    Security Awareness Program

    A CompTIA report of March/April 2007 indicated that human error is the principal cause of security breaches. In 2006, 60% of all security breaches experienced by organizations were due to human error. However, only 29% of these organizations required training for IT staff and 36% offered security awareness training to their employees.

    Employees are faced every day with creating and handling sensitive information such as customer and financial data. It is therefore essential that they understand the importance of information security and the consequences that could arise from a security breach.

    The goal of a security awareness program is to positively influence employee behavior by motivating them to protect their organization and the information they manage.

    A security awareness program is not a one-time project. It is a series of campaigns aimed at keeping information security at the forefront of employees' minds and instilling in them a sense of responsibility for the security of their own job function. A campaign may target general security considerations such as company policy and employee responsibilities, or it may address specific security areas such as anti-virus, spam, and password policy.

    Requirements for Creating an Effective Security Awareness Program

    A security awareness program cannot be organized in isolation. It requires active participation from all departments and solid support from executive management. There are four essential components of an effective security awareness program:

    1. Security Policy: A security awareness program is founded on the security policy. The success of the awareness program relies on the accuracy and completeness of the security policy in place at the organization.

    2. Executive Management Support: Executive management must be the promoter of the program and an active participant. Executive management should take charge of formally communicating the importance of the program throughout the organization. Without active management support, employees will not understand the significance of the program.

    3. Resources: Executive management is required to assign the necessary time, people, and funds to the program.

    4. Creativity and Humor: Security messaging should be humorous while still conveying the intended message. A lack of creativity and humor leads to boredom among employees, and they may even stop reading the messages altogether.

    Costs Involved

    Organizations should put aside up to 20% of the security budget towards the awareness program. The budget should be enough to cover at least the following expenses:

    •    The salary of the security awareness group (external consultants or in-house employees)
    •    The cost of the materials (slides, videos, etc.)
    •    The time invested in the promotion of the program
    •    The time spent by the target audience

    There are many cost-efficient yet effective tools that can be used in a security awareness program, such as videos, newsletters, brochures, booklets, signs, posters, coffee mugs, pens and pencils, note pads, stickers, and many others.

    Benefits of a Security Awareness Program

    A security awareness program helps create a “security culture” within an organization. Its numerous benefits include:

    •    Increased Employee Knowledge: Employees would begin to understand the reasons behind the security policy and the overall security stance of their organization. The number of errors and omissions would decrease because employees would be aware of the correct and secure behavior in any particular situation.

    •    Increased Protection: Employees would become more knowledgeable about protecting information. As a result, the number of incidents caused by external attackers would decrease, as would the cost of recovering data lost or altered during an incident.

    •    Compliance with Laws and Regulations: Laws and regulations such as the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX), and the Health Insurance Portability and Accountability Act (HIPAA) require organizations to implement a security awareness program.

    •    Increased Confidence of Customers and Partners: Customers and partners would feel safer knowing that they are dealing with an environment where employees seriously care about security.

    •    Increased Reputation: A security awareness program would give an organization a distinct competitive advantage and also enhance its reputation.

    Measure the Results

    Organizations should measure employee receptiveness and responsiveness after each security awareness campaign. This measurement can be used as a guideline to improve upcoming campaigns and assess the overall effectiveness of the awareness program. Common measurement tools include:

    •    Questionnaires
    •    Interviews
    •    Security audits
    •    Examination of employee performance

    The following metrics can be used to quantify the effectiveness of the security awareness program:

    •    Number of employees attending the training sessions
    •    Number of incidents before and after each campaign
    •    Number of employees reading documents, emails or web pages related to information security

    Evaluate the Organization’s Maturity Level

    The maturity level of an organization refers to how well the organization manages information security. A widely used ranking model is the COBIT Maturity Model, a six-point scale that allows an organization to grade itself from nonexistent (0) to optimized (5). The maturity level calculated with the COBIT Maturity Model can then be compared against international standards and industry best practices to identify the areas requiring improvement. A sample of standards and best practices, to get you started, is provided below:

    •    Control Objectives for Information and related Technology (COBIT)
    •    ISO/IEC 17799:2000, Information Technology – Code of Practice for Information Security Management
    •    ISO/IEC 13335, Information Technology – Guidelines for the Management of IT Security

    This entry was posted in Healthcare, Newsletters, Training.