SecureInfo Report Finds Government Workers Frequently Violate Information Security Policies

Only 20% of Respondents Believe Information Security Policies are Consistently Followed – Accountability Needs to be Improved

Washington, DC, December 10, 2007 – SecureInfo® Corporation, a market-proven provider of Information Assurance solutions, today released its second Information Security Awareness Report™, providing an independent, cross-agency, quantitative analysis on the impact of Information Security awareness on the government’s security posture. By focusing exclusively on the Federal government worker’s perspective, the Report provides a unique and often overlooked view into the effectiveness of Information Security awareness programs.

The report found that although 80 percent of government workers believe that Federal information systems face significant threats and that information security is important to agency leadership, government workers continue to violate information security policies. Twenty-two percent of government workers believe their co-workers follow Information Security policies and procedures half the time or less. Furthermore, the majority of government workers are not held accountable for understanding information security policies and procedures. According to the Report, only 36% of government workers are held accountable for knowing Information Security policies and procedures via their annual performance evaluation.

“The nature of threats to our nation’s information assets has changed,” said Christopher Fountain, CEO of SecureInfo. “Modern day attackers have adopted stealthier techniques designed to exploit user trust. People, not technology, represent the most significant potential vulnerability to the information systems on which the government depends to fulfill its mission.”

“The good news is government workers and their leadership understand the importance of information security. The bad news is workers seem to lack an understanding of the critical role they play in protecting information assets. There needs to be more accountability across the government workforce and a greater sense of urgency on the part of the Federal government to directly address this vulnerability,” added Fountain.

The report also found that Information Security awareness training is not effective and is not adequately measured for effectiveness. Among the 97 percent of government employees required to take information security training, only 48% of employees were tested throughout the year on what they learned in awareness training, and only 33% of those attending training remembered most (95% to 100%) of the material covered in training. More than half (54%) of government workers believe they would benefit from additional Information Security awareness training throughout the year.

In addition to the findings, the SecureInfo Information Security Awareness Report™ outlines specific recommendations for increasing Federal employee accountability, awareness and understanding of information security awareness:

Independently Test and Validate

  1. Establish an ongoing program to challenge and test awareness training.
  2. Include random evaluation of employees to determine the retention level of information security policy and procedures.

Include Information Security Awareness Measurement in Performance Appraisals

  1. Include specific language regarding information security awareness in all performance appraisals.
  2. Hold government workers, not just the agencies, accountable for information security awareness effectiveness.

Measure and Report Effectiveness of Awareness Training Programs

  1. Measure government workers for information security awareness effectiveness.
  2. Require agency leadership to publicly report on the effectiveness of training programs.

For detailed analysis of the findings and recommendations, please download the complete “SecureInfo Information Security Awareness Report” at www.secureinfo.com/downloads.
  
About the SecureInfo Information Security Awareness Report
Numerous Information Security surveys and reports have been published focusing on the CISO’s or CIO’s viewpoint. While these perspectives are important for understanding priorities, concerns and trends, the Federal government worker’s perspective provides a true measure of the effectiveness of Information Security awareness programs.

Federal government workers participated in an anonymous survey and were asked a series of questions regarding Information Security and training. The survey was conducted in September 2007.  

About SecureInfo
SecureInfo Corporation is a market-proven provider of Information Assurance (IA) solutions, enabling Federal organizations to understand, document and mitigate information security risk; assure information systems are secure; reduce security costs and achieve and demonstrate compliance with NIST, DIACAP and FISMA requirements. Since the company’s inception, SecureInfo has specialized in delivering unmatched customer service, deep domain expertise and proven IA solutions. Named as the “US Air Force Information Assurance Organization of the Year” and a “Lockheed Martin STAR Supplier,” among many other awards and recognitions, SecureInfo has a reputation for quality, commitment and results. Customers include U.S. Air Force, U.S. Army, the Department of Homeland Security, U.S. Treasury and NASA, among many others. Further information can be found at www.secureinfo.com.

###

SecureInfo is a registered trademark and SecureInfo RMS and SecureInfo RMS XD are trademarks of SecureInfo Corporation. All other products and brand names are trademarks or registered trademarks of their respective owners.