Eric Vanderburg

Information security policies and security awareness go hand in hand. Frankly, a policy is worthless if it sits on someone’s desk. Information security policies find value when they are understood, adhered to, and enforced. In order to do this, employees must be made aware of the policy, the policy’s reason for being, and how it impacts them.

This article outlines the problem of enacting security policies without associated awareness programs. It also cites recent research on harmful user activities that could be mitigated through implementing awareness training following policy enactment.

The problem with policies alone

Companies are learning that they need to have policies in place that establish top management support for security initiatives. However, many of these policies lack effectiveness because end users have no knowledge of them or they do not care. Companies need to take the next step and educate users on the policies. A study by the Ponemon Institute found that 58% of those surveyed said their employer did not provide adequate security awareness training. This figure clearly identifies where improvements are necessary.

SIDE NOTE:Companies should use internal surveys to measure the actual security awareness of persons in their organization. All too often companies conduct awareness training but remain in the dark about actual awareness levels. Numbers like the ones from this study shed light on this disturbing truth.

Awareness of the policies needs to address why the policy is important to the users. Many policies require users to take additional steps that may slow or impede the work they do. At the bare minimum, security policy adherence will require users to change their routines. Users will not be motivated to change their routines and they will resist attempts to impede their work unless they understand how these policies benefit them.

Users need to be brought “on board” so that they agree with the policy and are motivated to comply with it. The first part of this initiative is to educate users on the value of the information they possess and the importance of their position within the company. The second step is to show them how this information can be compromised and finally, how they can protect that information by adhering to the policy.

Awareness research findings

Current research has identified some concerning statistics in regards to unsecure employee practices. The table below summarizes a portion of the findings from a Ponemon survey and shows areas where security awareness is lacking.

Routine actions performed by users Percentage
Storing data on insecure mobile devices 61%
Downloading Internet applications on workplace computers 53%
Using web-based personal email in the office 52%
Divulging passwords to others 47%
Losing equipment with privileged or confidential data 43%

These five activities were routinely performed by roughly half of those surveyed. Each activity is potentially harmful to a company. Storing data on insecure mobile devices could allow unauthorized individuals access to company data if those devices were stolen. The last item in the table above shows that equipment containing privileged or confidential data is routinely lost. This exposes the company to potential privacy litigation, a loss of reputation, or a loss of competitive position in the marketplace if the data contained trade secrets, proprietary processes, or customer lists.

The downloading of Internet applications could infect company computers with malware including root kits, Trojan horses, viruses, and backdoors into company systems. These applications can also cause incompatibilities with supported software making it difficult for employees to perform their jobs. Many employees are aware of how easy it is to make a computer unusable by downloading software from the Internet as the practice is very prevalent for home users. Awareness programs should educate users on how downloading Internet applications can impact their ability to perform their job.

Using personal web-based email in the office brings risks similar to downloading applications. Awareness programs should educate users on how using web based email can impact their ability to perform their job. Many attacks are email based and while organizational email is often screened by equipment to filter out malicious email, web based email may not be as secure.

Divulging passwords to others gives them the ability to perform any action the user can perform. This could make it appear that the user who shared his or her password committed crimes or misused their authority. Users who are aware of this may be less likely to share their passwords with others. Awareness programs can stress that even if another person is trusted they may not adequately protect a username or password allowing it to fall into a malicious user’s hands. Passwords should not be shared with even trusted users. For more information, see the article “Guidelines for Username and Password Risk Management”.


As can be seen from this data, users routinely take actions that could be harmful to organizational information systems. Many companies already have policies that restrict such activities but users are unaware of them as is reflected in the low rating of awareness training. Until users know of the policy and are motivated to follow it, trends like these will continue and organizations will still be vulnerable. It is imperative that users be educated on the role of policy and be motivated to adhere to these policies once they are established.

For further reading

Ideas to Promote Information Security Awareness

JURINNOV, a Cleveland based firm, offers information security consulting services to give you more confidence in your information systems. Contact us today and bring your security to the next level.