# Making awareness work

## Problem
Not all security problems within an organisation are suited for addressing in a security awareness program. Determining what problems are suited for a security awareness program or workshop can require too much time and research.
## Solution

Many service companies offer security awareness programs. In practice, roughly 80% of the training content is, and should be, generic; only the remaining 20% needs to be tailored to the specific organisation's context.
The most common topics for security awareness campaigns are:

| Topic | Messages |
|---|---|
| Passwords | Do not share User IDs or passwords |
| Viruses | Beware of viruses, particularly in e-mail attachments |
| Physical security | Keep premises secure |
| E-mail and Internet use | Don't send sensitive information over the Internet without taking suitable precautions to protect it |
| Incident response | Recognise security incidents |
| Information handling | Classify information correctly |
Common problems that can and should be addressed by a security awareness program:

| Problem | Description |
|---|---|
| Achieving a culture change | It is difficult to effect a cultural change or achieve a common value across the organisation where the culture does not value security. |
| Cultural and departmental variations | Differences across large, distributed organisations cause problems achieving consistency between departments and countries. |
| Distributed security management | Organisations with a distributed or decentralised security function face difficulties in developing and managing awareness when the team is spread across divisions and countries. |
| Legal and regulatory issues | Organisations consider legal and privacy issues to be part of the security team's responsibilities, and these have to be included within awareness programmes. National variations in legislation may require that campaigns are restructured for each country in which they are delivered. |
| Disregarding policy | Users choose to ignore policy and disregard security requirements. Management permits exceptions to security rules without considering the risk implications. |
| Lack of basic awareness | New members of staff often have little understanding of the organisation's policies, culture or their security responsibilities. |
| Poor systems security | Complying with secure development standards, such as SAMM, so that security measures are built into applications. |
| Technical security issues | A key technical problem that requires an awareness fix is that of viruses, since users must be taught not to bypass controls or open 'suspect' files. |
| Justifying security | In organisations that recognise the need for security, there is often little perception of information as an asset, and it is hard to justify security budgets or activities in such cases. |
| Resistance to security | Middle and senior management are still seen as resisting security because of a lack of interest or failure to understand their own responsibilities. |
Define clear objectives. Some common objectives you can reuse are:

| Driving Force | Example actions to increase Driving Force |
|---|---|
| Need to reduce costs | Show how poor security costs more time and money in the long term |
| Achieve compliance with policy and regulations | Ask the Internal Audit Department to inform departments of security audit requirements well in advance of the audit |
| Reduce number and severity of security incidents | Configure systems to make anti-virus software mandatory |
| Protect reputation | Demonstrate the threat to reputation and collect data on incidents affecting other organisations in the same sector |
| Management support for security | Demonstrate that current vulnerabilities are 'real' |