For example, employees sometimes fall for e-mail scams and open attachments that unleash malicious software such as key-stroke loggers that record passwords and rootkits that take control of operating systems. Devlin says the job of security managers is to teach self-defense. Rather than warn employees to watch out for the latest e-mail scam bearing a specific subject line, for example, the idea is to teach people broader lessons about the risks of clicking on unfamiliar URLs, opening attachments or handing over Social Security numbers to anyone online, he says.

"It's not possible with technology to protect every individual from every possible security risk," he says. "Our job is to teach people to think the way we think."

Like Brandeis, more organizations seem to be trying that. This year, 54 percent of survey respondents said they provide employees with security awareness training, up from 42 percent last year.

But there's plenty of work to do. Just 41 percent of those surveyed require employees to undergo training on the corporate privacy policy and practices, up incrementally from last year's 37 percent. Forty-three percent of organizations—slightly higher than last year—don't take the simple step of posting their privacy policies on their internal websites.

Furthermore, what's taught at many organizations provides only a veneer of security, namely, compliance with government or industry regulations.

Checklist Security

Regulations such as the Health Insurance Portability and Accountability Act for medical data, Sarbanes-Oxley for financial data and the Payment Card Industry standard for credit card data continue to move executives to action. The threats of fines and jail time tend to do that. For example, 44 percent of respondents say they test their organization for compliance with whatever laws and industry regulations apply, up from 40 percent last year; 43 percent say they monitor user compliance with security policy, a healthy increase from last year's 37 percent. Assessing internal risks to compliance is something 55 percent are doing, up from 49 percent.

But let's not pass around attaboys too quickly. Note that even with such positive steps, those numbers are far from 100 percent. Many organizations aren't doing much beyond checking off the items spelled out in regulations—and basic safeguards are being ignored, says Karen Worstell, a managing principal at the consulting firm W Risk Group, former chief information security officer at Microsoft, and former CISO and VP of IT risk management at AT&T.

Adhering to regulations and standards doesn't amount to thorough security policy, Worstell says, for many reasons. For one, organizations can sometimes pass compliance audits simply by writing up policies, without demonstrating how they adhere to them. Other times, the standard or regulation may have holes.