Security Awareness and Training Program

Security Awareness and Training


Page 1: Security Awareness and Training

Security Awareness and Training Program

Page 2: Security Awareness and Training

Objectives of the security awareness program

• Employees recognize their responsibility for protecting the enterprise’s information assets

• Employees understand the value of information security

• Employees recognize potential violations and know who to contact

• The level of security awareness among existing employees remains high

Page 3: Security Awareness and Training

Protecting Enterprise’s Information Assets

• Employees must be told the who, what, where, when, why, and how of information security; from their point of view, they are only there to do their job.

• Information security must be presented to them as a function of their job.

Page 4: Security Awareness and Training

Employees Understand the Value of Information Security

• The next step is making the employee understand how information has value and that personal, legal, and financial losses as well as damage to reputation can occur if the information is not properly protected.

• The value of information is best conveyed through real-life examples that relate to how most employees operate.

Page 5: Security Awareness and Training

• Rather than complaining about necessary security functions, whose ultimate purpose is to protect the employee, the employee’s work, and the organization’s information and processing assets, it makes sense to find more efficient processes that give the employee both the opportunity to perform security functions and the time to perform the job.

Page 6: Security Awareness and Training

Employees Recognize Potential Violations and Know Who to Contact

• Key to educating a user is making that user aware of the warning signs to look for that indicate a potential security breach.

• Human nature makes most of us trusting.

• When someone unfamiliar is walking alone around the office, it is not typical that anyone would walk up to him, ask him who he is, and ask if he needs help.

Page 7: Security Awareness and Training

Training must include:

• Security policy (e-mail, Internet)

• Confidentiality, integrity, and availability

• User ID and password requirements

• Appropriate use of resources

• Virus scanning and reporting

• Social engineering

• Use of encryption

• Individual responsibility

• Information classification and handling

Page 8: Security Awareness and Training

• Threat by industry

• Incident reporting

• The information security organization

• Internet access

• Physical security

• Chain mail

• Information transmission, storage, and processing

• Information security programs

• Security monitoring programs

• Verbal communication in public

• Use of cellular phones

Page 9: Security Awareness and Training

The Level of Security Awareness among Existing Employees Remains High

• Training is more formalized, typically in a classroom or conference setting where the objective is to gain knowledge about a particular subject.

• Awareness is a passive mechanism that occurs through less formal methods such as posters, themes, and objects such as key rings and cups.

Page 10: Security Awareness and Training

Program Considerations

• Effectiveness is based on a long-term commitment of resources and funding

• Benefits are difficult to measure in the short term

• Scoping the target audience, both new and existing employees

• How to reach that audience effectively