Eighty percent of European information security managers responding to a recent PricewaterhouseCoopers (PwC) survey view information security as a high priority. According to the study, most information security efforts in these organizations are driven by a need to assure customers that their sensitive data is protected from identity theft.
The PwC study, Information Security Awareness Initiatives: Current Practice and the Measurement of Success, analyzes how organizations and governments in the European Union are approaching information security awareness. More specifically, the report discusses the importance of information security efforts and the different techniques organizations are using to raise information security awareness and measure the effectiveness of information security initiatives. The study, which was commissioned by the European Network and Information Security Agency (ENISA), represents 67 government departments and private companies with headquarters in nine European countries.
Although different methods are used to measure the success of information security initiatives, the most widely used source of information on actual behavior is auditing--nearly 70 percent of respondents use policy breaches highlighted in internal or external audit reports to measure the effectiveness of information security activities. "Internal audit findings are a key source of information on the actual state of information security awareness," says Chris Potter, the PwC partner who led the study for ENISA. "Security-related points that internal auditors raise in their routine audits shed light on actual staff behaviors, which are often hard for management to measure by other means."
Respondents also recognize that while organizations are heavily dependent on technology, its use is exposing organizations to more information security threats. "People are often the weakest link when it comes to security," Potter explains. "Most businesses invest in programs to raise staff awareness of security issues, but many of these are haphazard or immature."
Key topics raised during initiatives to build staff awareness of information security include e-mail, physical access points, passwords, and the Internet, the study reports. Furthermore, almost every organization in the study has a defined security policy, either in its staff handbook or as a separate written policy that is communicated to employees as a means of increasing awareness, and 85 percent have an intranet site that provides guidance on information security matters. Finally, 72 percent of organizations say training is the most effective technique to change staff behavior and increase information security awareness.
"As technology becomes more complex and interconnected, the impact of security threats on a company can be severe," Potter says. "As a result, the majority of senior management now treat security as a high priority, and most internal audit plans include security as an important risk to address."
For a copy of the information security awareness report, visit the PwC Web site, www.pwc.com.
ILLUSTRATIONS BY TIMOTHY COOK