Security-Awareness Training

Management’s directives pertaining to security are captured in the security policy, and the standards, procedures, and guidelines are developed to support these directives. These directives will not be effective, however, if no one knows about them or how the company expects them to be implemented. For security to be successful and effective, everyone from senior management down to the rest of the staff must be fully aware of the importance of enterprise and information security. All employees should understand the underlying significance of security and the specific security-related requirements expected of them.

The controls and procedures of a security program should reflect the nature of the data being processed. A company that sells baseball cards would not need the level of structured controls and security procedures required of a company that develops heat-seeking missiles. These different types of companies would also have very different cultures. For a security-awareness program to be effective, these considerations must be understood. The program should be developed in a way that makes sense for that environment.

For an organization to achieve the desired results of its security program, it must communicate the what, how, and why of security to its employees. Security-awareness training should be comprehensive, tailored for specific groups, and organization-wide. The goal is that each employee understands the importance of security to the company as a whole and to each individual. Expected responsibilities and acceptable behaviors must be clarified, and the repercussions of noncompliance, which could range from a warning to dismissal, must be explained before they are invoked. This is best achieved through a formalized process of security-awareness training.

Because security spans many different aspects of an organization, it can be difficult to communicate the correct information to the right individuals. A formalized process for security-awareness training gives you a method for making sure security policies and procedures are presented to the right people in the organization. This way you can make sure everyone understands what a corporate security policy is, why having the security policy is important, and how it fits into the individual’s role in the organization. This approach also lets you address individuals who may feel they have no security responsibilities in their current work role. It is also an ideal time to impress upon them the need to comply with the security policies and to lay out what the penalties for noncompliance will be. Issues such as how the new policies and procedures will affect the organization, and what types of things employees should be looking for, can also be properly explained.

Like other training or planning, awareness training at the higher levels may be more general and deal with broader concepts and goals; as it moves down to specific jobs and tasks, it becomes more situation-specific, directly applying to particular positions within the company.

Different Types of Security-Awareness Training

A security-awareness program is typically created for at least three types of audiences: management, staff, and technical employees. Each type of awareness training must be geared toward the individual audience to ensure each group understands its particular responsibilities, liabilities, and expectations. If technical security training were given to senior management, their eyes would glaze over as soon as protocols and firewalls were mentioned. On the flip side, if legal ramifications, company liability issues pertaining to protecting data, and shareholders’ expectations were discussed with the IT group, they would quickly start a game of hangman or tic-tac-toe with their neighbor.

Members of management would benefit the most from a short, focused security-awareness orientation that discusses corporate assets and financial gains and losses pertaining to security. They need to know how stock prices can be negatively affected by compromises, understand possible threats and their outcomes, and know why security must be integrated into the environment the same way as other business processes. Because members of management must lead the rest of the company in support of security, they must gain the right mind-set about its importance.

Mid-management would benefit from a more detailed explanation of the policies, procedures, standards, and guidelines and how they map to the individual departments for which they are responsible. Middle managers should be taught why their support for their specific departments is critical and what their level of responsibility is for ensuring that employees practice safe computing activities. They should also be shown how the consequences of noncompliance by individuals who report to them can affect the company as a whole and how they, as managers, may have to answer for such indiscretions.

The technical departments must receive a different presentation that aligns more closely with their daily tasks. They should receive more in-depth training covering technical configurations, incident handling, and the indicators of different types of security compromises, so that compromises can be properly recognized.

Each group needs to know to whom it should report suspicious activity and how to handle these situations. Employees should not try to confront an attacker or investigate fraudulent activity on their own. Each employee should be told to report these issues to upper management, and upper management should then determine how the situation will be handled.

The presentation given to staff members must demonstrate why security is important to the company and to them individually. The better they understand how insecure activities can negatively affect them, the more willing they will be to participate in preventing such activities. This presentation should have many examples of acceptable and unacceptable activities. Examples of these activities can include questioning an unknown individual in a restricted portion of the facility, appropriate usage of Internet and e-mail, not removing company-owned material, and intellectual property issues. It is usually best to have each employee sign a document indicating they have heard and understand all the security topics discussed, and that they also understand the ramifications of noncompliance. This reinforces the policies’ importance to the employee and also provides evidence down the road if the employee claims they were never told of these expectations.

Security training should be periodic and ongoing. We learn mostly by repetition, so this training should take place at least once a year. The goal is to get individuals to understand not only how security works in their environment, but also why it is important. The main reason to perform security-awareness training is to modify employees’ behavior and attitude toward security.

Various methods should be employed to reinforce the concepts of security awareness. Login banners, employee handbooks, and even posters can be used to remind employees of their duties and of the need for good security practices. Refresher courses should be given annually to reemphasize the importance of the organization’s security policies and practices. This also provides an ideal opportunity to remind people of the policies, standards, baselines, and guidelines they should be adhering to, the procedure for incident reporting, and how they can be affected by malware, social engineering, and other hazards.

Evaluating the Program

Security-awareness training is a type of control, and just like any other control it should be monitored and evaluated for its effectiveness. There is no reason to spend money on something that is not working, and there is no reason not to improve something if it needs improvement. Therefore, after employees attend awareness training, a company may give them questionnaires and surveys to gauge their retention level and to get their feedback about the training, to evaluate the program’s effectiveness. Unfortunately, some people will be resistant and negative because they feel as though they are being forced to do something they do not want to do, or are being talked down to. Just expect this attitude here and there and use your wonderful wit, charm, and communication skills with them.

A good indication of the program’s effectiveness can be captured by comparing the number of security incident reports made before and after the training. If reports increased after the training, this means people were listening and followed through on the information provided to them. Keep in mind that this count measures reporting, not the number of incidents that actually occurred: more reports after training usually reflects better recognition and a greater willingness to report, not a less secure environment. The comparison is only meaningful when the before and after periods are of similar length, the same reporting channel is used, and the reports are still triaged to separate confirmed incidents from false alarms.

Note

For online training, capture individuals’ names and what training modules have or have not been completed within a specific time period. This can then be integrated into their job performance documentation.
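The two measurements described above (completion tracking for the online modules, and the before/after comparison of incident reports) can be produced from records most companies already keep. The following script is an added example, not code from the original page or from the book it is drawn from; every name, date, and report in it is constructed for illustration, and the 30-day deadline, 60-day comparison windows, and "reports per 100 employees per 30 days" rate are assumptions chosen for this example. It also goes one step beyond the text by splitting post-training reports according to whether the reporter had actually finished the module before filing, which shows whether the training, rather than something else, drove the change.

```python
"""Evaluate a security-awareness program from two records a company already
keeps: who completed the online training (and when), and the security reports
employees filed. All data below is constructed for illustration."""
from collections import Counter
from datetime import date, timedelta

# --- constructed sample data (hypothetical names and dates) -----------------
TRAINING_DATE = date(2024, 3, 1)               # rollout of the awareness module
DEADLINE = TRAINING_DATE + timedelta(days=30)   # assumed: completion required within 30 days
ROSTER = ["alice", "bob", "carol", "dave", "erin",
          "frank", "grace", "heidi", "ivan", "judy"]
# name -> completion date; names absent here never completed the module
COMPLETIONS = {
    "alice": date(2024, 3, 3), "bob": date(2024, 3, 10), "carol": date(2024, 3, 28),
    "dave": date(2024, 4, 15), "erin": date(2024, 3, 5), "frank": date(2024, 3, 20),
}
# (report date, reporter, confirmed as a real incident after triage)
REPORTS = [
    (date(2024, 1, 15), "alice", True),
    (date(2024, 2, 20), "grace", False),
    (date(2024, 3, 12), "bob", True),
    (date(2024, 3, 18), "erin", False),
    (date(2024, 4, 2), "alice", False),
    (date(2024, 4, 20), "frank", True),
    (date(2024, 4, 25), "ivan", False),
]


def overdue_employees(roster, completions, deadline):
    """Employees who had not completed the module by the deadline: the list
    the note above says to carry into job performance documentation."""
    return sorted(name for name in roster
                  if name not in completions or completions[name] > deadline)


def report_rate(reports, start, end, headcount):
    """Reports per 100 employees per 30 days in the window [start, end).
    Normalising by headcount and window length keeps the before and after
    figures comparable even if the company grew or the windows differ."""
    count = sum(1 for day, _, _ in reports if start <= day < end)
    days = (end - start).days
    return count * 100 * 30 / (headcount * days)


def evaluate_program(reports, roster, completions, training_date, window_days):
    """Compare reporting behaviour before and after the training rollout."""
    window = timedelta(days=window_days)
    before = (training_date - window, training_date)
    after = (training_date, training_date + window)

    # A report counts as 'trained' only if the reporter had finished the
    # module before filing it, so late completers are not credited early.
    by_status = Counter()
    confirmed = {"before": 0, "after": 0}
    for day, reporter, is_real in reports:
        if after[0] <= day < after[1]:
            done = completions.get(reporter)
            trained = done is not None and done <= day
            by_status["trained" if trained else "untrained"] += 1
            confirmed["after"] += int(is_real)
        elif before[0] <= day < before[1]:
            confirmed["before"] += int(is_real)

    return {
        "before_rate": report_rate(reports, *before, len(roster)),
        "after_rate": report_rate(reports, *after, len(roster)),
        "after_reports_by_status": dict(by_status),
        "confirmed_incidents": confirmed,
    }


if __name__ == "__main__":
    print("overdue:", overdue_employees(ROSTER, COMPLETIONS, DEADLINE))
    results = evaluate_program(REPORTS, ROSTER, COMPLETIONS, TRAINING_DATE, 60)
    for key, value in results.items():
        print(f"{key}: {value}")
```

With the constructed data the reporting rate rises from 10 to 25 reports per 100 employees per 30 days, four of the five post-training reports come from people who had completed the module, and the number of confirmed incidents barely moves (one before, two after). Read together, that is the pattern the text describes: the training changed reporting behavior rather than the number of attacks.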
Security-awareness training must repeat the most important messages in different formats, be kept up-to-date, be entertaining, positive, and humorous, be simple to understand, and—most important—be supported by senior management. Management must allocate the resources for this activity and enforce its attendance within the organization.

Specialized Security Training

Companies today spend a lot of money on security devices and technologies, but they commonly overlook the fact that individuals must be trained to use these devices and technologies. Without such training, the money invested toward reducing threats is wasted and the company is still insecure. Many individuals seem to agree that people are the weakest link in security, but not enough effort goes into educating these people.

Different roles require different types of training (firewall administration, risk management, policy development, IDSs, and so on). A skilled staff is one of the most critical components to the security of a company, and not enough companies are spending the funds and energy necessary to give their staffs proper levels of security education.

Degree or Certification

Awareness training and materials remind employees of their responsibilities pertaining to protecting company assets. Training provides skills needed to carry out specific tasks and functions. Education provides management skills and decision-making capabilities. Table 3-9 provides more information on the difference between awareness, training, and education.

Table 3-9. Aspects of Awareness, Training, and Education

Awareness
  Attribute: “What”
  Level: Information
  Learning objective: Recognition and retention
  Example teaching method: Media
    • Videos
    • Newsletters
    • Posters
  Test measure: True/false and multiple choice (identify learning)
  Impact timeframe: Short-term

Training
  Attribute: “How”
  Level: Knowledge
  Learning objective: Skill
  Example teaching method: Practical instruction
    • Lecture and/or demo
    • Case study
    • Hands-on practice
  Test measure: Problem solving, i.e., recognition and resolution (apply learning)
  Impact timeframe: Intermediate

Education
  Attribute: “Why”
  Level: Insight
  Learning objective: Understanding
  Example teaching method: Theoretical instruction
    • Seminar and discussion
    • Reading and study
    • Research
  Test measure: Essay (interpret learning)
  Impact timeframe: Long-term
