After large-scale incidents of lost information in the federal and private sectors, the Department of Defense (DOD) is still not serious about safeguarding Personally Identifiable Information (PII). Major incidents are not the only threat; small-scale events also have widespread effects. There were "over 100 incidents involving the loss of PII, impacting over 200,000" Navy personnel in the 18 months before July 2007 according to ALNAV 057/07.
For at least the past two years, every uniformed, civilian, and contract member of the Department of the Navy has been required to complete training on protecting PII. This has included a series of presentations: Privacy 100, 101, 102, and 103. The new fiscal year likely signals another round of this so-called training. These "courses" are simple PowerPoint presentations that allow learners to click through the slides until reaching the end, signaled by a course certificate with blanks to fill in one's name and completion date.
Computer security instruction is not much better. DOD Information Assurance Awareness training, a separate annual requirement for all personnel, also misses the mark. In this product, information is presented in a lectured e-learning format with scenario-based questions on various topics. The training is problematic because it also allows clicking through the lecture, and worse, clicking through dialogue boxes, which explain incorrect responses to assessment questions. Also, there is no retesting of missed topics. In fact, an e-learner can advance through the entire curriculum, miss every question, ignore every explanation, and still successfully complete the training.
There's plenty to be said for personal integrity in training completion, but protecting PII and information systems is too important to rely on trust alone. We place numerous training requirements on our personnel and expect them to fit them into already busy schedules. Expecting them to take this training seriously, when the format demonstrates that leadership doesn't, might be a little too much to ask. Not too long ago the Navy ended facilitated General Military Training (GMT) and moved to electronic training. Granted, GMT had become known by a less desirable name (General Misuse of Time, sound familiar?), but at least we knew the lecture was given, even if we couldn't guarantee the message was received. Current e-training for privacy and computer security, and likely other topics, is no better.
E-training delivers organization-wide training quickly, but it must do so effectively. Simple presentations with little learner interaction, uncontrolled step-through progression, and no formative assessments to certify comprehension are just not enough. This is not to say that the Navy is not meeting requirements, because it is. The DOD Privacy Program (DoD 5400.11-R) directs the military departments to provide training on protecting PII; there is no requirement for testing the applicable knowledge factors.
The lack of rigor in current training gives the impression that DOD is more concerned with protecting itself if something goes wrong than with averting a loss of PII. In this case, the annual requirement, albeit ineffective, protects the department against lawsuits from victims of identity theft resulting from DOD's loss of their information. The blame for a compromise is easily shifted to the responsible employee who completed the training.
Losses of PII are "costly, time consuming, and interfere with the mission" (ALNAV 057/07), so why haven't we developed serious training to avert them? The solution is simple: use current materials in the development of e-learning courses that require demonstrated knowledge of the material. This will force personnel to already know or learn the material.
This is not a revolutionary solution, but it is important. As currently designed, annual training is no more than a hope that something will eventually sink in. If it were effective, it wouldn't need to be completed annually. Passing current courses off as training is absurd, and it raises the question: how much money was spent developing them? Pretending these requirements are serious steps toward protecting PII and our vital computer systems is inexcusable.
Only through effective training development will the Defense and Navy Departments stop wasting training funds, prevent losses of PII, and secure our systems. It's time we get serious about these issues.