Are Employees Really to Blame?
Tuesday, September 30, 2008 12:29 PM
Symbols: EXBD

A New Look at Who is at Fault For Breaches of Personal Information

More than 244 million private records have been lost by companies and government agencies since 2005, with almost all of these losses being blamed on employees’ risky behavior. However, before assigning blame, organizations might want to take a look in the mirror, according to a new, first-of-its-kind study by the Information Risk Executive Council (IREC), a program of the Corporate Executive Board (NASDAQ: EXBD).

“The irony here is that employees actually want to do the right thing, they just need a little help,” says Jeremy Bergsman, Ph.D., the lead author of the study. “Our study shows that most companies either don’t do much to educate employees about information security, or the training is not based on what actually works to help employees do the right thing.”

This study shows that more than a third of risky employee behavior is caused by security guidelines and procedures that are too hard to follow, according to the 57,000 employees from 60 global corporations included in the survey. Moreover, 46% of risky behavior can be addressed with proper training and incentives – something companies rarely do effectively, wasting millions of dollars in training costs.

The research identifies three key insights to consider when designing information security “awareness” efforts. First, do not focus on scare tactics or technical explanations, but instead provide clear instructions about what employees should do in a way that is relevant to employees’ actual jobs. Second, incentives—as simple as token gifts or a word from a manager—are just as effective as more costly training efforts. Third, while security professionals tend to think first about punishments for misbehavior, rewards for good behavior are just as effective. Positive incentives allow companies to reach the majority of employees who tend to do the right thing, rather than waiting for something bad to happen before they can act.

IREC, the leading consultancy for Chief Information Security Officers and other senior Information Risk executives, took this research beyond measuring employee behavior related to security, to include the psychology behind those behaviors and what companies should do to change risky behavior.

