Government Technology

Study Finds Information Security Awareness Training for Government Workers Falls Short


May 29, 2007, News Report

An Information Security Awareness Report was released today by SecureInfo, providing an independent, cross-agency, quantitative analysis on the effectiveness of the Federal government's Information Security awareness training programs. By focusing exclusively on the Federal government worker's perspective, the report provides a unique and often overlooked view into the effectiveness of Information Security awareness training.

According to the Privacy Rights Clearinghouse, 82 percent of all public sector security breaches in 2006 were attributed to inadvertent acts (e.g., posting personal information on public Web sites, lost laptops, throwing sensitive data in the trash), underscoring the need to look more closely at information security awareness.

The Federal government enacted the Federal Information Security Management Act (FISMA) of 2002 and published standards to ensure government workers are aware of, and trained on, pertinent security regulations, policies, and procedures. However, the report found a significant disconnect between attending awareness training and the actual effectiveness of that training.

Only 45 percent of those familiar with FISMA view it as an effective means of improving security posture. Moreover, 40 percent of Federal government workers believe their agency views FISMA as a compliance headache, disconnected from its true purpose of improving security posture. FISMA requires agency-wide Information Security programs and states that they shall include "security awareness training." According to the 2006 FISMA Report to Congress, 91 percent of Federal government workers participated in IT security awareness training in 2006, and the total cost of providing IT security training across the Federal government was more than $74 million.

"FISMA must be viewed as a means to securing information systems rather than a compliance headache in order for government workers to embrace and internalize information security awareness training," said Christopher Fountain, CEO of SecureInfo. "As articulated by NIST, awareness is the foundational element and critical building block for protecting our nation's information assets. However, implementing awareness training is not enough. Awareness programs must be continually measured and tested for effectiveness."

The report outlines specific recommendations for measuring the effectiveness of Information Security Awareness training programs.

  • Independently test and validate
    • Establish ongoing program to challenge and test awareness training
    • Include random evaluation of employees to determine retention level of policy and procedures
  • Measure and report effectiveness of awareness training programs
    • The FISMA Report to Congress should include metrics, which provide a clear indication of the effectiveness of training programs
  • Include Information Security awareness measurements in performance appraisals
    • Government workers should be held accountable and measured
    • Insert specific language regarding Information Security awareness into all performance appraisals
JB
