SecureInfo Study Finds Information Security Awareness Training for Government Workers Falls Short

40% Believe Agencies View FISMA As “Compliance Headache.”

Washington, DC, May 29, 2007 – SecureInfo® Corporation, a market-proven provider of Information Assurance solutions, today released the company’s first Information Security Awareness Report™, providing an independent, cross-agency, quantitative analysis of the effectiveness of the Federal government’s Information Security awareness training programs. By focusing exclusively on the Federal government worker’s perspective, the SecureInfo Information Security Awareness Report provides a unique and often overlooked view into the effectiveness of Information Security awareness training.

According to the Privacy Rights Clearinghouse, 82% of all public sector security breaches in 2006 were attributed to inadvertent acts (e.g., posting personal information on public web sites, lost laptops, throwing sensitive data in the trash), underscoring the need to look more closely at information security awareness.

FISMA’s Mission and Purpose Misunderstood
The Federal government enacted the Federal Information Security Management Act (FISMA) of 2002 and published standards to ensure government workers are aware of and trained on pertinent security regulations, policies, and procedures. However, SecureInfo’s Information Security Awareness Report found that there is a significant disconnect between attending awareness training and the actual effectiveness of that training.

Only 45% of those familiar with FISMA view it as an effective means of improving security posture. Moreover, 40% of Federal government workers believe their agency views FISMA as a compliance headache, disconnected from its true purpose of improving security posture. FISMA states that agency-wide Information Security programs are required and shall include “security awareness training.” According to the 2006 FISMA Report to Congress, 91% of Federal government workers participated in IT security awareness training in 2006, and the total cost of providing IT Security training in the Federal government was more than $74 million.

“FISMA must be viewed as a means to securing information systems rather than a compliance headache in order for government workers to embrace and internalize information security awareness training,” said Christopher Fountain, CEO of SecureInfo. “As articulated by NIST, awareness is the foundational element and critical building block for protecting our nation’s information assets. However, implementing awareness training is not enough. Awareness programs must be continually measured and tested for effectiveness.”

Making Information Security Work
The Report outlines specific recommendations for measuring the effectiveness of Information Security Awareness training programs.

  • Independently test and validate
    • Establish an ongoing program to challenge and test awareness training
    • Include random evaluation of employees to determine their retention level of policies and procedures
  • Measure and report the effectiveness of awareness training programs
    • The FISMA Report to Congress should include metrics that provide a clear indication of the effectiveness of training programs
  • Include Information Security awareness measurements in performance appraisals
    • Government workers should be held accountable and measured
    • Insert specific language regarding Information Security awareness into all performance appraisals

For detailed analysis of the findings and recommendations, please download the complete “SecureInfo Information Security Awareness Report” at www.secureinfo.com/downloads.

About the SecureInfo Information Security Awareness Report
Numerous Information Security surveys and reports have been published focusing on the CISO’s or CIO’s viewpoint. While these perspectives are important for understanding priorities, concerns, and trends, the Federal government worker’s perspective provides a true measure of the effectiveness of Information Security awareness training programs.

Federal government workers participated in an anonymous survey and were asked a series of questions regarding Information Security and FISMA. The survey was conducted in March 2007 after the FISMA Report to Congress on the Implementation of FISMA was published (March 1, 2007) and prior to the publication of the FISMA Report Card (April 12, 2007).

About SecureInfo
SecureInfo Corporation is a market-proven provider of Information Assurance (IA) solutions, enabling Federal organizations to understand, document and mitigate information security risk; assure that information systems are secure; reduce security costs; and achieve and demonstrate compliance with NIST, DIACAP and FISMA requirements. Since the company’s inception, SecureInfo has specialized in delivering unmatched customer service, deep domain expertise and proven IA solutions. Named as the “US Air Force Information Assurance Organization of the Year” and a “Lockheed Martin STAR Supplier,” among many other awards and recognitions, SecureInfo has a reputation for quality, commitment and results. Customers include the U.S. Air Force, U.S. Army, the Department of Homeland Security, U.S. Treasury and NASA, among many others. Further information can be found at www.secureinfo.com.

###

SecureInfo is a registered trademark and SecureInfo RMS and SecureInfo RMS XD are trademarks of SecureInfo Corporation. All other products and brand names are trademarks or registered trademarks of their respective owners.