It’s an automated world. What are the implications for training the workforce for a secure Information Age? How can an employer educate information technology (IT) users?
This article isn’t about Web-based training, though that topic is worth 1,000 words. This is about an unmet challenge for nearly every CSO:  Has your information security training succeeded? Are you sure?
Today’s enterprise is overwhelmingly automated, and its assets are ensconced in servers and workstations. Most new employees are made trusted users, with access to invaluable information systems, networks and data, on their first day. Yet, few applicants are asked if they ever got in trouble for misusing computers.  Few include their virtual identities on applications in the list of aliases they use. Other than President Barak Obama, few employers ask candidates for executive positions about their social network postings and other Internet activities.
What President Obama gets that few CEOs and CSOs understand today is that almost all U.S. office workers are “wired” – Internet, cell phone and digital gadget users. About 80 percent of Americans of all ages use computers, with higher percentages for the younger, more affluent and better-educated. The Pew Foundation’s Internet & American Life Project has fascinating statistics. Around 30 percent of us are what I call “power users,” i.e. people who spend a substantial part of their lives online. 
Four years of research have proven that almost everyone in the workplace has information about them on the Internet. About 3-6 percent of U.S. workers have derogatory references on the Internet, the kind of information that would indicate illegal, illicit or socially unacceptable behavior. Put another way, they would be ineligible for a clearance, for hiring into most corporations or for collaboration with fellow workers. Examples include people who lied on their application for employment, omitting arrests, government sanctions and serious misbehavior, child molesters, those prone to violence in the workplace, men who have stalked and harassed women online, neo-Nazi thugs, movie and software pirates, embezzlers and a host of others. Some people (both government and privately employed) have been found boldly using their employers’ email addresses for objectionable personal activities on the public Internet.
The Internet is a venue for wonderful diversions, communications, e-commerce, hobbies, games, social activities and many others. It is also a host for child porn, spam, phishing, malicious codes, piracy, counterfeiting, sale of stolen property, frauds and more. Today’s Internet criminal is unlikely to have a police record, because chances are, no arrest has occurred. Their history can be found online, with a thorough, competent Internet vetting.
Surveys have shown that many businesses and government agencies rely on self-taught courses for their personnel in computer topics, including security. Today’s worker understands that digital assets are accessible – to read, copy, print, burn to disk/thumb drive and to take, without ever disturbing the original. Keeping people honest with enterprise data is very difficult when the average worker is not held to strong standards of online behavior, nor taught to consider all company data proprietary.
Companies and agencies are beginning to address this issue. However, in the government, agencies continue to get abysmal marks in assessments of their IT security.  Businesses are mostly successful in keeping IT security breaches private, except where the law requires notification of people whose identities were stolen. Efforts are focused on stronger firewalls, better antivirus and digital rights management, as well as blocking some Internet sites. It seems that the solutions to IT security issues are considered largely technical.
The fundamental educational piece seems to be missing from information security: people’s misbehavior online is simply ignored until it boils over. Enterprises do not scan the Intranet for authorized users’ misdeeds, just as law enforcement is largely absent from the wild west of the Internet unless a major complaint is made. Few employers use pop-ups to remind users of their limits and responsibilities, when they overstep their bounds.
In this context, social norms that changed with the growth of the Internet are often left unaddressed in the workplace. Among these are the ownership of digital property, Netiquette, discretion in social network postings available to the world, confidentiality of work information and Internet “privacy.” The most active Web users are apt to engage in fantasy, long, daily, personal sessions online, continuously updating instant messages to friends and mixing business with pleasure both on work and home computers. Virtually overlooked are the mores of New Millennium employees that are antithetical to their employers.
To improve education, training and awareness of information security norms, the front office must consider changing their personnel and IT security programs. To succeed, employers must teach users that Internet recreation is not allowed on enterprise systems. Prior misbehavior on both personal and work computers is a matter of grave concern, because of the value of IT systems and data. Future misbehavior will be sought out, found, and punished. Those with a prior record of online misdeeds may not be eligible for employment, and the Internet will be searched to verify their backgrounds.
IT systems and networks grow more complex by the minute. Business and government have adopted full-scale automation as vital to productivity and efficiency. Yet, their IT systems remain insecure at best, and fatally flawed when personnel misbehavior online is considered. It only takes one malicious or misguided wired user to do grave damage. In building stronger critical infrastructures, enterprises must remember the most critical part of themselves: their people. Educating the user, to ensure that each one understands the importance of information systems in today’s workplace, is fundamental to security.