This snapshot, taken on 26/07/2008, shows web content selected for preservation by The National Archives.

Education and Awareness

A well-trained, well-informed workforce is one of the most powerful weapons in an information security manager's arsenal. There are many reasons why, including:

  • People are very good at spotting irregularities; much better than machines
  • A significant proportion of information security incidents occurs through staff not knowing or understanding
  • Well-motivated staff will report (and act upon) trends and incidents that no mechanised process could realistically hope to detect

The key word is motivation. Without sound motivation, no amount of knowledge or understanding will change staff behaviour. What is needed is appropriate knowledge and understanding accompanied by appropriate action.

Any information security initiative should be accompanied by a parallel education and awareness initiative. How this is done depends on many different factors, including:

  • The level of perceived risk
  • Available budget - often dependent on the level of perceived risk
  • The technical infrastructure of the organisation affected
  • Geographic spread
  • Corporate culture

The issue of education and awareness has been addressed in a number of ways, some successful and others blatantly not so. Many initiatives fail because they are unstructured. There is a growing trend to treat them as objective-driven projects.

The core result from such initiatives should be a change in behaviour.