In 2007, HSBC Actuaries lost an unencrypted disk. HSBC Life faced a similar loss in 2008. Investigations by the UK Financial Services Authority led to fines of about 3.1 million pounds, and also revealed that "the staff was not properly trained to identify risks". Following this, the companies "improved" staff training with security awareness programs.
Recently in India, in the aftermath of the Shadow network disclosure, when it was revealed that sensitive government data had been stolen, media reports indicated that the Ministry of External Affairs started a "sensitization program". This has been mainly due to the realization that the weakest infrastructure link is the bureaucrat. The Ministry started this initiative by addressing the security awareness levels among clerks and personal secretaries—to be followed by senior officials.
Over the past decade, the role of information security (IS) in any IT-enabled organization has grown. This means it is important for everyone to adopt good practices and safeguard themselves against the many threats that abound in cyberspace and on corporate networks.
Security awareness levels among users have been recognized as the single most important control in any IS enablement. Unfortunately, security awareness is the one practice (or control) that is given the least importance in most IS initiatives. Every standard, framework and guideline emphasizes the importance of security awareness in the large-scale mitigation of security risks. In every forum and presentation, both presenters and listeners pay lip service to the requirement of security awareness, and then go back to their desks without taking action.
Security awareness programs, as they exist in IS establishments and implementations, are largely boring presentations that one is made to attend for the sake of achieving compliance with one clause in the organization's security policy. The metrics (usually) capture the number of people who attended and the number of sessions in the year. The number of security awareness training sessions is usually recorded in man-hours, and this is offset against the organization's training hours. Therein lies evidence of systemic failure, and the reason why the exercise is ineffective.
Information security awareness cannot be considered part of a corporate training program. Training programs are devised to provide skills-based knowledge and are usually run by the HR department. By contrast, the objective of a security awareness program is not skill enhancement, but awareness. The security awareness program exposes participants to the expectations of the organization, industry guidelines, and best practices in approaching IT-related tasks in their day-to-day work.
Security awareness programs start when a new employee or vendor is introduced to the policies and procedures of the organization in an induction program. It is important for all to understand and accept the responsibilities of compliance, and the penalties for non-compliance with the organization's expectations.
It is necessary to build security awareness into the organization's work culture to get a good ROI. This is possible only if the security awareness programs are:
[a] Designed and delivered in a friendly and non-obtrusive manner.
[b] Updated, based on feedback and changing organization requirements.
[c] Accepted as a necessity by the management at all levels, and not clubbed with training programs.
[d] Supported by management participation at all levels, as both trainers and trainees.
[e] Yielding meaningful value metrics, which are then used for security awareness program's enhancement.
[f] Recruiting managerial, functional and non-functional volunteers to champion the security awareness message across the organization.
Getting a security awareness program kick-started by the CXO or Board will be a good way to begin. It is important to have buy-in from managers across all business lines. Employee participation and contribution to the security awareness programs must be included in individual key review areas (KRA).
The security program must be designed by professionals in a manner which encourages user participation via questions and answers. Concepts, risks, threats and vulnerabilities discussed must be supported by real-life examples and case studies. Sharing media reports of incidents which have occurred in the same line of business will enhance learning. The duration of each security awareness session must be between half an hour and one hour in order to hold audience attention and ensure retention of learning.
Ensure that each security awareness session is restricted to only one or two security concepts, so as not to confuse the participants with information overload. It is also good to follow up sessions with reinforcement such as updated messages on screen savers and new posters in the workplace. If possible, run inter-department competitive quizzes on the subject(s) of the previous security awareness program.
Vanilla metrics provide a numerical representation of the training and security awareness program, and, when benchmarked against a plan, can help one to arrive at a compliance level percentage. This number will fly for satisfying compliance-based reporting, but is of no help to management. Accompanying metrics will show the number of man-hours expended by trainees and trainers, and one can hear gasps at the 'waste' due to 'free' trainings (security awareness sessions).
It is therefore important to move away from a robotic exercise of collecting numbers which provide no value for analysis and decision-making. Sample metrics which provide value can include:
* Change in the number of help desk calls for password changes (convert to effort saved in time and money terms) in the month after a password safety session is conducted.
* Variations in the number of virus outbreaks due to email attachments, file transfers over P2P, and file copying from media (convert to effort saved in cleaning and restoration) in the month after sessions on hygienic habits in email and data/file sharing and copying.
It is time to move to value statistics – that which will provide business value to all stakeholders. The security awareness metric must be tailored for each level of delivery (top management, line managers, functional team member) and must provide food for thought and action to the level it is delivered. Only then will the metric have achieved the purpose it had been devised for. In summary, it is necessary to conduct regular security awareness training programs which are interestingly designed and delivered.
About the author: Dinesh O Bareja (dinesh AT opensecurityalliance DOT org) works on information security awareness, research and training. He provides consulting and advisory services for simple and effective security practices in a professional capacity.