Six Myths of Information Security (cont'd)
Myth #5 – Classroom-format employee security education works
This is another well-documented "fact" found in security textbooks that turns out to be largely false. No one would argue that it's a bad thing for employees to know the basics about compliance with state, federal, and enterprise regulations and policies. But what most practitioners don't realize is that basic classroom-format training has little measurable effect on employee-driven data loss rates.
What we see
We've run hundreds of DLP risk assessments at large enterprises. In many of these engagements, we've scheduled the assessment in tandem with employee privacy training in an attempt to measure changes in behavior that the training might elicit. Amazingly, we've never seen a single case of a measurable decrease in the rates of data loss perpetrated by well-meaning insiders after classroom-format security and compliance training. In fact, in some cases we even see an increase in data loss rates after training.
What's going on here?
Even with the evidence we've collected, we don't have enough insight to say why this training is ineffective, but our customers seem to think it's hard to communicate these messages in a classroom setting, especially when the issues are largely hypothetical.
On the other hand, if you use a DLP solution to identify specific incidents of data loss performed by an employee and then automatically send them an email notification of their error, at that point you have a definite teachable moment. In this latter sense of education, a case-by-case intervention tied to a real incident, employee education does in fact work. This kind of capability produces big changes in employee behavior and precipitous declines in the rates of data loss.
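The incident-driven loop described above, as an added example that is not code from the original article or from any DLP product: a small Python triage that scans constructed outbound-message events for two content rules (a US SSN pattern and a Luhn-checked payment-card pattern), treats only messages to external recipients as incidents, builds a coaching notification for the sender, and applies a per-user, per-rule cooldown so that a single mistake does not generate a flood of emails. The event format, domain list, rule names and cooldown window are all assumptions made for the example; the per-user counts are the kind of rate you would compare across the training window the article describes.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed: the organisation's own mail domains. Anything else is "external".
INTERNAL_DOMAINS = {"corp.example"}

# Two illustrative content rules (hypothetical names, not a vendor's rule set).
RULES = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 13-16 digits, optional space/hyphen separators; validated with Luhn below.
    "payment_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
}

# Constructed sample of outbound-message events (not real traffic).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "sender": "alice@corp.example", "to": "partner@mail.example",
     "body": "Customer record attached, SSN 123-45-6789."},
    {"ts": "2024-03-01T11:30:00", "sender": "alice@corp.example", "to": "partner@mail.example",
     "body": "Second record, SSN 987-65-4320."},
    {"ts": "2024-03-01T12:00:00", "sender": "bob@corp.example", "to": "hr@corp.example",
     "body": "Onboarding form, SSN 555-12-3456."},          # internal recipient: not an incident
    {"ts": "2024-03-01T14:15:00", "sender": "carol@corp.example", "to": "vendor@mail.example",
     "body": "Please charge card 4111 1111 1111 1111 for the invoice."},
    {"ts": "2024-03-01T15:00:00", "sender": "dave@corp.example", "to": "vendor@mail.example",
     "body": "Order reference 1234 5678 9012 3456 confirmed."},  # fails Luhn: not a card
    {"ts": "2024-03-02T16:00:00", "sender": "alice@corp.example", "to": "partner@mail.example",
     "body": "Third record, SSN 222-33-4444."},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def detect_incidents(events):
    """Return one incident per (message, rule) for protected data leaving the organisation."""
    incidents = []
    for ev in events:
        if not is_external(ev["to"]):
            continue  # policy for this example: only data sent outside counts
        for rule, pattern in RULES.items():
            for match in pattern.finditer(ev["body"]):
                if rule == "payment_card" and not luhn_ok(re.sub(r"\D", "", match.group())):
                    continue
                incidents.append({"ts": datetime.fromisoformat(ev["ts"]), "sender": ev["sender"],
                                  "to": ev["to"], "rule": rule})
                break  # one incident per rule per message is enough for coaching
    return incidents


def build_notification(incident) -> str:
    """The 'teachable moment' email: specific, tied to what the person just did."""
    return (f"Your message to {incident['to']} on {incident['ts']:%Y-%m-%d %H:%M} appeared to "
            f"contain data matching the '{incident['rule']}' rule. This kind of information "
            f"should not be sent outside the company in plain email; please use the approved "
            f"secure transfer process or contact the security team if you need help.")


def notify_with_cooldown(incidents, cooldown=timedelta(hours=24)):
    """Send at most one notification per sender and rule within the cooldown window."""
    last_sent = {}
    sent = []
    for inc in sorted(incidents, key=lambda i: i["ts"]):
        key = (inc["sender"], inc["rule"])
        if key in last_sent and inc["ts"] - last_sent[key] < cooldown:
            continue  # already coached recently; do not spam the user
        last_sent[key] = inc["ts"]
        sent.append({"sender": inc["sender"], "rule": inc["rule"], "message": build_notification(inc)})
    return sent


def incidents_per_user(incidents):
    """Per-user incident counts: the metric to track before and after an intervention."""
    return dict(Counter(inc["sender"] for inc in incidents))


if __name__ == "__main__":
    found = detect_incidents(SAMPLE_EVENTS)
    print(incidents_per_user(found))
    for note in notify_with_cooldown(found):
        print(note["sender"], "->", note["message"])
```

The cooldown is the part most often missed in a first implementation: without it, a user who mails ten records in an afternoon gets ten identical emails, and the notification stops being a teachable moment and becomes noise that is filtered out. The per-user counts are what let you actually measure the decline in data loss rates that the article describes, rather than relying on the training attendance sheet.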
As far as traditional classroom-based privacy and compliance training, I think this is another myth that's been pretty thoroughly busted by DLP.