Workplace Ethics: Information Security Threat Prevention

In the Information Technology (IT) Department every issue is depicted on its priority and it is weighted from one being the highest to three being the lowest. The misunderstanding of importance of priority is when users believed whatever problem that they have is always a priority one. Sadly, most problems that they feel is dire are computer literacy issues and malware. Most malware are contracted through poor ethical behavior and lack of security awareness. Companies must incorporate both computer literacy training and security awareness to minimize cyber threats. This would educate employees through increasing awareness for security and reduce unethical behavior.

Problem Statement

Company employees that are well educated and trained on current information security issues and policies will be more effective in preventing security incidents in a workplace. According to Corporate Technology Group (2008) one of the greatest threats to information security could actually come from within your company or organization. End users are said to be “the weakest link” in information systems (IS) security management in the workplace. They often knowingly engage in certain insecure uses of IS and violate security policies without malicious intentions (Guo, Yuan, Archer, & Connelly, (2011). This source gives my research creditability on the issue because it describes how end-users are the link in malicious behaviors with any knowledge of how they violate security policies. If training was implemented on security and polices these threats could have been prevented.

Workplace Age Groups and Technical Literacy

Older users are stuck in the past comparing what they use to do to current situations. Advances in technology outpaced Generation X resulting in a lack of basic understanding of functionality.  Most Generation X lack technical literacy which I personally feel is the most dangerous threat today.. In the workplace it has been a battle between Millennial which ages 18-35 and Generations X which ages 35-50.  I discover through my research that the current population of employed older adults has been forced to become familiar with new technology, particularly the computer, during their working years, as opposed to the younger generation who became familiar with computers before or at the beginning of their working years (Breakwell & Fife-Schaw, 1988). According to (Baldi, R)  The number of computer-illiterate older adults in the workplace in expected to increase as the number in that age group grows, creating a need for computer training. Negative stereotypes of the incompetent older adult have not been supported by research. Older adults' attitudes toward the computer do improve with positive experiences with the computer. Also, training studies show that older adults can learn how to use the computer, but need approximately twice as long to complete training as young adults. Given the proper training it can bridge the gap on computer literacy and give Information System technicians a break from human error threats. This pertain to my search because the focus is the users and correcting human error threats and you have to understand every user to know how to get the best results to train each employees . Plus it shows why training is important because of the technology literacy gap.

Advantages and Disadvantages of Training

So, what are the advantages and disadvantages of on the technical training?  The advantage of onsite training is that the employee within their own working environment can gain more confidence and the trainer can give a comfortable one-on one environment. This leads the employee to give feedback, ask questions, and tell them where they may need improvement. Furthermore off-site training can also give an employee the same comfortable feel and they might enjoy traveling. Below is some Research discovery of advantages and Disadvantages of training.

Advantages

A major advantage for organizations is that they can ensure that all trainees receive the same training regardless of where they are situated. This allows an organization to deliver standardized and consistent training to a large number of employees across the organization and even worldwide. Another advantage is that a large number of employees can be trained within a short period of time. This is because there is no limit to the number of employees who can be trained, as there are no constrictions on such things as instructors or classroom space. (Saks, A, & Haccoun R, 2011)

Computer-based training also makes it possible to track employee’s performance on learning exercises and tests. This is important when a company is dealing with training programs that are mandatory and completion, certification, or attaining a certain level of performance is legally mandated. This allows an employer to be able to provide proof of training should it be required at a later date. (Saks, A, & Haccoun R, 2011)

The greatest advantage to an organization is the reduction in the cost of training. Eliminating travel costs, training facilities, hotel rooms, meals, and travel times save companies money. In addition, the high overhead costs of traditional training make computer-based training especially advantageous to companies with national or international employees. (Saks, A, & Haccoun R, 2011)

Disadvantages

Some disadvantages for a company include selecting a skilled technical training company. Time must be allocated to research the most qualifying training company to properly educate employees. Onsite training can feel rushed; trainee has grasped a particular skill or concept and/or doesn’t allow sufficient time for feedback, and Cramming too much information into too short a period of time is one of the biggest mistakes a trainer can make. Also how a company decides to train their employee can differ from company to company. Depending upon the size of the company and the various skills and knowledge needed to carry out particular jobs. Many companies will use a combination of strategies to enable them to have a workforce which has the necessary job training to carry out the full range of job functions which the company requires. 

     One disadvantage could be that some employees will be uncomfortable with computers and might resist the training. This could be especially likely for older workers who have less experience using computers. Another problem that could arise is if the employee does not have access to a computer, making it difficult to engage in computer-based training. (Saks, A, & Haccoun R, 2011)

  The major disadvantage to organizations is the cost of development, especially for sophisticated multimedia programs. Although the cost to design and develop computer-based training is considerably higher than traditional classroom training, once a program has been developed there is the potential for considerable cost savings given the elimination of variable costs such as travel, lodging, meals, materials and instructor’s salaries. The point of cost saving especially comes into play when there are a large number of employees to be trained and they are geographically dispersed. (Saks, A, & Haccoun R, 2011)

        This pertains with my research because advantages of training overcome the disadvantages, from my sources this is an on-going concern in any workplace Computer literacy and security awareness is a benefiting factor no matter the cost. Information security training has the ability to protect clients and contractual obligations and protects the company reputation

Causes of Information Security Breaches

Statistics show that 80 percent of identified information security breaches are caused by human error. This is due to lack of information assurance knowledge and proper training, as well as the failure to follow security procedures. The Computer Security Institute and the FBI recently reported that an insider attack against a large company could cause an average loss of $2.7 million in damages. In fact, earlier this year the My Doom virus, which was noted as the fastest spreading Internet virus to date, caused $22.6 billion in damages in its first 72 hours. (Tucker, 2004) According to Galea, (2015) when addressing cyber security threats, human error is a factor that is often overlooked. However, according to the 2014 IBM Cyber Security Intelligence Index, over 95% of all incidents investigated involved human error. Although human error can never be eliminated entirely, incidents can be reduced by establishing clear cyber security guidelines and providing regular employee trainings.  According to Mackenzie, (2006) deploying a powerful firewall or maintaining up-to-date software patches on thousands of desktop machines is easy compared with raising employees' awareness of their own risky behavior. According to Brodie, C. (2009) organizations are starting to realize there really is a need for security awareness training.

Unethical Behaviors

Information technology professionals face increasing security concerns such as external threats to organizations or internal espionage. However, unethical behavior by the information technology personnel within an institution can potentially be a more formidable threat than a curious or nosy hacker who has no ties to the company or hard access to its computer network. (Page, D)

According to a study conducted by McAfee in 2005, the following statistics revealed a rather startling necessity:

• “One in five workers (21%) let family and friends use company laptops and PCs to access the Internet”(Schneier, 2005).
• “More than half (51%) connect their own devices or gadgets to their work PC... a quarter of who do so every day”(Schneier, 2005).
• “One in ten confessed to downloading content at work they should not” (Schneier, 2005).
• “Two thirds (62%) admitted they have a very limited knowledge of IT Security” (Schneier, 2005).
• “More than half (51%) had no idea how to update the anti-virus protection on their company PC” (Schneier, 2005).
• “Five percent say they have accessed areas of their IT system they should not have” (Schneier, 2005).

According to  Kizza, (2014) without a strong security policy to which every employee must conform, the organization may suffer a loss of data and employee productivity all because employees spend time fixing holes, repairing vulnerabilities, and recovering lost or compromised data, among other things. Dilemmas are usually caused by advances in technology Kizza, (2014).

 These sources prove that companies are aware of the problem. Implementing security awareness training is a viable factor within the workplace. Security awareness training can teach would end-users about threats and inform them on their unethical behavior.

In conclusion, many companies should start Information Security training for users to better educate them on the dangers of cyber-threats. Training can stop unethical behavioral and establish a standard of “Due Care” to increase awareness for security. Reduce using the word and more than once. Maybe: Information security training has the ability to protect clients, contractual obligations, and protects the company’s reputation. According to Galea, (2015) when addressing cyber security threats, human error is a factor that is often overlooked. However, according to the 2014 IBM Cyber Security Intelligence Index, over 95% of all incidents investigated involved human error. Although human error can never be eliminated entirely, incidents can be reduced by establishing clear cyber security guidelines and providing regular employee trainings. According to Mackenzie, (2006) deploying a powerful firewall or maintaining up-to-date software patches on thousands of desktop machines is easy compared with raising employees' awareness of their own risky behavior.

References

Brodie, C. (2009). The Importance of Security Awareness Training. Retrieved September 26, 2015, from https://www.sans.org/reading-room/whitepapers/awareness/importance-security-awareness-training-33013

Computer Ethics. (2013). In D. Downing, Barron's business guides: Dictionary of computer and internet terms. Hauppauge, NY: Barron's Educational Series. Retrieved from http://library.capella.edu/login?url=http://search.credoreference.com.library.capella.edu/content/entry/barronscai/computer_ethics/0

Corporate Technology Group (2008). The threat within: is your company safe from itself? Retrieved September 22, 2008, from Corporate Technology Group Web site: http://www.ctgyourit.com/newsletter.php

Galea, D. (2015). 10 Things to Include in Your Employee Cyber Security Policy [Article]. Retrieved from https://www.opswat.com/blog/10-things-include-your-employee-cybersecurity-policy.

Guo, K. H., Yuan, Y., Archer, N. P., & Connelly, C. E. (2011). Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model. Journal Of Management Information Systems, 28(2), 203-236.

Kemp, T. (2005, December 5). Security‘s shaky state. Tech Portal. Retrieved from http://informationweek.com/

Kizza, J. M. (2014). Computer Network Security and Cyber Ethics (4th Edition). Jefferson, NC, USA: McFarland & Company, Incorporated Publishers. Retrieved from

 Meso, P., Ding, Y., & Xu, S. (2013). Applying protection motivation theory to information security training for college students. Journal of Information Privacy & Security, 9(1), 47-67. Retrieved from http://search.proquest.com.library.capella.edu/docview/1350244208?accountid=27965

MORRIS, M. G., & VENKATESH, V. (2000). Age differences in technology adoption decisions: Implications for a changing work force. Personnel Psychology, 53(2), 375-403. doi:10.1111/j.1744-6570.2000.tb00206.x

References

Page, D. (n.d.). What Negative Impact Does Unethical Behavior Have in Information Technology? | Chron.com. Retrieved from http://smallbusiness.chron.com/negative-impact-unethical-behavior-information-technology-34387.html

Saks, A. M., & Haccoun R. R. (2011). Managing Performance Through Training and

            Development: Fifth Edition. Nelson Education Press.

Schneier, B (2005). Insider threat statistics. Retrieved September 23, 2008, from Schneier on Security Web site: http://www.schneier.com/blog/archives/2005/12/insider_threat.html.

Tucker, M. (2004,September 28). Press releases. Retrieved from Knowledge Limitless: http://www.newhorizons.com/content/pressReleases.aspx?id=355&sub=3&did=1 25&more=1

VALLADARES, C. (2013). The Role of Security in Creating a Standard of Due Care | The State of Security. Retrieved September 24, 2015.