Online Educa (3) Security Awareness


Continuing coverage of the International Forum on eLearning for Defence and Security

I chaired a session on raising levels of security awareness, both amongst employees and the general public.

This is a timely topic. Two weeks ago two disks containing financial and health information on 25 million UK citizens were lost in the mail. The TV show 60 Minutes drove past retail stores with a wireless laptop, tapping into credit information from stores with dated security protocols. The director of the CIA, George Tenet, was caught taking classified information to his home.

An MIT professor suggested that a better name for the Department of Homeland Security would be the Department of Homeland Statistics.

My session’s three presenters described eLearning solutions for financial institutions, universities, and the general citizenry. None of them struck me as making any difference. Instead of calling for questions, I called for discussions: ten minutes in small groups to discuss what each was doing to increase awareness of security. A few people came up with suggestions or examples.

Twenty minutes later a panel of session chairpersons convened for brainstorming and dialog. I said security awareness was a complex problem and therefore was inherently unpredictable, defied logical solution, and would not be solved by eLearning. Changing behavior will require visceral learning and emotional involvement.

2 comments ↓

#1 Gary Hinson on 12.08.07 at 6:41 pm

I’m interested by your observation that the ‘security awareness problem’ will not be solved by eLearning. I agree in the sense that eLearning *alone* will not raise security awareness to the extent necessary to change behaviors, but still I feel eLearning is a useful tool in the security awareness, training and education toolbox.

It seems to me that awareness, per se, of security is an interim stage not a final goal. Making employees aware of their obligations under security policies, laws etc. is only half the battle. Making them fulfil their obligations, i.e. actually changing their behaviors to improve security, is a separate issue. As you say, ‘visceral learning and emotional involvement’ are techniques heading in the right direction, but so too are many other communications and audience participation/engagement methods, like for example repetition, practise and habituation. This is precisely why I prefer the term “disaster recovery exercise” over “disaster recovery test”, for essentially identical processes. ‘Exercise’ implies that people will learn by doing (in a safe, controlled environment) what they are anticipated to do after a genuine disaster. That way, when the Big One hits, they have instinctive cues about what to do next. In security awareness programs that I have designed and delivered, I also make use of periodic repetition of key messages around confidentiality, integrity and availability of valuable information assets, tackling the same core themes from different directions each month. So, while I accept that security awareness is complex, I don’t necessarily accept that it is therefore a problem or inherently unpredictable. There *are* ways to make it work, if one is creative enough in approach and has a basic understanding of human psychology, motivational techniques etc.

Kind regards,
Gary

#2 Jay Cross on 12.11.07 at 4:10 pm

Gary, the name of the topic was dictated by the conference organizers. None of the speakers suggested eLearning plus something; they recommended eLearning period. I don’t think security awareness is impossible or unpredictable; I do think many forms of terrorist activity are unpredictable. Thanks for chiming in.

jay
