Employee Responsibilities in Information Security

Two Women Looking at Laptop

When most people talk about developing an information security program, they are referring to the administrative, physical or technical controls used to protect information. While no information security program can be effective without them, there is one key element that is often underestimated: the employee element. The reality is that employees are responsible for designing, implementing and following all controls put in place to protect sensitive information. One misstep by an employee can spell disaster in terms of information security. And it often does. 

The good news is that by providing effective information security training to end users, we can solve many security issues. According to the Verizon Data Breach Investigation Report, nearly 1 in 3 successful cyberattacks has a social engineering component. Social engineering is nothing more than a hacker psychologically attacking a human rather than a computer. They use their knowledge of human behavior to con a user into giving them information over the phone, online or in person. If organizations can prevent social engineering attacks, they can reduce the number of successful cyberattacks. 

Targeted Cyber Attacks Against Employees 

Raise your hand if you took an information security awareness course for work this year. If that course explicitly trained you to spot and respond to specific social engineering attacks that would be targeted to you, keep your hand up. There likely aren’t many hands still in the air. 

Traditional information security training is failing. 

Attacks are becoming more targeted to companies and individuals. They are coming from groups that have done research into organizations’ people and practices. They have a specific target objective and have been designed specifically for this purpose. 

A Small Number of Security Incidents Can Make a Large Impact 

The Verizon data breach investigation reports that 23 percent of users open phishing emails and more than one in 10 click on links in these emails. This may seem like a small number, but let me put this a different way. One of every 10 users in your company will take a single action that will allow a hacker to compromise your security when presented with the opportunity. In a company of 500 people, a hacker will have 50 or more people who will provide credentials or open a machine to compromise by clicking on a link in an email. Does this paint a different picture? 

Information security training must be more than just a review of regulatory guidelines, company policies and good password selection. It should show users examples of the types of attacks they are facing right now. It must transcend computer use in the office and needs to show how our digital life is connected to both work and personal computer use. How can we expect people to combat digital con artists when they don’t even know how to spot them? Security awareness training is a cost-effective method for fighting back against the onslaught of attacks against your organization. Hackers attacking your organization typically target employees. They know it’s easier to fool a human than to break into a server. 

Enlist Employees and Frontline Defenders 

Successful organizations show employees that they are part of the solution, not part of the problem. Organizations that invest in information security awareness and training activities see strong returns, as fewer employees fall prey to cyber threats and tactics such as social engineering. Well-trained employees take pride in reporting suspected attempts to compromise the organization’s critical assets. Use the following steps as an outline for developing your employee information security training program: 


Writing a specific vision for your security culture will define the training plan to follow. 


Take time to make realistic plans for the resources your company will commit to building a security culture. 

Learning Styles 

Your training program should be flexible enough to reach the wide variety of people in your organization. 


Creating SMART goals for your security program will help track progress and build morale as employees see your security culture maturing. 

Leadership Involvement 

Executives and managers should plan specific ways they can demonstrate their personal buy-in on the information security training plan. 

Persistence and Timeliness 

Your training program should be flexible enough to reach the wide variety of people in your organization. 

Security programs must constantly evolve to handle new threats. 

Feedback and Incentives 

Security programs thrive with the right balance among coaching, rewarding and enforcing the rules. 

Changing your mindset—and building it into your cybersecurity training—provides a solid cornerstone for building a successful awareness and training program that your team will embrace. 

Use our Employee Security Awareness Training Planner to help your organization start developing an effective security awareness and training program today. 

author avatar
Carly Westpfahl