breaches in recent months. The infiltrations of the Energy Department, Army Corps of Engineers, U.S. Postal Service and IRS signal that cybersecurity has truly become an issue of both economic and national security.

With most of the media attention focused on external hackers and cyber criminals, it can be easy to overlook internal risks, yet accidental employee breaches of information security policies are a frequent and critical threat to data security. CEB research shows that employee error contributes to 48 percent of all security incidents, while malware contributes to 20 percent and hacking represents just 11 percent. And according to a recent poll by SolarWinds, 53 percent of federal IT professionals say careless and ill-prepared employees are the greatest threat to their agencies' security. Take, for example, the July 2013 IRS incident that started with simple human error and ended with nearly 100,000 Social Security numbers compromised in a public database.

CEB research shows that although the average organization invests significantly in employee security training and communications campaigns, most fall short of achieving compliance. In fact, we found no correlation between spending and compliance. By not considering the mindset of their employees when creating campaigns, chief information security officers (CISOs) consistently capture the wrong metrics and therefore misdiagnose compliance issues. Our research shows that leading organizations that focus on employee behaviors tend to conduct more effective training campaigns, which can decrease human error by at least two-thirds.

CISOs should consider the following elements when designing and implementing a security program:

• Understand employees' behavior. The most effective campaigns identify the "why?" behind employees' lack of compliance, which can include a lack of awareness of policies or a lack of emotional commitment to information security. Capturing employee behavior requires a case-by-case assessment of how end users operate, what drives their actions and how they perceive the CISO's awareness efforts.

• Craft different messages for different users. Employees have different patterns of risky behavior, with most of the variability based on role and seniority. Leading CISOs tailor their campaigns for different groups with different risk profiles. They pay special attention to the content being delivered and how it is delivered. A recognizable campaign "look and feel" can increase the likelihood that employees will remember and act on communications.

• Create an incentive program. Detailed training and communications do not necessarily prompt a change in employees' risky inclinations. Instead, the most effective CISOs incorporate incentives for adopting safer behaviors as well as consequences for failing to do so. Our research shows that incentives, which can be as simple as recognition from a manager, can be just as productive as more costly training or communication efforts.

• Benchmark employees' current awareness level. Leading information security organizations measure compliance to trace the successes and failures of particular aspects of their awareness programs. Measuring employees' behaviors helps CISOs understand employees' perceptions and actions in order to address risky behaviors as soon as they arise.

Although the federal government faces many challenges in IT security, employee awareness is one area where agencies can quickly and effectively reduce risk. Keeping end users in mind when developing compliance campaigns can save agencies time and money while helping them better serve the public.

KRIS VAN RIPER is a practice leader and DYLAN MOSES is a research analyst at CEB.