Press Release

Are Employees Really to Blame?
A New Look at Who is at Fault For Breaches of Personal Information


More than 244 million private records have been lost by companies and government agencies since 2005 with almost all of these losses being blamed on employees' risky behavior. However, before assigning blame, organizations might want to take a look in the mirror, according to a new, first-of-its-kind study by the Information Risk Executive Council (IREC), a program of the Corporate Executive Board (NASDAQ: EXBD).

"The irony here is that employees actually want to do the right thing, they just need a little help," says Jeremy Bergsman, Ph.D., the lead author of the study. "Our study shows that most companies either don't do much to educate employees about information security, or the training is not based on what actually works to help employees do the right thing."

This study shows that more than a third of risky employee behavior is caused by security guidelines and procedures that are too hard to follow according to the 57,000 employees from 60 global corporations included in the survey. Moreover, 46% of risky behavior can be addressed with proper training and incentives - something companies rarely do effectively, wasting millions of dollars in training costs.

The research identifies three key insights to consider when designing information security "awareness" efforts. First, do not focus on scare tactics or technical explanations, but instead provide clear instructions about what employees should do in a way that is relevant to employees' actual jobs. Second, incentives--as simple as token gifts or a word from a manager--are just as effective as more costly training efforts. Third, while security professionals tend to think first about punishments for misbehavior, rewards for good behavior are just as effective. Positive incentives allow companies to reach the majority of employees that tend to do the right thing, rather than waiting for something bad to happen before they can act.

IREC, the leading consultancy for Chief Information Security Officers and other senior Information Risk executives, took this research beyond measuring employee behavior related to security, to include the psychology behind those behaviors and what companies should do to change risky behavior. This unique focus and the large sample size make it the best information available to guide information security awareness efforts.

The survey used in the study is available on an ongoing basis to organizations that would like to assess their current awareness efforts and learn how best to create a culture of security. It is available in English, Spanish, French, and other languages.

Dr. Bergsman says, "Our work allows companies to take an understanding of employee psychology and turn it into a huge reduction in risky employee behavior -- often without increasing spending. In fact, in most cases spending on employee behavior gets you more bang for the buck than the technology solutions that IT people usually gravitate to."

About the Information Risk Executive Council

IREC ( provides pragmatic and actionable best practices research, data, networking, executive education, benchmarking tools, and decision-support services to a global network of over 350 CISOs. Drawing on the power of the Corporate Executive Board's cross-functional network from around the executive suite, IREC focuses on topics that are most critical for senior information risk executives such as: risk management, policy development and communication, business engagement, governance and portfolio prioritization, security process management, security architecture design, and regulatory compliance.

About the Corporate Executive Board

The Corporate Executive Board (NASDAQ: EXBD) provides analysis and authoritative guidance to the world's most successful organizations. With a member network of over 80% of the Fortune 500, the Corporate Executive Board delivers indispensable resources for timely decision-making on all issues related to strategy, operations and general management. For more information, visit

Source: Corporate Executive Board