A Cisco-commissioned study found that employees at businesses in 10 countries around the world are often unaware of their companies’ security policies, or the employees ignore the policies because they hinder productivity. When surveyed about whether their companies had security policies, there was a 20 to 30 percent gap between responses from IT professionals and other employees. When asked why security policies are violated, IT professionals pointed to ignorance, while other employees said it was because the policies made it more difficult for them to do their jobs. The study surveyed more than 2,000 employees and IT professionals at companies in the US, the UK, France, Germany, Italy, Japan, China, India, Australia and Brazil.
Unfortunately, I have seen the same thing in every organization I have ever worked in. Another unfortunate fact is that no real solution exists to this problem. Most organizations will do a security awareness program that consists of InfoSec trying to convey the importance of this information without putting everyone to sleep, and the standard “signing of the security policy every year”.
Neither of these works, but they are better than nothing.
Does anyone else have any unique or effective methods they have used?