ComputerWeekly.com

https://www.computerweekly.com/news/2240037191/Security-awareness-tips-Making-programmes-more-effective

Security awareness tips: Making programmes more effective

By Ron Condon

Security awareness programmes have a mixed track record of success, to put it mildly.

While many security paradigms emphasise the importance of people, process and technology in every security strategy, in practice, the people and process parts tend to receive only grudging attention.

As a research study by mail security company Clearswift found last November, few organisations tackle the awareness agenda with enthusiasm. Half of the employees polled said they had never received any awareness training, and two-thirds had never had training in their current role. That led the researchers to conclude that most workers were “IT freestyling”: working with little or no guidance about what was and was not permitted.

So what are the keys to making an awareness programme effective, and ensuring it produces a long-term impact on the behaviour of the people using systems?

The best way is to ask security pros who have been through the process. And what better way to find out than to ask members of security groups on the LinkedIn social networking site? We at SearchSecurity.co.UK recently did just that, and, within hours, professionals from around the world began to offer up their suggestions.

Here is a summary of some of their security awareness tips:

Targeting
A corporate security policy can be long and complicated, and much of it will be irrelevant to individual workers, so security pros suggest tailoring training to each group of users.

“The message and the language must be crafted to the audience: Speak in the audience's language. Never use ‘security-speak’ except to other security folk,” wrote Brook Schoenfield, a senior security architect for US-based Cisco Systems.

Nick Baskett, managing director of Matta Group in London, echoed that view: “Teaching someone something they don't see as relevant to their job is a sure way to encourage amnesia. Security awareness to the [Personal Assistant] for the CFO has different elements than training someone in a call centre.”

Michael Krausz, an information security consultant based in Austria, made the point that training has to be engaging if it is to register with people. “The training should be inspiring and interesting. There's nothing worse for increasing awareness than a boring training session,” he wrote. “What usually works is to include practical elements that contain an element of surprise to keep a class interesting.” In one session, Krausz showed people the source code of a virus, for example, and in another, he showed a hardware keylogger and asked people to think about how much of their typing such a keylogger could hold in its 2GB of memory.

He also emphasised the need for face-to-face sessions in addition to any computer-based training (CBT). “Using CBT neither creates nor increases awareness. If people do not have in-person training sessions, they will simply learn the answers, but their awareness will not change,” Krausz said.

Interactive training can also help get people engaged with security by having them take on roles in certain threat situations. For instance, this can be especially effective when explaining how social engineering works. “Acting it out works very well,” wrote Colin Wright, a CLAS consultant (with clearance to work on government contracts) based in Milton Keynes. “Give them all a role and a scenario with 'placed' individuals to take it forward to whatever conclusion or point you need to make. They'll feel foolish at first, but it does work.”

Senior management backing
Any awareness programme needs to have the full and genuine support of senior management. It’s no good, security pros say, if the managing director merely signs the security policy, but ignores it for his or her own use.

“If the risk and compliance culture of an organisation is poor, then awareness alone won't result in good security,” wrote Adrian Wright, managing director of Secoda Risk Management in London. “Awareness needs to be delivered in concert with measures that confer responsibility and accountability on individuals, and ensure there is a senior mandate for managing risk and compliance, well communicated from the top down.”

Repeat, repeat
As the Clearswift study showed, if companies do any training at all, it tends to be done at induction to the organisation and then quietly forgotten about.

Nick Baskett succinctly summarised the issue: “An awareness course is pretty useless if it's a once-a-year event that stands in isolation from the actual practices and culture in the organisation.”

Roger Killick, information security manager for Siemens plc, agreed: “In my opinion, little and often (i.e. business as usual) is a better approach than a one-off campaign, although such a campaign could be used to start the process off.”

And Randall Lozano, president of the Philippines Internet Society, said awareness training activities should take place at least twice a year, backed up with posters and reminders in the organisation to keep the message in people’s minds. Creating the culture can be difficult at first, he admitted, but once the message is imprinted in users, they can become a powerful line of defence against any kind of intrusion.

Enforcement and testing
Many contributors to the LinkedIn discussion underlined the need to follow up on the training, to reinforce the message on a regular basis, and to make sure the message has been absorbed and retained by users.

This can sometimes involve drastic measures. David Simmons, an IT security administrator based in Ohio, said he requires users to take a CBT program by a certain date, and, if they fail to do it, he disables their Active Directory account, and then they have to take the test from a designated terminal to get reinstated.

“Yes, everyone in the company hates me, but you do not enter the world of security to make friends!” he wrote. He supplements the CBT courses with a range of other measures including:

Ben Klein, a networking security specialist working for Spectra Energy in Houston, Texas, also underlined the need for regular testing. “Most security awareness training wears off very quickly, something like 4-6 weeks if you are lucky. Daily and weekly reminders, posters, knick-knacks for the desk, etc., also start becoming background noise and glazed over,” he wrote.

He cited one effective and ongoing security awareness campaign where users are randomly subjected to re-testing and must take a refresher if they do not respond correctly. This could involve, for example, the security team sending a dodgy-looking attachment to a user to see if he or she opens it, or a phishing message to see if the user replies.

Measure effectiveness
One sure way to gain and keep management’s interest in security awareness programmes is to demonstrate a clear improvement in the performance of users.

Michael Paisley, head of information risk at Santander UK, highlighted three possible goals for an awareness programme, and suggested ways of measuring their success.

And finally…
For those who need more detail on how to plan a complete awareness programme, Robbie Craig, an information security officer with Luton Borough Council, has made available a section of the dissertation he wrote for his Master’s course at the University of Westminster.

This thesis provides a complete case study of the programme he helped to introduce in Luton, and includes full details of techniques used and a breakdown of costs.

22 Jun 2011