The following is an excerpt of Robbie Craig's thesis for the MSc Degree in Information Security of the University of Westminster, entitled: "Security awareness and training programme design: a case study at Luton Borough Council". The excerpt is published with permission of the author.
In this first part we will examine why security awareness programmes fail and how we can avoid these pitfalls. We will then examine options for the high level structure of the programme. These structures will identify roles, responsibilities and essential processes. As motivation and effective communication are critical elements to a security awareness programme we address these two issues in some detail.
Security awareness is described in some dictionary definitions as "a means of focusing attention on security issues". Whereas a programme is "an overall effort, not a specific briefing, training session or activity" (Roper, Grau & Fischer, 2005).
In defining their own security awareness programme, the University of Pittsburgh (University of Pittsburgh, 2003) recognised these simple definitions fail to consider that focusing attention is limited in effectiveness if the target audience have no interest or desire to help address the problem. They consequently defined security awareness programmes as "focusing attention on security issues and control solutions, allowing individuals to recognize concerns and respond accordingly".
This definition still falls short for me. It fails to fully address motivation. Why should individuals wish to respond to a security issue; they need a reason? In some cases, the reason might be as stark as failure to comply may lead to dismissal. In other cases, motivation can be far more complex, based on degree of individual support for the organisations objectives, based on the personal relevance of the security issue to the individual, based on financial recognition of support or a complex mixture of these points plus many others. A better definition of security awareness might therefore be "Awareness programs that focus attention on security issues and control solutions, allowing individuals to recognize conerns, understand their relevance and respond accordingly."
Reasons security awareness programmes fail
"...In most organisations security awareness is very poorly addressed. There are many security professionals who see it as a lightweight issue or add-in" (Bicknell, 2004).
There are a number of reasons why a security awareness programme may fail. A common problem is that security awareness is often seen as a quick, simple, low cost or knee jerk response to a current threat, consequently they may be launched with inadequate preparation resulting in problems, a few of which are bulleted below:
- Programme is driven by one group (e.g. the IT dept) and as a consequence lacks widespread support.
- The wrong person is in charge, so the programme lacks credibility, relevant skills or teeth to enforce compliance where needed.
- No budget or resource available to support the programme in the longer term.
- Programme fails to communicate its objectives in an effective manner.
- There are limited or no means of judging the programme's effectiveness.
- The Programme is driven by available, content or management directive rather than business needs.
Even with time for proper planning there are plenty of pitfalls that can undermine the programme, these include:
- Arguments over where funding should come from
- Inappropriateness of a one size fits all approach
- Target audience is too narrow
- Omission of any strategy to maintain and develop the programme
- Lack of feedback mechanisms regarding problems, successes and queries
- Limited or ineffective access to the key decision makers
- Insufficient visible support from the senior management
- No disciplinary policies or procedures to support the programme
- Poor integration of programme components
- Lack of novelty
Information security is often seen as the preserve of the Computer Department, operating distinct and separate from the physical security or financial/internal audit teams. This provides opportunity for confusion or conflict over territory and responsibility.
If a number of teams share a building, then an initiative by one team directing co-tenants to beef up visitor handling or prevent tailgating may fail if the cotenants regard this as draconian or not pertinent to them.
If the Information security team may want to promote awareness of measures to counter identity theft, but its ideas might run contrary to or exceed the controls already specified by the internal audit team.
A simple approach to these problems might be for IT security to engage in consultation with affected parties and where possible agree a co-operative approach before they act. Others see this sort of problem as resulting from inappropriate organisational structures and may make information security the responsibility of the internal audit function as opposed to IT. Others still employ a chief security officer responsible both for physical and information security (Dalton, 1995). This last option if done properly can bring with it added credibility for security as a whole. Traditionally many workers in physical security have a background with the Armed forces or police and consequently lack relevant business expertise, while employees in IT security may be technically adept, but have limited person management skill. A business orientated Chief security officer aligning physical and information security with corporate business objectives is more likely to hold credibility in the boardroom.
Consultation and co-operation are essential pre-requisites that cannot be overlooked, regardless of the organisational structure. A steering committee with representation from information security, physical security, HR, training, audit, user groups and the internal marketing team can provide a number of advantages. They can promote debate on the prioritisation of issues, the nature of the message and selection of communications channels. They also give the representatives more ownership of the subject and provide a channel for feedback on the success or otherwise of the programme.
Three common approaches that are used to address security awareness programmes are requirements driven, means driven and needs driven approaches. (Roper, Grau & Fischer, 2005). Requirements driven programmes tend to be of two types; either they address standards and regulations set by an outside authority or they take the form of a corporate directive addressing a current issue within the organisation. Means driven programmes are driven by a "what have we got to hand?" approach, while needs driven programmes are driven by the security needs of the business. Many programmes will be a combination of all three.
The UK's Data Protection Act 1998 and th Financial Services Authority (FSA) or the United States' Sarbanes-Oxley legislation and the Securities and Exchange Commission (SEC) effectively impose security requirements on the organisation. Problems with the requirements driven approach is that the drivers are all either external or top down and don't take account of reality on the ground, e.g. other local threats or the amount of work and money required to provide sufficient education and training to the employees to meet the directive. Problems will arise where the cost of meeting compliance eats up money in the security budget that the organisation should really use to address more pressing threats.
A problem with teh means drive approach is that "what we have to hand" may bear little or no relevance to what needs to be done. This can be a potential problem in large or multi-national organisations where security materials are centrally resourced, unless there are sufficient feedback mechanisms to centre highlighting local security needs and the effectiveness of materials being provided. Security awareness programmes should be primarily driven by the security needs of the organisation, issues such as compliance, corporate directives and limited resources must all be considered, but the security officer must ensure do not prevent the key security needs being addressed.
Lack of novelty is another issue that can reduce the effectiveness of awareness programmes. Something that's new is more likely to get noticed than something that's become familiar. (Roper, Grau & Fischer, 2005). Renewal of posters and messages will also indicate activity within the security team. It is often better to structure expenditure to produce multiple low cost items each with a limited life, than to purchase a single batch of a higher value item that has an extended life. We will examine the various ways of delivering effective messages in a novel manner later on in part one of the paper.
Awareness Programmes may also fail, if they provide unclear or conflicting messages, or if they fail to properly identify or understand their audience. This point is covered later in part one, but research into audience demographics and opinions must influence the choice of message and communications channel that are used. Such research takes time, and failure to undertake it will undermine the effectiveness of your programme (Smith & Mounter, 2005).
If you wish to secure the continuation of the security awareness programme in the longer term then you need to be able to demonstrate that it is effective. This means choosing the right metrics. Firstly the metrics must mean something to the persons that hold your budget (Dalton, 1995) but just as importantly you need them to be relatively unambiguous. Unfortunately this is easier said than done. It may be easy to demonstrate that an employee's awareness has been raised, by virtue of periodic surveys or post training course evaluations, but proving a causal relationship between an awareness programme being in place and decreased laptop thefts is more problematic due to the number of other factors that come in to play (Roper, Grau & Fischer, 2005). Metrics of laptop thefts are still useful, but having both sets of metrics whereby you can demonstrate that not only have thefts decreased, but awareness of how to look after laptops has generally been raised will provide a more compelling argument. You can then make a more valid claim that you are actually saving the organisation money.
Another means of proving the effectiveness of your awareness programme is in demonstrating that other teams value it within the organisation. At Luton, a screen advising employees that they had been blocked from accessing an inappropriate Internet site was redesigned. The new screen was personalised to display the employee's name, the name of the site visited, and why the site was deemed inappropriate (e.g. adult or pornographic). It also included a hyperlink to Internet policy. In the 12 months after its introduction, there were no cases of Internet misuse that required employee suspension, whereas in the 3 years there were 6 cases that required formal disciplinary action. In two of these cases, employees were suspended on full pay for a combined total of 18 months prior to dismissal. One case required the purchase of a forensic investigation and HR spent an average of 70 hours on each case. The cost of developing the new screen was minimal. Management were uninterested in how many suspicious events occurred every month when employees used the Internet, they were however interested in how the HR workload had been reduced and that employees were no longer being suspended on full pay for prolonged periods. If canvassed it is likely that HR would deem the work of the IT security team to be of significant value to them.
Another way of assessing the effective of your awareness programme (or any internal campaign) is through feedback. Employees should be actively encouraged to let you know what they do or don't like about your training or awareness activities or what they would like to be done instead. Whether it's an article in the staff newspaper, an item on the intranet a poster or an all employee e-mail bulletin, feedback must be requested. If you don't have any channels available for obtaining feedback, you'll never know if anyone was reading your messag in the first place or even whether they believed you. Kevin Thomson (Thomson 1998) quotes from a survey by the US Council of Communication management where 64% of employees didn't believe what they were being told by senior management. If you don't obtain any feedback, you'll never have the opportunity to critically address issues such as lack of trust. Feedback will also help you determine whether the message is in anyway offensive, irritating, irrelevant, contradictory or confusing.
Often the feedback will reveal that certain groups are being overlooked or bring to light security issues you didn't know existed. You will also find it useful to know whether your message generates a demand for more information or whether it creates a positive or negative impression of the security team, or of management? By providing feedback channels all this information can be gleaned (Roper, Grau & Fischer, 1995).
About the author:
Robbie Craig is ITSO (Systems Assurance Officer) at Luton Borough Council.