Forget Something?

Offering security training isn't enough to curtail breaches; employees must follow through.

Most travelers know what to do at an airport security checkpoint: Pull out the quart-size, zip-top plastic bag filled with 3-ounce containers of liquids; take off shoes; place folded coat in a bin; remove laptop from its bag. It's almost second nature.

Go to any agency, however, and you likely will find many people who rarely change their passwords, who download sensitive documents to thumb drives, or who click on dubious embedded links in e-mails. Knowing what not to do when working on a computer should be just as ingrained in employees' psyches as knowing what to do at an airport security checkpoint.

But that isn't how it works. The answer, you might think, is to offer training. That can drive some changes in behavior, and agencies offer a slew of security courses. But the number of high-profile security breaches over the years proves that providing training doesn't cut down on such mishaps. "Compromises in security continuously arise where an employee is the cause," says Patrick Howard, chief information security officer for the Nuclear Regulatory Commission. He joined NRC in March, after holding the same position at the Housing and Urban Development Department. "A lot is human nature. People just don't think, or they rationalize, 'What I have to do today is more important than following security rules.'

"There has not been a culture of security established where [precautions have become] automatic, because agencies are too focused on getting the required box checked. Existing legislation is fine; it's the implementation that might be out of kilter."

The 2002 Federal Information Security Management Act requires agencies to provide training to ensure that employees are aware of their security responsibilities. The law also requires specialized training for employees whose jobs involve processing or managing sensitive information. Every year, agencies must file reports to the Office of Management and Budget on their security awareness and training programs.

The Information System Security Line of Business, part of the President's Management Agenda, directs agencies to provide, by Sept. 30, security awareness training from the Defense Department, the Office of Personnel Management, or a joint program developed by the State Department and the U.S. Agency for International Development. These agencies operate shared service centers that specialize in security awareness training.

The line of business encourages agencies to take advantage of specialized services, which include courses tailored to particular work roles. This training is voluntary, but OMB likely will require it once the program has been established. A volunteer cross-agency workgroup is developing standards for the program.

But employees aren't lining up to enroll. A little more than 138,500 employees from large agencies, only 4 percent of the governmentwide workforce, took security awareness training at a shared service center in 2007, according to OMB.

The key to training more employees, says Robert Howard, the Veterans Affairs Department's chief information officer, isn't more legislation. What's needed, he says, is to communicate to federal managers that security training is important. "We do not lack for guidance and direction," he says. "Just putting out programs and asking people to take them is not good enough. You've got to keep beating the drum."

In May 2006, a laptop was stolen from a VA employee's home, exposing the names, dates of birth and Social Security numbers of 26.5 million veterans and their family members. In response, the department revamped its information security program, focusing on consistent and customized training. All VA employees now sign a document that details the rules of behavior for security. They must enroll in two online training programs at least once a year, one on privacy and one on security, which are customized by each VA organization and focus on individual security responsibilities.

The department mandates a series of role-based courses that IT and security professionals must take within the first 90 days of being hired. The more an employee works with sensitive information and networks, the more advanced the security course. An intern program for new information security professionals augments the Web-based training with hands-on classroom instruction. VA assigns trained mentors to employees who need individual attention.

"You don't want everyone to become aware of information security after a VA-type of breach happens, but there needs to be a balance," says Karen Evans, OMB administrator for the Office of E-Government and Information Technology. "If an agency wants to take advantage of a particular capability, some degree of risk might be necessary. It's up to agencies to analyze backdoor vulnerabilities that exist and ask, 'Is this a risk we're willing to live with?' Then either sign off, or set the threshold higher."

Agencies should consider emerging threats that could infect their systems and incorporate lessons on how to thwart those attacks into their training programs, NRC's Howard says. Then they should test employees to see whether they retained the information and rework the content they failed to learn. "There's a temptation to say, 'That worked last year, so it's probably good this year,' but a lot changes," he says. "The bad guys, more than ever before, are taking advantage of those failures of human nature: the opening of e-mail attachments, clicking on embedded links. It's difficult to expect users to automatically not fall for that. People are basically trusting, even when they shouldn't be."
