Security Awareness
• Security Awareness Purpose
• 4 Phases of Awareness
• Measuring Progress
• Case Studies
• Questions?
AWR1 Tracking Progress on Security Awareness 2
Awareness Purpose
• Understand and comply with security policies and procedures
• Work to reduce errors and omissions by users due to lack of awareness and/or training
• 1st step in increasing Security
– Awareness, Training, Education
Four Phases of Security Awareness
Source: NIST SP 800-50
Four Phases of Security Awareness
1. Design Project plan
2. Develop or Purchase Security
Awareness material
3. Implement program
• Pilot group
4. Post-implementation
• Measure results: Before & After
Step 1 – Design
• Strategy & Goals
– Institutional long term view
– Conducting a Needs Assessment
• Prepare Training & Project plan
– Get feedback, observations
– Select Pilot Team
• Get management approval!
– Funding
– Agree on Benchmark statistics
Step 1 – WIIFM
• Your motivation:
– Keep your job!
– Obtain raise or promotion
– Raise Security Awareness!
WIIFM: What’s In It For Me?
Source: NIST SP 800-50
Step 2 – Obtain Material
• Develop
• Purchase
• Outsource
• Test & Integrate
– Learning Management System
• WIIFM: Quality, Relevant, Fun
Step 3 – Implement program
• Pilot group
• Get feedback & support
• Adjust
• Involve population sample
• Savvy person
• Influential manager
• Contrarian
• WIIFM: Successful deployment
Step 4 – Post-implementation
• Measure results:
• Before
• During
• After
• Report to Management on
• Identified Goals and Metrics
• Success can be measured by reduction of
chronic problems, testing, surveying
• Leverage audit results, operational monitoring
• WIIFM: do it better next time!
Success Indicators
• 100% Compliance (or not!)
• Help desk calls/tickets
– Fewer password resets or data loss
– Fewer virus incidents
• Incident reports
Monitoring Compliance
• Tracking compliance involves assessing the status of the program
• Reports to identify gaps or problems
Example: US Government
• Total number of employees: 4,222,251
• Employees that received IT security awareness training: 3,427,756 (81%)
• Total number of employees with significant IT security responsibilities: 107,540
• Employees with significant responsibilities that received training: 88,939 (83%)
• Total cost of providing IT security training: $79,389,201
• SOURCE: Governmentwide Summary CIO Reports, OMB FY 2005 Report to Congress, 3/1/2006.
Case 1
• Mandatory:
– Federal Law requires employees [or contractors] using, managing or operating Federal computer systems to receive annual IT Security Awareness and Training.
• 4 Main online modules
• Certificate for each completed section
• Feedback form at end of course
Case 1 – Training Completed
Case 1 – Exceptions
• 68 users currently on the Training Exemption List who are not included in these totals:
– 53 of the 68 are new users who are still within their 2-week grace period
– The remaining 15 are medical, regular leave or mission-related exemptions
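As an added example (not part of the original deck), a compliance tally in the spirit of Case 1: users still inside the 2-week grace period and those with medical, leave or mission exemptions are kept out of the totals and reported separately. The User roster, the report date and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

GRACE_PERIOD = timedelta(weeks=2)  # the 2-week new-user grace period from Case 1
REPORT_DATE = date(2006, 3, 15)    # constructed report date (assumption)

@dataclass
class User:
    name: str
    start_date: date
    completed: bool = False          # finished this year's awareness course
    exemption: Optional[str] = None  # e.g. "Medical", "Leave", "Mission"

def classify(user: User, today: date) -> str:
    """Bucket one user: completed / overdue / grace (new user) / exempt."""
    if user.completed:
        return "completed"  # a finished course counts even for a new user
    if user.exemption:
        return "exempt"     # on the exemption list: left out of the totals
    if today - user.start_date < GRACE_PERIOD:
        return "grace"      # new user still inside the grace period
    return "overdue"

def compliance_report(users: List[User], today: date = REPORT_DATE) -> Dict[str, object]:
    """Completion rate over users actually required to have trained; the
    exemption list (grace-period and other exemptions) is reported separately."""
    counts = {"completed": 0, "overdue": 0, "grace": 0, "exempt": 0}
    by_reason: Dict[str, int] = {}
    for u in users:
        bucket = classify(u, today)
        counts[bucket] += 1
        if bucket == "exempt":
            by_reason[u.exemption] = by_reason.get(u.exemption, 0) + 1
    required = counts["completed"] + counts["overdue"]
    rate = counts["completed"] / required if required else 0.0
    return {**counts, "required": required, "compliance_rate": rate,
            "on_exemption_list": counts["grace"] + counts["exempt"],
            "exempt_by_reason": by_reason}

SAMPLE_USERS = [  # constructed roster, not real data
    User("alice", date(2004, 1, 10), completed=True),
    User("bob", date(2004, 5, 2)),                     # not done, no excuse: overdue
    User("carol", date(2006, 3, 6)),                   # 9 days in: grace period
    User("dave", date(2006, 2, 1)),                    # 42 days in: grace expired, overdue
    User("erin", date(2003, 9, 9), exemption="Medical"),
    User("grace", date(2006, 3, 10), completed=True),  # new but already finished
]

print(compliance_report(SAMPLE_USERS))  # 2 of 4 required users trained (50%), 2 on exemption list
```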
Case 2 Before
• Audit finding:
– Weaknesses in incident response, antivirus, and password knowledge were revealed by the survey.
– Most responders indicated that they had not received any security awareness training in the past year
• Recommendation
– We recommend that security awareness training be conducted for each employee.
Case 2 Plan
• IFC is conducting a mandatory Computer Based Training (CBT) program based on BS7799 standards, customized for all IFC information users
• IFC will continue to hold an annual Computer Security Day function to increase staff awareness
• IFC will host a national Peer Group Awareness Session for the Computer Security Institute.
Case 2 – Awareness Pilot
• IFC has piloted a Computer Based Training (CBT) program based on BS7799 standards and customized for IFC.
• The pilot was given to a cross section of IFC information users (190+) at HQ & Country Offices.
• Based on the success of the pilot it was decided through the ISC to proceed with the awareness program to all IFC information users.
Our Target Audiences
Deliverables: All Staff
Deliverables: IT Professionals
Deliverables: Sr. Managers
• Senior managers and executives have specific training needs
• Some possible solutions may include:
– Executive briefing sessions in appropriate forums
– A video presentation of key issues
– A short, focused e-learning program looking at organizational issues
Case 2 – Measure the effectiveness
[Timeline: T1 → CBT Sessions → T2]
• Baseline pre-perception assessment (Time 1) to measure the current staff’s perception of key security issues
• CBT: introduction of an independent variable, the Information Security Awareness Program
• Post-training perception assessment of Security Awareness after CBT (Time 2)
Population Sample
[Charts: Experimental Group (N=237) broken down by IFC HQ, IFC CO, WB HQ and WB CO; comparison group broken down by IFC HQ, IFC CO and WB HQ]
CBT followed by a second
Questionnaire
• A sample of employees split into two groups, a study and a comparison group
• The comparison group will control for other variables beyond the intended independent variable (the security awareness training)
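As an added example (not part of the original deck), the Time 1 / Time 2 design above carried through on constructed ratings: each item's change score for the study group, the same change for the comparison group, and the item ranking that the later "CHANGE Scores" chart is built on. The item names, the sample ratings and the net-of-comparison adjustment are assumptions.

```python
from statistics import mean
from typing import Dict, List, Tuple

# Each item maps to paired (Time 1, Time 2) ratings from the same respondent
# on the deck's 1..8 scale (8 = Of Utmost Importance, 1 = Somewhat Important).
Pairs = List[Tuple[int, int]]

def mean_change(pairs: Pairs) -> Tuple[float, float, float]:
    """Mean rating at Time 1, at Time 2, and the change score (T2 - T1)."""
    t1 = mean(p[0] for p in pairs)
    t2 = mean(p[1] for p in pairs)
    return t1, t2, t2 - t1

def rank_items_by_change(study: Dict[str, Pairs], comparison: Dict[str, Pairs]) -> List[dict]:
    """Rank items by the study group's change score; 'net' subtracts the
    comparison group's change so drift unrelated to the CBT is discounted."""
    rows = []
    for item, pairs in study.items():
        t1, t2, change = mean_change(pairs)
        c_change = mean_change(comparison[item])[2] if item in comparison else 0.0
        rows.append({"item": item, "t1": round(t1, 2), "t2": round(t2, 2),
                     "change": round(change, 2), "net": round(change - c_change, 2)})
    return sorted(rows, key=lambda r: r["change"], reverse=True)

def category_distribution(ratings: List[int]) -> Dict[int, float]:
    """Percentage of respondents in each response category 8..1 (one chart series)."""
    n = len(ratings)
    return {c: 100.0 * ratings.count(c) / n for c in range(8, 0, -1)}

# Constructed sample responses (not the IFC survey data); hypothetical item names.
STUDY = {
    "Data classification": [(3, 7), (4, 7), (2, 6), (5, 8)],
    "Password handling":   [(5, 7), (6, 8), (5, 7), (6, 6)],
    "Encryption":          [(4, 5), (5, 5), (3, 4), (4, 4)],
}
COMPARISON = {
    "Data classification": [(3, 3), (4, 4), (4, 5)],
    "Password handling":   [(5, 6), (6, 6), (5, 7)],
    "Encryption":          [(4, 4), (4, 5), (5, 4)],
}

if __name__ == "__main__":
    for row in rank_items_by_change(STUDY, COMPARISON):
        print(f"{row['item']:<20} T1={row['t1']:.2f} T2={row['t2']:.2f} "
              f"change={row['change']:+.2f} net={row['net']:+.2f}")
    print(category_distribution([p[1] for p in STUDY["Data classification"]]))
```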
Before & After
[Charts: Study Group Reaction to Questionnaire at Time 1 (N=193) and Study Group Reaction to CBT at Time 2 (N=193); y-axis: Response Percentage; x-axis: Questions; items: “Opened my eyes to potential problems”, “Opened my eyes to existing problems”]
Results:
Impact of CBT on Study Group
[Chart: Study Group Abbreviated Item Content Rank Ordered on Basis of Study Group’s CHANGE Scores; series: Time 1, Time 2, Comparison Group (N=73); y-axis: Percentage; x-axis: Response Categories 8 to 1 (8 = Of Utmost Importance; 1 = Somewhat Important)]
Change of Attitude Towards Security
[Chart: Response Percentage]
Change of Attitude Towards Monitoring
[Chart: Response Percentage]
What did staff tell us in the surveys?
[Chart, scale 0 to 30; themes: Good CBT, CBT Content, Supervised, Mandatory, Data Classification, Comments, CBT Navigation, Encryption, Password, Performance, F bldg. design]
Questions?
Email: Adrian@Mikeliunas.com
This is not the Beginning,
This is not the End,
But the End of the Beginning