Welcome to the SecAware blog

I spy with my beady eye ...

3 Jun 2007

Awareness survey raises more questions than it answers

An assessment of the state of information security awareness by US Federal agency employees, based on the Federal Information Security Management Act 2002 (FISMA), found that:
"FISMA is not widely known and its mission and purpose are often misunderstood. When known, FISMA is often viewed as a compliance headache rather than a framework for improving information security.
Protecting information assets can only be accomplished if organizations implement a sustainable information security program, of which awareness training is an essential and foundational component. However, implementing awareness training is not enough. [The] results demonstrate that awareness programs must be continually measured for effectiveness."

The report repeatedly links measurement of security awareness with improving its effectiveness, without providing any theoretical or empirical evidence of that link. I would agree that measurement is one important element in the effectiveness of a security awareness program, but it is not the only factor by a long chalk. By analogy, I can measure the height of a tree all I like without making any impact whatsoever on the tree's growth rate. The report is somewhat light on suggestions for how to improve security awareness.
The report also frequently uses the phrase "awareness training" although it does acknowledge (by reference to the definitions in NIST SP 800-50) that awareness and training are different albeit related concepts.
Most damning of all, the survey was based on responses from just 85 people. The report doesn't say how the respondees were selected or surveyed - it is entirely possible, for example, that they self-selected by responding to an online survey having already expressed an interest in information security, awareness and/or training. Questions of this nature on the experimental methods are only partly answered in the report. Speaking as a reformed scientist, I would challenge the validity of the report on this basis alone. The fact that it was released and promoted by a vendor active in the security market ultimately seals its fate for me.

No comments:

Post a Comment