A Realistic Approach to Compliance Ensures More for Your Security Spend
Security Director’s Report (11/09) Vol. 2009, No. 11
Because employee negligence causes so many corporate security breaches, security researchers almost unanimously urge companies to spend more time training workers, and companies are beginning to take the message to heart: the 2008 figures on corporate spending for employee data security awareness training show it accounting for a larger share of the IT budget than before. Because observance of security policy is often not enforced, it is worth weighing a management strategy proposed by researchers at University College London and Hewlett-Packard Labs. They suggest framing organizational security goals in terms of a “compliance budget,” which gives a clearer view of how individuals weigh the costs and benefits of following organizational security measures. For instance, if a security policy requires that data stored on USB devices be encrypted, an employee will typically weigh the policy along four lines: the individual cost of compliance (time spent encrypting and decrypting data when copying it); the individual benefit of compliance (no risk of sanctions for failing to follow policy); the cost of compliance to the organization (the extra time spent transferring data cuts into productivity); and the benefit of compliance to the organization (no danger of a costly and embarrassing data leak from a lost drive). By understanding their workers’ current compliance budget, security executives can use it as a model for directing spending toward the areas most likely to change how employees weigh those costs and benefits.