Planning

The failure of security awareness programs

In many cases, security awareness programs fail because they are not tied to the overall company-wide security policies. In some cases, security policies, and therefore security awareness training, are not given the proper attention and buy-in required from key stakeholders within the company.


Why you need a project manager and a communication champion

Before diving into the planning process for a security awareness training project, it’s important to assign a project manager and appoint a communications champion as part of the project. Creating a project includes defining business objectives and scope (what’s included and what’s not) in a project plan document.

Ideally, the project objectives will closely mirror those described in the business case that was either verbally provided or put into an actual written document to obtain the approvals needed to ensure program success. If you haven't completed the business case yet, it is imperative you do this first. Ensure you have complete management buy-in before proceeding to the planning stages. To ensure you are working toward the right goals, start by answering the following questions:

How sensitive is the information stored, processed, and exchanged with outside entities?

What regulatory constraints apply (e.g., HIPAA and SOX)?

What is the company’s security strategy?

What are the company’s security policies? How do they translate to practical, day-to-day activities?

What are the company’s critical business processes?

How does security affect employees’ day-to-day activities?

How would a major security incident affect the health of the business?

Answering these questions helps focus the training on the ISATP message: a message unique to the combination of company culture, the industry in which the company operates, the regulatory climate, and the kinds of sensitive information processed or stored. The communication of this message and the method of communicating it are the responsibility of the communication champion.

Although the project manager is responsible for coordinating project activities, it’s the communication champion who provides vision and works with management to gain and maintain support for security awareness.

Project Manager functional roles may include:

  • Overall project coordination.
  • Project plan development and timelines.
  • Oversees the roll-out of the quiz (if applicable) and reviews results with management.
  • Ensures delivery of online training and reinforcement tools.
  • Oversees the review and editing of any content changes and/or any customization requirements on the online training.

Communications Champion functional roles may include:

  • Works with the project manager and management to ensure the correct messaging and vision are developed for the ISATP program.
  • Ensures that different types of communication mediums are used in order to get the message out to the users.
  • Develops a communications plan and executes on the plan to gain user interest and provide momentum for the ISATP program. Works with the project manager to align dates and roll-out for the various aspects of the ISATP program.
  • Continues to work with management to get their ongoing support and participation in the process.
  • Assists with, develops and/or facilitates the execution of ideas on how to communicate with the users, e.g., posters, games, etc.

In our experience with hundreds of clients, we have found that the project manager cannot successfully fill both the planning role and the communications champion role. The combined role is too large for one individual, and typically the project manager does not have the time to dedicate to the messaging and communication momentum required to get both user and management buy-in to the program.

Great Resources – Take 2

Below is the promised Part 2 of the list of free resources. If you need to “freshen up” your existing training or are looking for new ideas for security awareness, some of these links may be helpful. If you have any more you would like to share, we would love to hear about them.

http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf - NIST - Information Security Requirements

http://www.iwar.org.uk/comsec/resources/sa-tools/ - Information Warfare Site Resources

http://www.articulate.com/rapid-elearning/9-free-tools-that-help-me-build-better-e-learning/ - great e-learning tools!

http://moodle.org - open source CMS/LMS - if there is anyone out there who still has not discovered this one!

http://elearningtech.blogspot.com/2009/12/elearning-templates-20-resources.html - free elearning templates

http://www.learningsolutionsmag.com - great online magazine with excellent articles and insight

http://www.csoonline.com/article/493941/seven-practical-ideas-for-security-awareness

http://www.csoonline.com/article/221058/ideas-from-security-awareness-survey-respondents - 2006 article which is a bit dated but the ideas still apply today

http://www.gideonrasmussen.com/sectips-full.html - 24 security awareness tips by Gideon T. Rasmussen

Security Awareness Program Updates – Managing Program Changes

Consistent updates will assist you in managing change throughout the yearly life cycle of your security awareness program. It is imperative that you update your program to ensure that training/awareness/education deployments do not become stagnant and therefore irrelevant to the real emerging issues faced by the organization. A planned and consistent update program will also allow you to address changes in security policy, directives and procedures driven by new threats, technologies or legislation. We hope the following five steps will assist you in managing program changes:

1. The awareness program should be continuously updated as new technology and associated security issues emerge. Typical program refresh time is every 12 months but changes in an organization’s policies or new emerging threats might dictate a shorter refresh cycle.

2. New training requirements will emerge as new skills and capabilities become necessary to respond to changes in technology and the overall security landscape. Look at implementing role-based e-learning, e.g., manager training for new and existing managers, IT admin training, etc.

3. Changes to the organization’s objectives and/or mission can also affect how best to design training content and methods. Review resources and determine what mix of e-learning, seminar and/or outsourced training is required, and balance training methods against both your current resources and budget.

4. Emerging trends and regulations/laws will also impact the type and extent of security awareness activities necessary to keep users educated about the latest threats and best practices.

5. New security directives will also drive the need to update and/or explore additional training methods or components.

How to win a gold medal with your security awareness program

To win the gold...a corporate security awareness program aims to make all the employees understand and appreciate not only the value of the company's information assets but also the consequences in case these assets are compromised. In theory, the process is straightforward and painless. But as every IT/security manager knows, in real life, an awareness program can be a huge headache - especially in a large enterprise.

How do you plan correctly when implementing a security awareness program? How do you determine what tools will be effective in your organization? And...how do you create a winning program that wins a gold in terms of making everyone aware?

A couple of simple rules:

1. Do the training yourself - ensure that you do your research. Understand how employees use the systems and for what purposes, who has access to what and why. Understand the dynamics of your organization. Be well versed on the policies, goals and initiatives within your organization that might impact the program.

2. Get executive buy-in - without the right buy-in you will not succeed...period.

3. Create a focus group - get individuals from each department involved in the process so they can help you to build the right messaging and communicate effectively to the different groups within the organization.

4. Communicate, communicate, communicate again - use different techniques to get the message across. Be succinct and clear in all communications used and ensure that a regular frequency is maintained throughout the year.

5. Above all...make it FUN! In general, people are frightened about security breaches and risks. Try to remove the scary aspect by getting them involved.

6. Lead by example. Act swiftly and communicate rapidly if a security incident occurs. Ensure you are adhering to the policies within the organization and take every opportunity to communicate and reinforce the awareness message.

We would welcome your input into this conversation. Let us know what methods you have used to get that additional "edge" to create a winning program.

Embedding security awareness training in new hire orientation

A relatively easy way to start ensuring that your employees have a fundamental base of security awareness knowledge is to embed it in the orientation and new hire process. Having the new hire go through a security awareness training program that is linked to corporate policy knowledge ensures that the employee understands not only the policy itself but also the risks and consequences of not adhering to that policy. Security awareness training during the orientation stage also makes the new employee more likely to recognize and detect potential breaches. Mike Rothman provides some guidance to CSOs on how to incorporate security awareness into orientation training in his post http://tinyurl.com/y93vdrd.

The challenge, of course, is ensuring that the HR department is in sync with the IT department or with the organization's CSO, so that this type of training gets included, the most effective delivery method is chosen, and the behavior is reinforced once initially learned. Does your organization include security awareness in its new hire training program? Is it effective?

A clean desk policy gone too far

I had dinner with a good friend last night and the discussion, as usual, lingered toward work-related topics. The company that she works for (a large multi-national company) recently decided to enforce a clean desk policy for security purposes. Nothing wrong with that, except this company did it to the extreme. Employees cannot have even a small amount of anything on their desk. If they do happen to leave an item on their desk, a note goes into their employee file and points are taken off of their quarterly employee assessment, which is directly tied to bonus and payment increases. Obviously, this has all employees grumbling and complaining and wondering if next they will be subject to body searches in order to go use the washrooms.

Had the company instead communicated effectively with their employees, through perhaps a well-constructed campaign, employees would have been able to understand and even, dare I say it, embrace the policy with the understanding that they are assisting the organization in maintaining a stellar level of security protection. Instead, the drastic measure of affecting their personal performance indicators has only led to an employee base frustrated and angry with their employer. How would you have handled it?

Learning to tie your shoes

I purchased a new pair of runners for my 7-year-old and these had laces. I had taught him to tie his shoes in Kindergarten, but with most of the shoes and boots having velcro, I did not realize that the lesson taught in Kindergarten did not stick. I was both shocked and dismayed to realize that my Grade 2 child did not know how to tie his shoes! As a parent I also had that wonderful "guilt" feeling that goes along with realizing that I probably didn't do a very good job initially, as I was in a rush (as always) and should probably have spent more time having him practice so that he retained the knowledge. I also should have bought him more shoes with laces!

So...how does this relate to security awareness? Like any type of training or learning, if a person does not practice what has been learned, it does not get retained. Security awareness is even more difficult since we are ultimately trying to change behavior. Individuals are already set in their ways of performing various job tasks throughout the day, and security awareness is about changing the way in which those tasks are performed. Teaching a security awareness class once a year and providing no other reinforcement or communication on the subject will not sufficiently change the behavior of your end users.

Not putting aside enough time as an educator to ensure that your security awareness program is planned and supported properly will lead to additional stress, guilt and ultimately to the failure of the awareness program.

So...what do we do? We must ensure that awareness is done in small, bite-sized amounts that are easily digestible, and then follow up with reinforcement tools or methods, e.g., posters, newsletters, video clips, spot checks or walkabout reminders that catch people doing what was taught correctly or incorrectly. Providing continuous training throughout the year will aid in retention. Providing rewards and/or encouragement for the training being accomplished and for a change in behavior will give you a better and more widely accepted security awareness program.

Can we look at a new paradigm for teaching security awareness?

At schools and colleges across the country and around the world, the use of the Internet and Web for learning and teaching is causing a major change in the landscape of education. Building upon decades of computer networking activities (e.g. e-mail and bulletin board systems), the Internet has produced phenomenal growth in the extent and scope of online education.

Online education has created a new paradigm for teaching and learning, different from the traditional classroom experience and also different from earlier attempts at computer-based instruction. Instructional methods and strategies employed in online courses are essentially the same as those used by instructors in their traditional classes, with the exception of student interaction and collaboration.

While online education certainly has its benefits from an ROI perspective over traditional classroom methods, what is inherently missing is the "interaction and collaboration" part. As social media and online communities continue to expand and grow in popularity, educators will need to be able to tap into this new method of communication and adapt online education to fit with the new bite-sized, instantaneous learning methodology. How can we use tools like Twitter to get the message through and make it stick? Here is our opportunity to build social education communities and interact with each other regardless of distance, to share and learn in a community fashion. How inspiring is that? How are you going to use this new medium in your training plans?

Delivering Results Part I

I have talked quite a bit in this blog about the factors behind successful awareness training programs, yet I keep hearing stories from clients and friends about awareness training programs that are just not able to deliver.

The success of a security awareness program really depends upon the delivery of the information and how it is tailored for each audience. Security awareness training should be delivered to end users in each department as well as incorporated into new employee orientation. This can be administered using an online training format in small learning bites that are easily digestible and delivered per month or quarter, or through instructor-led sessions or smaller, informal lunch-and-learns. For managers and executives, it may be better received if delivered in an instructor-led session format or online, but with lessons geared toward the IT risks that managers/executives need to be aware of.

When considering training options for your employees, you will need to consider both instructor-led and online learning formats. In security awareness training there are instances when both are required. If you need to conduct general end user security awareness training, online training options have certain efficiencies and cost advantages. Cost factors include course development, instructor time, instructor salaries, preparation time, classroom costs, travel expenses, material costs and employees' time.

Other factors that are not included when looking at costs are the speed of delivery of the training and the instructional efficiency. Instructional efficiency is where all of the information delivered leads to learning that improves performance (reference: Moran, J.V. 2002, ROI for E-Learning, http://www.learningcircuits.org/2002/feb2002/moran.html). Online learning's advantage over instructor-led training is that it can be delivered in a timely, consistent way, with the ability to easily update materials.

In the second part of this series, we will look at the advantages and disadvantages for the learner from both a delivery and efficiency factor. Stay tuned!
