by Daniel J. Solove
According to a recent report by Enterprise Management Associates, 56% of employees are not receiving any sort of data security awareness training.
This is a rather distressing statistic. It is particularly distressing because according to another study, “when specific employee behaviors are addressed in a meaningful way to bring about a security-aware culture, the incidence and cost of non-compliance plummets.”
Quantifying the ROI
Coming up with a quantifiable return on investment (ROI) for training is challenging because the treats are constantly changing, so it is tough to measure from one year to the next.
No matter how good a training program might be, there are always people who won’t learn. The risk of incidents from the workforce can only be reduced to zero when the workforce is reduced to zero.
And it isn’t just the existence of training that matters, but the quality of that training. A lot of existing training isn’t very effective. Merely telling people to do something doesn’t mean that they will do it.
What’s the ROI of Training?
So why does good training have a positive ROI?
1. Training Is Key to Creating a Culture of Compliance
Training helps to create a culture of compliance. This culture isn’t built instantaneously, but over years of repeated training. Training emphasizes that protecting data security matters. Employees are more likely to care if the organization cares. A large component of training isn’t just educating, but motivating. People don’t do what they’re supposed to do because they fail to appreciate why it matters.
2. All It Takes Is One
All it takes is one person to create an incident, and so if training can reduce the number of people who might cause an incident, then it is doing good work. Training can’t reduce incidents to zero, but if each employee poses a risk, then the more employees that training helps educate, the better.
3. It’s the Law
Training is increasingly a requirement in laws, regulations, and industry codes and standards (such as PCI). When a regulator comes knocking after an incident, that regulator is going to be looking for any weaknesses and problems, and inadequate training is often low hanging fruit for a regulator to target. Suppose an employee does something really bad and causes an incident.
If the training isn’t adequate, the narrative regulators establish won’t be: The incident isn’t the organization’s fault because an employee went rogue.
Rather, the narrative will be: The incident is the fault of the organization for failing to train its employees.
4.Training Is Cheap Compared to the Cost of the Risks
Training is cheap preventative medicine compared to the expense an incident. An incident can be extremely costly. One incident can cost millions of dollars and cause severe reputational damage. It can tie up a tremendous amount of time. Training is a preventative measure that is not expensive when compared to the costs of the risks it is addressing. And training is good for the organization’s reputation.
In short, I cannot think of any cases where organizations suffered because they had data security training. But I can think of many cases where organizations suffered because they lacked it.
As one influential dissertation has concluded, studies have demonstrated that “gaining senior management support and ensuring a security-trained workforce are arguably the two most critical issues to obtain effectiveness in organizational information security.”
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is an “LinkedIn Influencer.” His blog has more than 800,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter