Offering security training isn't enough to curtail breaches-employees must follow through.
Most travelers know what to do at an airport security checkpoint: Pull out the quart-size, zip-top plastic bag filled with 3-ounce containers of liquids; take off shoes; place folded coat in a bin; remove laptop from its bag. It's almost second nature.
Go to any agency, however, and you likely will find many people who rarely change their passwords, who download sensitive documents to thumb drives, or who click on dubious embedded links in e-mails. Knowing what not to do when working on a computer should be just as ingrained in employees' psyches as knowing what to do at an airport security checkpoint.
But that isn't how it works. The answer, you might think, is to offer training. That can drive some changes in behavior, and agencies offer a slew of security courses. But the number of high-profile security breaches over the years proves that providing training doesn't cut down on such mishaps. "Compromises in security continuously arise where an employee is the cause," says Patrick Howard, chief information security officer for the Nuclear Regulatory Commission. He joined NRC in March, after holding the same position at the Housing and Urban Development Department. "A lot is human nature. People just don't think, or they rationalize, 'What I have to do today is more important than following security rules.'
"There has not been a culture of security established where [precautions have become] automatic, because agencies are too focused on getting the required box checked. Existing legislation is fine-it's the implementation that might be out of kilter."
The 2002 Federal Information Security Management Act requires agencies to provide training to ensure that employees are aware of their security responsibilities. The law also requires specialized training for employees whose jobs involve processing or managing sensitive information. Every year, agencies must file reports to the Office of Management and Budget on their security awareness and training programs.
The Information System Security Line of Business, part of the President's Management Agenda, directs agencies to provide by Sept. 30 security awareness training from the Defense Department, Office of Personnel Management or from a joint program developed by the State Department and the U.S. Agency for International Development. These agencies operate shared service centers that specialize in security awareness training.
The line of business encourages agencies to take advantage of specialized services, which include courses tailored to particular work roles. This training is voluntary, but OMB likely will require it once the program has been established. A volunteer cross-agency workgroup is developing standards for the program.
But employees aren't lining up to enroll. A little more than 138,500 employees from large agencies-only 4 percent of the governmentwide workforce-took security awareness training at a shared service center in 2007, according to OMB.
The key to training more employees, says Robert Howard, the Veterans Affairs Department's chief information officer, isn't more legislation. What's needed, he said, is to communicate to federal managers that security training is important. "We do not lack for guidance and direction," he says. "Just putting out programs and asking people to take them is not good enough. You've got to keep beating the drum."
In May 2006, a laptop was stolen from a VA employee's home, exposing the names, dates of birth and Social Security numbers of 26.5 million veterans and their family members. In response, the department revamped its information security program, focusing on consistent and customized training. All VA employees now sign a document that details the rules of behavior for security. They must enroll in two online training programs at least once a year-one on privacy and one on security-which are customized by each VA organization and focus on individual security responsibilities.
The department mandates a series of role-based courses that IT and security professionals must take within the first 90 days of being hired. The more an employee works with sensitive information and networks, the more advanced the security course. An intern program for new information security professionals augments the Web-based training with hands-on classroom instruction. VA assigns trained mentors to employees who need individual attention.
"You don't want everyone to become aware of information security after a VA-type of breach happens, but there needs to be a balance," says Karen Evans, OMB administrator for the Office of
E-Government and Information Technology. "If an agency wants to take advantage of a particular capability, some degree of risk might be necessary. It's up to agencies to analyze backdoor vulnerabilities that exist and ask, 'Is this a risk we're willing to live with?' Then either sign off, or set the threshold higher."
Agencies should consider emerging threats that could infect their systems and incorporate lessons on how to thwart those attacks into their training programs, NRC's Howard says. Then they should test employees to see whether they retained the information and rework the content they failed to learn. "There's a temptation to say, 'That worked last year, so it's probably good this year,' but a lot changes," he says. "The bad guys, more than ever before, are taking advantage of those failures of human nature-the opening of e-mail attachments, clicking on embedded links. It's difficult to expect users to automatically not fall for that. People are basically trusting, even when they shouldn't be."