While most efforts at training on information security focus on what not to do, the IBM report examines how to encourage employees to take positive actions to improve collective security.
For example, research shows that individuals who believe they will be gone for less than 10 minutes will purposefully not lock their systems, because they perceive that as not enough time for potential security threats to occur, the report notes.
Organizations should let their employees know that workstations should always be locked when they leave the workspace, regardless of estimated time of absence from the workstation. And an automatic logout feature should assist in limiting unauthorized access by individuals, according to the IBM report.
In addition, organizations should communicate to employees that software updates must be applied as soon as possible on workstations. It should also be emphasized that employees should only apply updates if the appropriate personnel within the agency have instructed them to do so, because hackers are now utilizing software update notifications as a way to infiltrate private organizational systems.
To ensure that employees receive the proper information security training, the report recommends that organizations design training programs so that employees are informed about the security dangers both inside and outside of the organization. Training should communicate to frontline employees that the suggested response to security threats is effective and that they themselves will be effective if they carry out the suggested response.
The IBM report concludes that information security training programs should encourage employees to expand their view on security issues by exploring the consequences of, and the actions to take in response to, events that could happen.