On the subject of failed awareness.
By Eh’den (Uri) Biber, CISM, CISA, CISSP, CRISC
Yesterday I was given a link to a recording of a famous expert who talked about the subject of information security awareness training. What you are about to read are very bold claims. I find them fascinating, though I am sure they might upset some readers. Please don’t shoot me, I’m just transcribing 🙂
Before you ask – I will disclose the expert’s name the minute I get his approval to do so.
The best kind of learning…requires the learner to do most of the talking. It’s an active process of making sense of ideas.
I wish to start with a research study that surprised some people.
It featured a bunch of information security experts who were given an awareness training to teach. The experts were divided into two groups. The first group was told that they would be held accountable for raising the awareness standard of their colleagues; their success would be judged on the basis of how well their colleagues did in a test which the colleagues were required to pass at the end of the training. The second group of experts was given the same awareness training subject, but was told “see if you can facilitate your colleagues so they will understand the material”. That’s it – no reference to a test, accountability or standards.
The experts returned to their work and trained their colleagues, and at the end the test was conducted. The results were striking: people who were taught by the accountability-and-standards group did significantly worse than those taught by the other group, the one that was not focused on accountability and standards. The training material was standard awareness training material; think how big the divergence could have been if the material had required deep thinking and self-analysis of new types of attacks.
When accountability and standards are the only currency an organization has, it is no wonder organizations fail.
The second study tried to see the impact of the training on the experts themselves, and how they taught the material. They found that the experts in the accountability-and-standards group turned into drill sergeants, removing almost any opportunity for the people whom they taught to play an active role in their own learning.
Other research has shown that the less people are able to make decisions about their own learning, the lower the quality of the learning itself.
Sadly, there are experts who were never forced to follow a standards-and-accountability trail yet choose to do so (generating bad results), and there are experts who wish to use a more open approach to information security awareness training, who would like to bring people into the process of thinking and making sense of ideas, and who find it increasingly difficult to do that in this climate of prescriptive standards and tests and the like. In effect, the experts feel controlled, and they respond by becoming controlling.
It may make sense for experts who feel micro-managed, deskilled, disrespected to say “I know what it feels like to be treated that way, so I’m going to do everything in my power to treat other people that I need to educate the way I wish I was being treated, not the way I am being treated.”
Yet sadly, again, all the way down the information security food chain we find that managers and directors, board members and other experts end up passing along this control, and it ends up with people doing to the people below them what those above them are doing to them.
Until someone has this brainstorm and says “NO, I’m going to be a buffer, I’m going to absorb as much control as possible, you will not see me doing ‘behavioral management programs’ on other people that treat them like pets, that try to demand compliance rather than eliciting initiative.”
Experts say “They do not give me that much autonomy”, but not “I don’t have much leeway in this terrible corporate climate of controlled information security awareness reform, but I’m going to share what leeway I do have with my colleagues rather than insisting that we do it by the numbers. If control doesn’t work for me, it doesn’t work for my colleagues.”
Not everybody is there yet.
I will transcribe more and update the blog…