Discussion 2 – Week 9
"Awareness and Training" Please respond to the following:
Awareness programs that can get the support of management are more successful. This support inevitably leads to more freedom, larger budgets and support from other departments. Anyone responsible for running a security awareness program should first attempt to obtain strong support before focusing on anything else. Successful efforts frequently highlight that security awareness was required for compliance and that awareness efforts provided a return on investment that will inevitably save the company money, and every executive likes to hear that you're saving them costs.
Another key factor in having a successful effort is being able to prove that your effort is successful. The only way to do this is to collect metrics prior to initiating new awareness efforts. Without having a baseline, it is hard to demonstrate that your efforts had more than assumed success. The metrics can include surveys on attitudes, or they could include the use of phishing simulation tools both pre- and post-awareness training. You can also examine the number of security-related incidents, such as attempted visits to banned websites. When you can show measurable improvements in any aspect of security, you can justify your program and obtain additional funding and support.
Creativity is also a key element that needs to be included in a security awareness program. While a large budget helps, companies with a small security awareness budget have still been able to establish successful programs. Creativity and enthusiasm can make up for a small budget. An example of creativity is the use of a security cube during a company event. The security awareness department set up a mock cubicle, with 10 common security violations, in the main hallway. Employees who could identify all 10 violations were entered in a prize drawing.
Another key element that needs to be included in a security awareness program is a variety of awareness tools; successful programs incorporate several. This includes newsletters, posters, games, newsfeeds, blogs, phishing simulation, etc. The most participative efforts appear to have the most success. Another issue to consider is that materials should attempt to connect with different generations. For example, some videos seem to connect best to young males. You then need to use other videos or materials that connect with older employees and females. There is definitely no such thing as "one size" security awareness.
Most security awareness programs follow a one-year plan. Those plans also attempt to cover one topic a month. This is ineffective, as it does not reinforce knowledge and does not allow for feedback or account for ongoing events. Programs that rely on 90-day plans, and reevaluate the program and its goals every 90 days, are the most effective. The most successful programs focus on 3 topics simultaneously that are reinforced regularly throughout the 90 days.
Security awareness programs differ from security training programs because security awareness sets the tone and goals for the policy while security training focuses on the mechanics of what is expected to be done and when.
Teaching an old dog new tricks is tough in many organizations; many times security is implemented as an afterthought. Because security is not always integrated from the very beginning, users have weeks, months and even years to develop bad habits. This makes the challenge of implementing a security awareness program twice as hard. Not only do you have to educate employees on security, but you also have to help them unlearn any bad habits that they may have acquired. In addition, employees in this situation tend to have extra trouble buying into the value of security. As far as they are concerned, the organization has operated just fine for many years without security. New security requirements are viewed as unnecessary changes that make their lives more difficult. Many times, to help change the ideas of these types of employees, you will have to focus on these bad habits and explain why they are an issue and what vulnerabilities they incur.
Many employees share the perception that security is the sole responsibility of the IT security department and not theirs. They tend to limit their role to the bare minimum of compliance to keep their jobs rather than the big picture of what they can do to help. While adhering to policy is a good start, there is much more that can be done. It is important that employees understand that the IT staff cannot do it alone. You must create purpose for them within security and ensure they feel their part is needed rather than wanted.
Some security awareness and training programs fail to adequately segment their audience and deliver appropriate messages. This is a very poor strategy that results in messages getting ignored. Employees receive hundreds of messages every day from all different directions. It is critical to segment your audience and ensure that people only get the messages they need. A one-size-fits-all strategy may be easy on you, but it will not be effective. You must remember that age and gender will play a larger part in security awareness and training. It is important to create these different types of programs to facilitate the interest of these separate types of employees.
Many security awareness programs fail to educate their employees on why security is important. They cover every other aspect, but leave out the information that is most likely to motivate employees to change their behavior. Employees who understand why certain behaviors are not secure are most likely to take ownership of the issue and change their behavior. For example, if you communicate a new password policy that has more stringent complexity rules, employees will most likely view the new policy as a pain. On the other hand, if you also communicate to employees how passwords are cracked and misused, and the potential impact that this could have, then they are much more likely to take ownership and willingly adopt the new policy.
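The baseline-versus-post measurement described in the post above, as an added example (not part of the original discussion): per-department click and report rates from constructed phishing-simulation results, with a flag for segments whose click rate is still high and need reinforcement in the next 90-day cycle. The record layout, department names and the 20% threshold are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample, one row per simulated email delivered:
# (campaign, department, clicked_link, reported_to_security)
RESULTS = [
    ("baseline", "finance", True, False), ("baseline", "finance", True, False),
    ("baseline", "finance", False, True), ("baseline", "finance", False, False),
    ("baseline", "engineering", True, False), ("baseline", "engineering", False, True),
    ("baseline", "engineering", False, True), ("baseline", "engineering", False, False),
    ("post90", "finance", True, False), ("post90", "finance", False, True),
    ("post90", "finance", False, True), ("post90", "finance", False, False),
    ("post90", "engineering", False, True), ("post90", "engineering", False, True),
    ("post90", "engineering", False, True), ("post90", "engineering", False, False),
]


def segment_rates(results, campaign):
    """Per-department (click_rate, report_rate) for one campaign, as fractions."""
    counts = defaultdict(lambda: [0, 0, 0])  # delivered, clicked, reported
    for camp, dept, clicked, reported in results:
        if camp == campaign:
            c = counts[dept]
            c[0] += 1
            c[1] += clicked
            c[2] += reported
    return {d: (c[1] / c[0], c[2] / c[0]) for d, c in counts.items()}


def compare_campaigns(results, before, after, click_threshold=0.2):
    """Change in click and report rate per department between two campaigns.

    needs_reinforcement is set when the post-training click rate is still above
    click_threshold (an assumed 20% here), i.e. the segment should be a focus
    topic in the next 90-day cycle rather than considered done."""
    pre, post = segment_rates(results, before), segment_rates(results, after)
    report = {}
    for dept in pre.keys() & post.keys():
        report[dept] = {
            "click_delta": round(post[dept][0] - pre[dept][0], 3),
            "report_delta": round(post[dept][1] - pre[dept][1], 3),
            "needs_reinforcement": post[dept][0] > click_threshold,
        }
    return report


if __name__ == "__main__":
    for dept, row in compare_campaigns(RESULTS, "baseline", "post90").items():
        print(dept, row)
```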
Security awareness can be considered the more complex process, but each is equally important. A security awareness program must take a tailored approach for each job level, level of awareness, and technical skill level (Johnson & Merkow, 2011). In general, security training programs are more straightforward than delivering awareness (Johnson & Merkow, 2011). "Security training focuses on mechanics - what is expected to be done and when" (Johnson & Merkow, 2011, p. 327). Training becomes much more difficult without awareness.
Developing centralized policies in a decentralized environment is very difficult, and now most organizations have a distributed IT infrastructure. The key to solving this hindrance is to centralize administration. A distributed infrastructure and environment can also lead to a lack of standardization (Johnson & Merkow, 2011). To address this hindrance, "Both administration groups need to agree on a common approach to security" (p. 339). Developing a common approach is greatly facilitated with centralized administration. To address both distributed infrastructures and environments, senior leadership must agree on a timeline for these programs (Johnson & Merkow, 2011). The lack of executive management support may be the most critical hindrance. "A lack of support makes implementing security policies impossible" (Johnson & Merkow, 2011, p. 341). Therefore, making these efforts worthwhile requires effective communication and preparation to ensure management support.
Johnson, R., & Merkow, M. (2011). Security Policies and Implementation Issues. Sudbury, MA: Jones & Bartlett.
Executive support is the key to having a successful infrastructure in any business. According to your statement, "The lack of executive management support may be the most critical hindrance," I would agree this is the most critical hindrance. Without the support of the executive team, you will find yourself with a budget that cannot facilitate the security needs of the business. The executive team also plays a large part in enforcing IT security policies. If the end users see the lack of support from management, then they will not be invested in the policy, which creates another hindrance. Executive support must be acquired before implementing any type of policy or procedures.