Forget Something?

Offering security training isn't enough to curtail breaches; employees must follow through.

Most travelers know what to do at an airport security checkpoint: Pull out the quart-size, zip-top plastic bag filled with 3-ounce containers of liquids; take off shoes; place folded coat in a bin; remove laptop from its bag. It's almost second nature.

Go to any agency, however, and you likely will find many people who rarely change their passwords, who download sensitive documents to thumb drives, or who click on dubious embedded links in e-mails. Knowing what not to do when working on a computer should be just as ingrained in employees' psyches as knowing what to do at an airport security checkpoint.

But that isn't how it works. The answer, you might think, is to offer training. That can drive some changes in behavior, and agencies offer a slew of security courses. But the number of high-profile security breaches over the years proves that providing training doesn't cut down on such mishaps. "Compromises in security continuously arise where an employee is the cause," says Patrick Howard, chief information security officer for the Nuclear Regulatory Commission. He joined NRC in March, after holding the same position at the Housing and Urban Development Department. "A lot is human nature. People just don't think, or they rationalize, 'What I have to do today is more important than following security rules.'

"There has not been a culture of security established where [precautions have become] automatic, because agencies are too focused on getting the required box checked. Existing legislation is fine; it's the implementation that might be out of kilter."

The 2002 Federal Information Security Management Act requires agencies to provide training to ensure that employees are aware of their security responsibilities. The law also requires specialized training for employees whose jobs involve processing or managing sensitive information. Every year, agencies must file reports to the Office of Management and Budget on their security awareness and training programs.

The Information System Security Line of Business, part of the President's Management Agenda, directs agencies to provide by Sept. 30 security awareness training from the Defense Department, Office of Personnel Management or from a joint program developed by the State Department and the U.S. Agency for International Development. These agencies operate shared service centers that specialize in security awareness training.

The line of business encourages agencies to take advantage of specialized services, which include courses tailored to particular work roles. This training is voluntary, but OMB likely will require it once the program has been established. A volunteer cross-agency workgroup is developing standards for the program.

But employees aren't lining up to enroll. A little more than 138,500 employees from large agencies, only 4 percent of the governmentwide workforce, took security awareness training at a shared service center in 2007, according to OMB.

The key to training more employees, says Robert Howard, the Veterans Affairs Department's chief information officer, isn't more legislation. What's needed, he says, is to communicate to federal managers that security training is important. "We do not lack for guidance and direction," he says. "Just putting out programs and asking people to take them is not good enough. You've got to keep beating the drum."

In May 2006, a laptop was stolen from a VA employee's home, exposing the names, dates of birth and Social Security numbers of 26.5 million veterans and their family members. In response, the department revamped its information security program, focusing on consistent and customized training. All VA employees now sign a document that details the rules of behavior for security. They must enroll in two online training programs at least once a year, one on privacy and one on security, which are customized by each VA organization and focus on individual security responsibilities.

The department mandates a series of role-based courses that IT and security professionals must take within the first 90 days of being hired. The more an employee works with sensitive information and networks, the more advanced the security course. An intern program for new information security professionals augments the Web-based training with hands-on classroom instruction. VA assigns trained mentors to employees who need individual attention.

"You don't want everyone to become aware of information security after a VA-type of breach happens, but there needs to be a balance," says Karen Evans, OMB administrator for the Office of E-Government and Information Technology. "If an agency wants to take advantage of a particular capability, some degree of risk might be necessary. It's up to agencies to analyze backdoor vulnerabilities that exist and ask, 'Is this a risk we're willing to live with?' Then either sign off, or set the threshold higher."

Agencies should consider emerging threats that could infect their systems and incorporate lessons on how to thwart those attacks into their training programs, NRC's Howard says. Then they should test employees to see whether they retained the information and rework the content they failed to learn. "There's a temptation to say, 'That worked last year, so it's probably good this year,' but a lot changes," he says. "The bad guys, more than ever before, are taking advantage of those failures of human nature: the opening of e-mail attachments, clicking on embedded links. It's difficult to expect users to automatically not fall for that. People are basically trusting, even when they shouldn't be."
