When learning about information security, we become broadly aware of general risks to information and of basic controls through a gradual and widespread educational process, sometimes supplemented with more intensive training in specific areas (such as how to respond to security warnings, and how to recognize and handle privacy issues). This kind of security awareness training is certainly useful for us personally, but why is it important for the companies we work for?
The importance of the human element in information security
Information is an extremely valuable, yet vulnerable, business asset. Securing information (that is, ensuring its confidentiality, integrity, and availability) is therefore critically important, just as we need to secure other business assets such as buildings, plants, and machinery.
Despite investments in security technologies, such as antivirus software, significant information risks remain due to the reliance on employees’ always “doing the right thing and doing things right.” Inattention and ignorance are human vulnerabilities that can be reduced but not eliminated through technology.
Some employees, and outsiders in general, may not have the organization’s best interests at heart. Year by year, deliberate threats to information are increasing. Furthermore, most organizations today are utterly dependent on information, particularly computer data, IT systems and networks, and intellectual property. The consequences of information security incidents can therefore be devastating, in terms of business interruption, additional costs, and reputational damage.
In short, facing substantial and growing information risks, we ignore the human element of information security at our peril.
The business benefits
Security awareness and especially training are not (always) free though, so how do we justify the expense? Let’s examine the business benefits in five groups.
1) Reducing resistance to information security
Given sufficient awareness and/or training, employees make better, more effective, and more efficient use of security controls. For (Read more...)
*** This is a Security Bloggers Network syndicated blog from The ISO 27001 & ISO 22301 Blog – 27001Academy authored by The ISO 27001 & ISO 22301 Blog – 27001Academy. Read the original post at: https://advisera.com/27001academy/blog/2019/03/27/what-are-the-benefits-of-security-awareness-training-for-organizations/