The failure of security awareness programs

In many cases, security awareness programs fail because they are not tied to the overall company-wide security policies. In some cases, security policies and therefore security awareness training is not given the proper attention and buy-in required by key stakeholders within the company.


Fraud schemes on the rise in Canada

According to a report from Criminal Intelligence Service Canada released Friday, August 20, 26 per cent of Canadians said they'd been approached with a fraud scheme some time last year. That's up from 17 per cent in 2007 and 14 per cent in 2006.

That could mean that fraudsters, with access to social media such as Facebook, are launching more schemes. According to the report, "Securities fraud is becoming increasingly sophisticated. Online social networking sites provide fraudsters new fora."

The report said more people admit they've been repeatedly victimized by fraud and the losses incurred by fraud victims have increased. In 2006, only 32 per cent of victims said they'd invested more than $5,000 in a fraudulent scheme. By last year, that figure had grown to 38 per cent. Seventy per cent of fraud victims never get any of their money back. More than ever there is a need for awareness in this area.

Why you need a project manager and a communication champion

Before diving into the planning process for a security awareness training project, it’s important to assign a project manager and appoint a communications champion as part of the project.  Creating a project includes defining business objectives and scope (what’s included and what’s not) in a project plan document.

Ideally, the project objectives will closely mirror those described in the business case that was either verbally provided or put into an actual written document to obtain the approvals needed to ensure program success.  If you haven't completed the business case yet, then it is imperative you do this first.  Ensure you have complete management buy-in before proceeding to the planning stages. To ensure you are working toward the right goals, you should start by answering the following questions:

How sensitive is the information stored, processed, and exchanged with outside entities?

What regulatory constraints apply (e.g., HIPAA and SOX)?

What is the company’s security strategy?

What are the company’s security policies?  How do they translate to practical, day-to-day activities?

What are the company’s critical business processes?

How does security affect employees’ day-to-day activities?

How would a major security incident affect the health of the business?

Answering these questions helps focus the training on the ISATP message: a message unique to the combination of company culture, the industry in which the company operates, the regulatory climate, and the kinds of sensitive information processed or stored. Communicating this message, and choosing the method of communicating it, is the responsibility of the communication champion.

Although the project manager is responsible for coordinating project activities, it’s the communication champion who provides vision and works with management to gain and maintain support for security awareness.

Project Manager functional roles may include:

  • Overall project coordination.
  • Project plan development and timelines.
  • Oversees the roll-out of the quiz (if applicable) and reviews results with management.
  • Ensures delivery of online training and reinforcement tools.
  • Oversees the review and editing of any content changes and/or any customization requirements on the online training.

Communications Champion functional roles may include:

  • Works with the project manager and management to ensure correct messaging and vision are developed for the ISATP program.
  • Ensures that different types of communication mediums are used in order to get the message out to the users.
  • Develops a communications plan and executes on the plan to gain user interest and provide momentum for the ISATP program.  Works with the project manager to align dates and roll-out for various aspects of the ISATP program.
  • Continues to work with management to get their ongoing support and participation in the process.
  • Assists with, develops and/or facilitates the execution of ideas on how to communicate with the users, e.g., posters, games, etc.

In our experience with hundreds of clients we have found that the project manager can’t successfully provide both the planning skills and the communications champion skills. The role is too large for one individual, and typically the project manager does not have the time to dedicate to the important messaging and communication momentum required to get both user and management buy-in to the program.

Awareness renewal time!

Summer is a great time to take stock of your current awareness program. Review the past year's program and run it through a thorough analysis. Was it relevant to the users? Was the content refreshed with updated security best practices? Is it time to run a quiz and test the current users' knowledge base? Perhaps you need to add some videos to the existing program?

Perhaps it is time to start from scratch and look at a program re-design or a different approach to refresh and revitalize the training program. We recommend looking at new and innovative ways of communicating with your end users. Try getting them involved by running a poster design contest (one they can even enroll their kids in, with some great prizes) and use the winning posters in the campaign itself. Use large placards with key anecdotes placed strategically around the building, e.g., "every minute there are approximately 29 victims of identity theft", to increase awareness.

What are you doing to refresh your program this year?

Great Resources – Take 2

Below is the promised Part 2 of the list of free resources. If you need to “freshen” up your existing training or are looking for new ideas for security awareness, some of these links may be helpful. If you have any more you would like to share, we would love to hear about them.

http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf - NIST - Information Security Requirements

http://www.iwar.org.uk/comsec/resources/sa-tools/ - Information Warfare Site Resources

http://www.articulate.com/rapid-elearning/9-free-tools-that-help-me-build-better-e-learning/ - great e-learning tools!

http://moodle.org - open source CMS/LMS - if there is anyone out there who still has not discovered this one!

http://elearningtech.blogspot.com/2009/12/elearning-templates-20-resources.html - free elearning templates

http://www.learningsolutionsmag.com - great online magazine with excellent articles and insight

http://www.csoonline.com/article/493941/seven-practical-ideas-for-security-awareness

http://www.csoonline.com/article/221058/ideas-from-security-awareness-survey-respondents - 2006 article which is a bit dated but the ideas still apply today

http://www.gideonrasmussen.com/sectips-full.html - 24 security awareness tips by Gideon T. Rasmussen

Eliminate the boring

When you get it wrong, the signs are painfully clear, but the reasons may not always be obvious. Making that all-important connection with your learners does not happen by accident. When you are putting together a security awareness training solution you need to make it not only interesting but RELEVANT.

If the learner already has knowledge of security topics and issues, why do they need additional training on the areas they already understand? The mistake often made is that content is developed from the assumption that the learner knows very little and therefore needs to drink from the proverbial "fire hose". This does not have to be the case. A well thought out quiz, delivered before the content or training is developed or delivered, can eliminate repetitive, boring content that the learner has already absorbed. The quiz acts as a baseline, identifying gaps in the overall knowledge of the learners. Effort can then be spent on either developing content in the areas of weakness or looking for supplemental online content or reinforcement tools to address the gap. The quiz can then be run again after the training to determine whether or not the learning content was absorbed.

Learning Resources Worth Looking At

I always love seeing blog entries that contain great resource references. So, I thought I would start one! Here is the start of a list I have begun compiling of some really good blogs that contain a ton of resources, tips, tricks and more links. Feel like sharing yours and growing the list?

Around the Corner-MGuhlin.org

Box of Tricks

Creative Teaching

Corporate eLearning Strategies and Development

Custom Training and eLearning Blog

Educational Origami

Experiencing E-Learning

Jane’s E-Learning Pick of the Day

Kirsten Winkler

New Learning Playbook

Rapid eLearning Blog

Sue Waters Blog

Workplace Learning Today

Engaging learners through video

An ideal way to engage learners is through video. As an example of the popularity of video you only need look as far as the website YouTube, which currently has 15 hours of footage uploaded to it by users every minute. Digital technology whether it is mobile, video or computer games has fundamentally reshaped the way most of us connect with, make sense of and engage with society.

We need to understand that most of the younger generation will expect an entirely new type of relationship with the world around them that does not rely on accessing information but on creating new knowledge, resources and products. While core basic skills remain vital, new developments and the increasingly collaborative nature of learning will challenge our existing educational infrastructure.

e-Learning guru Lord Puttnam stated that "only by engaging with these new and at times intimidating challenges for the process of teaching and learning - almost all of which are facilitated by digital technology - will we produce a generation of creative learners with a breadth and a depth of understanding capable of dealing with this new incredibly difficult century". As part of his call for a rethink of traditional educational models, Puttnam has made a film entitled We Are The People. It is available free from www.wearethepeoplemovie.com.

Deploying eLearning to tackle sustainability

eLearning plays an extremely important role in terms of sustainability. For those organizations looking to be more sustainable and save costs in the process, eLearning is the best way to improve and expand employee skill sets without having to incur additional travelling costs.

eLearning helps organizations expand training opportunities to more employees in more places. It’s available on-demand, providing instant learning at a moment’s notice. For organizations looking to impart new security policies to their staff and educate them on new best practices, eLearning is the most efficient and cost-effective method of deployment.

What we can learn from Seth Godin

I was reading Seth Godin’s blog entry today http://sethgodin.typepad.com/ (yes…he is a marketing guru and no, he is neither an education psychologist nor does he have a PhD in Education, at least as far as I know). Seth is a best-selling author, entrepreneur and agent of change. So what does this have to do with Security Awareness training, or any training for that matter? For any corporate training to be adopted by an entire organization you need to understand how to market it effectively.

A sentence that Seth put in his blog today really resonated with me. It is as follows:

If you're having trouble persuading people to buy what you sell, perhaps you should sell something else. Failing that, perhaps you could talk about what you sell in a different way.

This can be applied directly to your security awareness training. Let’s give it a try:

If you're having trouble persuading people to take security awareness training, perhaps it is time to try something else. Failing that, perhaps you could talk about the training in a different way.

Security awareness training is an essential part of an organization’s yearly training regime, and if you are facing resistance from end-users in taking the training then perhaps it is time to try some fresh content, videos or even games to make it more enjoyable. If you are currently conducting your awareness training via an instructor-led model, perhaps it is time to look at e-learning, or even just add some video or gaming-type exercises into your existing structure.
