Information Security management: Security Awareness

February 24, 2008

Security Awareness

Although this section is our last for this chapter, it is not the least important. Security awareness is often an overlooked element of security management, because most of a security practitioner’s time is spent on controls, intrusion detection, risk assessment, and proactively or reactively administering security.

It should not be that way, however. People are often the weakest link in a security chain, because they are not trained or generally aware of what security is all about. Employees must understand how their actions, even seemingly insignificant actions, can greatly impact the overall security position of an organization.


Employees must be aware of the need to secure information and to protect the information assets of the enterprise. Operators need training in the skills required to perform their job functions securely, and security practitioners need training to implement and maintain the necessary security controls.

All employees need education in the basic concepts of security and its benefits to the organization. The benefits of the three pillars of a security awareness program (awareness, training, and education) show up as an improvement in the behavior and attitudes of personnel and, through that, as a significant improvement in the enterprise's security.

The purpose of computer security awareness, training, and education is to enhance security by:

  • Improving awareness of the need to protect system resources

  • Developing skills and knowledge so computer users can perform their jobs more securely

  • Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems

An effective computer security awareness and training program requires proper planning, implementation, maintenance, and periodic evaluation. In general, a computer security awareness and training program should encompass the following seven steps:

  1. Identify program scope, goals, and objectives.

  2. Identify training staff.

  3. Identify target audiences.

  4. Motivate management and employees.

  5. Administer the program.

  6. Maintain the program.

  7. Evaluate the program.

Making computer system users aware of their security responsibilities and teaching them correct practices helps users change their behavior. It also supports individual accountability, because without the knowledge of the necessary security measures and how to use them, users cannot be truly accountable for their actions.


Awareness

As opposed to training, security awareness refers to an organization’s personnel being generally, collectively aware of the importance of security and security controls. In addition to the benefits and objectives we previously mentioned, security awareness programs also have the following benefits:

  • They make a measurable reduction in the unauthorized actions attempted by personnel.

  • They significantly increase the effectiveness of the protection controls.

  • They help to avoid fraud, waste, and abuse of computing resources.

Personnel are considered “security aware” when they clearly understand the need for security, how security impacts viability and the bottom line, and the daily risks to computing resources.

It is important to hold periodic awareness sessions to orient new employees and to refresh existing ones. The material should always be direct, simple, and clear. It should be motivational, avoid techno-jargon, and be conveyed in a style the audience easily understands. It should show how the organization's security interests parallel the audience's own interests, and why the audience's behavior matters to the organization's security protections.

Here are a few ways that security awareness can be improved within an organization without a lot of expense or resource drain:

  • Live/interactive presentations - Lectures, videos, and computer-based training (CBT)

  • Publishing/distribution - Posters, company newsletters, bulletins, and the intranet

  • Incentives - Awards and recognition for security-related achievement

  • Reminders - Login banner messages and marketing paraphernalia such as mugs, pens, sticky notes, and mouse pads
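Of these, the login banner is also a technical control: it is shown before authentication, so it doubles as the monitoring notice that supports individual accountability. The following is an added example, not code from the original post, of deploying one on a Linux host running OpenSSH. The banner wording, the use of /etc/issue.net, and the helper names are assumptions; the demo at the end works on a constructed sshd_config in a temporary directory so nothing on the real host is modified.

```shell
#!/bin/sh
# Added example (not from the original post): deploy an SSH pre-authentication
# warning banner on a Linux host running OpenSSH. Paths and wording are assumed.

# Keep the banner short, jargon-free and free of system details (OS, version,
# hostname): it is shown to anyone who connects, before they authenticate.
BANNER_TEXT='AUTHORIZED USE ONLY. This system is monitored; activity may be logged
and disclosed. Disconnect now if you are not an authorized user.'

# Write the banner text to the file sshd will display.
write_banner() {
    # $1 = destination path (normally /etc/issue.net)
    printf '%s\n' "$BANNER_TEXT" > "$1"
}

# Succeed (exit 0) if the sshd_config at $1 has an active Banner directive that
# is not "none". OpenSSH honours the first occurrence of a keyword, and lines
# starting with '#' are comments, so the common default "#Banner none" counts
# as disabled.
banner_enabled() {
    awk 'tolower($1) == "banner" { found = (tolower($2) != "none"); exit }
         END { exit (found ? 0 : 1) }' "$1"
}

# Make sure the sshd_config at $1 points Banner at the file $2. Every active
# Banner line (for example "Banner none") is removed and a single one appended,
# via a temp file so a failed write does not leave the config truncated.
ensure_banner() {
    if banner_enabled "$1"; then
        return 0
    fi
    awk 'tolower($1) != "banner"' "$1" > "$1.tmp" &&
        printf 'Banner %s\n' "$2" >> "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# Stand-alone demo on a constructed sshd_config in a temporary directory.
# On a real host the equivalent steps would be:
#   write_banner /etc/issue.net
#   ensure_banner /etc/ssh/sshd_config /etc/issue.net
#   sshd -t && systemctl reload sshd
demo_dir=$(mktemp -d)
printf '#Banner none\nPermitRootLogin no\n' > "$demo_dir/sshd_config"
write_banner "$demo_dir/issue.net"
if banner_enabled "$demo_dir/sshd_config"; then
    echo "before: banner enabled"
else
    echo "before: banner disabled"
fi
ensure_banner "$demo_dir/sshd_config" "$demo_dir/issue.net"
if banner_enabled "$demo_dir/sshd_config"; then
    echo "after: $(grep -i '^banner' "$demo_dir/sshd_config")"
fi
rm -rf "$demo_dir"
```

Two practical notes: validate with `sshd -t` before reloading, because a bad directive stops sshd from restarting; and keep the banner a warning only, since anything in it (hostname, OS, version) is handed to unauthenticated connections.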


One caveat here: It is possible to oversell security awareness and to inundate personnel with a constant barrage of reminders. This will most likely have the effect of turning off their attention. It is important to find the right balance of selling security awareness. An awareness program should be creative and frequently altered to stay fresh.

Training and Education

Training differs from awareness in that it uses specific classroom or one-on-one instruction. The following types of training are related to InfoSec:

  • Security-related job training for operators and specific users

  • Awareness training for specific departments or personnel groups with security-sensitive positions

  • Technical security training for IT support personnel and system administrators

  • Advanced InfoSec training for security practitioners and information systems auditors

  • Security training for senior managers, functional managers, and business unit managers

In-depth training and education for systems personnel, auditors, and security professionals are very important and are considered necessary for career development. In addition, specific product training for security software and hardware is vital to the protection of the enterprise.

A good starting point for defining a security training program is the set of policies, standards, guidelines, and procedures in use at the organization. A discussion of possible environmental or natural hazards, or of recent common security errors or incidents (without blaming anyone publicly), also works well. Motivating the students is always the prime directive of any training, and their understanding of security's impact on the bottom line is also vital. A common training technique is to create hypothetical security vulnerability scenarios and then to get the students' input on the possible solutions or outcomes.
