Security awareness training shapes information security management initiatives

Changing the behavior of users towards better security is tough. This is the first topic in our series of 12 MSc thesis articles on security from Royal Holloway University, London.

Everyone engaged in information security will know the look of boredom that the mere mention of security awareness programmes can evoke.

And yet, changing the behaviour of users – from senior management to the lowest clerk – can go a long way to averting the worst security breaches. Alert and well-trained users will know the value of information and provide a vital component in any organisation's security strategy. The big challenge for the information security professional, however, is how to get their attention and persuade them to buy into the idea.

One person who has given the problem a good deal of thought is Monique Hogervorst, a Senior Information Security Consultant with APACS, the company that manages payments between the UK's financial institutions. She has come up with a detailed plan and a set of tools that she says will help to "overcome aversion against information security" and help to measure the impact of security awareness training.


The work is the subject of her recently completed MSc thesis at Royal Holloway College, and is the first in a series of Royal Holloway MSc papers that will be published over the coming weeks.

Hogervorst's approach is to analyse both the forces that drive security and those that restrain it, and then to look at ways to boost the first and lower the second. Her concept of the Information Security Force Field Model (ISFFM) allows the security professional to visualise the opposing forces and then measure how they change over time.

By working with the different areas of the business and understanding current business processes, she says, the security professional can identify a list of driving forces (such as legislation, reduction of downtime, business opportunities) and restraining forces (business culture, time pressures, poor awareness of risks). Each force can then be assigned a score (for instance from 1 for very weak to 4 for very strong), which enables security professionals to target their efforts and measure progress.

"In order to use the method over a period of time it is paramount that the reasoning behind the assignment of a strength value is repeatable," she says. "Using metrics for analysis and reasoning creates a basic tool to assess strength of forces in a reasonably objective way."

By periodically repeating the exercise, it is then possible to measure how the force fields have altered and see where security training and security awareness have had an impact.

As Hogervorst admits, the model has only been piloted in a limited way at one organisation (a report on this case study is contained in the full body of her thesis), and it still needs further development and more guidelines for its use. But the feedback from the pilot has been encouraging.

She says that management and employees find it hard to see the return on investment from security awareness programmes, and security professionals struggle to target their efforts where they will have maximum effect.

As she concludes: "The outcome strongly indicated that information security training and awareness has a positive impact on the overall security of an organisation. This impact can take the form of a reduction in information security incidents (and the time information security professionals invest in investigating these), savings in project turnaround times and project costs, and increasing (timely) involvement in business projects."

To download a fuller explanation of the Information Security Force Field Model, written specially for by Monique Hogervorst, and based on her MSc thesis, click here.
