T 2.102 Insufficient awareness of IT security
The awareness-raising activities for issues relating to information security must be oriented towards the business processes and the IT environment of the respective organisation in order to address the right areas. Under certain circumstances, it may be necessary to touch on a number of subject areas for this purpose. The training activities therefore need to be planned and organised carefully. Experience has shown that it is not enough just to require that certain awareness-raising measures be implemented. The following pitfalls often make it more difficult to raise and maintain awareness:
- There is a lack of support from management at various levels, which can then lead to the following:
  - Employees are not released from various departments for training in IT security.
  - Participation is not taken seriously by the employees or their superiors, because the superiors do not communicate the importance of IT security for the organisation's success or even regard IT security as being unimportant.
- The awareness-raising measures are poorly planned.
- The goal of the awareness-raising programme is not defined clearly or not defined at all.
- Success is not monitored. If there are no reports of success or general feedback on the awareness-raising activities, then management will quickly withdraw their support for such projects or assign such projects lower priority.
- Campaigns and training programmes for information security are only held sporadically. If they have no relationship to the other security safeguards, then they can do more harm than good under some circumstances. For example, employees could become confused or lose motivation in this case.
- Not enough financial or personnel resources are provided to conduct campaigns on information security. In many cases, expensive security components are purchased or highly complex and expensive security designs are created without training the users in their application and implementation. This can make even the best-designed security solutions completely pointless.