The State of Information Security Awareness: Trends & Developments
Global Findings from the Ponemon Research Institute and Security Innovation
187 Ballardvale Street, Wilmington, MA
Table of Contents

Introduction
A. Training Goals
  TRAINING OBJECTIVES
B. Curriculum Development, Customization, Delivery
  CONTENT CUSTOMIZATION
  DELIVERY METHOD
  TRAINING DEVELOPMENT
  PROGRAM CUSTOMIZATION
  FREQUENCY OF UPDATES
  DURATION OF TRAINING
C. Measuring Results
  IMMEDIATE FEEDBACK
  MEASURING LONG-TERM EFFECTIVENESS
D. Plans for Training
  IMPLEMENTATION SCHEDULE AND BUDGET
  PROGRAM REQUIREMENTS
Summary
Appendix A Survey Respondents
Appendix B Detailed Survey Results
Introduction

Organizations of all sizes face serious challenges with online payment card security. Technical environments frequently change, best practices continually evolve, and industry standards are regularly updated - all while hackers and other criminals diligently develop new ways to cause trouble. Security awareness training programs have become a much higher, more accelerated priority for risk-sensitive employers, due in large part to the efforts of the PCI Security Standards Council and other global agencies that promote employee awareness to mitigate data security risk.

To better understand the extent to which organizations are educating employees about information security standards, Security Innovation commissioned a research study from Ponemon Institute, a leading independent research firm specializing in privacy, data protection and information security. Ponemon Institute surveyed a global sample of 3,089 IT and security professionals who are influential in their organization's PCI DSS compliance and/or audit activities. 45% of the respondents currently provide information security awareness training to their employees, while 55% do not (although as you will see, many of them plan to in the near future).

Qualified Responses*: 3,089
Currently Offer Training: 1,394 (45%)
Currently Do Not: 1,695 (55%)

This report presents information for each category: those who currently offer training, and those who do not yet. Because there was minimal variation between global regions, this report represents worldwide responses in aggregate. Below are the key findings of the 2014 Ponemon Institute Information Security Awareness Training Trends survey, and what they mean to the IT managers and decision makers responsible for ensuring the highest levels of data security within the enterprise.
PCI DSS and Security Awareness Training: Major Themes and Trends

Mitigating the Human Risk
Given the increase in information security threats, it's not surprising that 26% of organizations surveyed plan to roll out training programs in the coming year... and spend some serious money doing it.

There's Room for Improvement
Most managers and employees are less than satisfied with the training currently available within their organizations.

Short, Flexible and Online
Awareness training is most effective when available in short sessions, making computer-based training (CBT) the most popular approach for many companies.

It's not Just About Compliance
Although compliance is currently the single biggest driver of data security training, protecting sensitive data is rapidly growing in importance.

* Excludes incomplete responses or those considered invalid for other reasons.
A. Training Goals

It is impossible to understand, plan for, and properly measure the outcome of any training initiative without first understanding its context or purpose. Knowing whether an organization is required to satisfy a set of industry regulations, needs to improve customer experience, or has some other reason for employee education, is the first step in implementing a relevant, effective training strategy.

TRAINING OBJECTIVES

Ensuring compliance with PCI requirements and advancing good data security practices are two of the main drivers of data security awareness training.

Ensuring compliance with PCI requirements (specifically requirement 12.6 of the PCI DSS) is the predominant goal of security awareness training for companies who currently offer it. This aligns with an increased emphasis on security awareness training as reflected in the latest version (v3.0) of the PCI DSS standard.

PCI Data Security Standard v3.0 requirement 12.6
Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security. If personnel are not educated about their security responsibilities, security safeguards and processes that have been implemented may become ineffective through errors or intentional actions.

The Ponemon study also shows that a significant number of organizations implement programs to improve their overall level of data security. This quickly growing trend stems from an increase in the number and severity of security threats, and encompasses objectives such as advancing good data security practices, preventing information loss or theft, preventing reputation or brand damage, and changing employee behaviors.

Question: What is the primary purpose of PCI DSS or other security awareness training? (select the top two)
Note: Percentages total 200% due to allowing two answers from each of the 1,394 respondents.
B. Curriculum Development, Customization, Delivery

Once the training objectives are understood, the next step is to make some decisions about the curriculum itself, and how it will be delivered to employees.

CONTENT CUSTOMIZATION

Of the respondents who do provide training, 38% adapt the content to fit employees' job functions. Of that group, 45% stated that IT professionals are the most likely to receive customized training.

Each job function or role requires different types of information, and very few technical training programs are applied equally across employee roles. For instance, when it comes to information security practices, management and administrative teams may require merely a broad awareness of the subject matter. Conversely, the technical IT team, which is typically responsible for critical infrastructure and support systems, needs customized (and possibly more frequent) training to recognize and manage new threats and attacks.

In some cases, increasingly granular distinctions in job responsibility drive further training customization within the IT department. Where some employees focus on hardware and networking, for example, others may be solely responsible for Internet-dependent transactions or application deployment.

In these cases, focused awareness training can be developed using a tiered approach: all employees receive general content; the IT department receives a more technical layer; and the Web or Networking teams get even more specific material related to secure coding and/or the technologies they use. An effective program builds the right level of detail for each group of constituents using this layering approach, building upon foundational concepts that are relevant and timely for each role.

[Figure: tiered training layers. All Employees; IT Department Only; Web Team, Networking Team, etc.]
[Figure: bar chart of functions that receive customized training. Categories: IT; internal audit or risk management; senior or middle management; customer-facing people; finance & accounting (10%); other (13%).]

Question: Which functions receive customized training? (check all that apply)
Note: Percentages do not total 100% due to the potential for multiple answers from each respondent.
DELIVERY METHOD

Most companies who offer PCI DSS training deliver it via computer-based training (CBT).

In addition to content customization, the learning platform itself should be tailored to specific organizational roles and training goals. There are many ways to train employees, but the Ponemon survey results show CBT to be the most popular method of delivery, which supports the need for frequent curriculum updates and short education sessions. And because the timeframe for rolling out training for many companies is within 6 months, quick development and deployment are important.

However, CBT is not the only effective method, and it is not the right solution for all training needs. Effective organizations assess their training audience and goals, and then evaluate all delivery options before assuming one method of training is better than the rest. It is not uncommon for companies with more complex training requirements to implement a hybrid program consisting of multiple delivery options which can include instructor-led courses, virtual instructor-led courses, recorded live presentations, static slide decks, and many others. Additionally, companies leverage newsletters, updates, posters and other reinforcement assets to keep security in the forefront of their staff's minds.

[Figure: Training Formats]

Question: How is your organization's PCI DSS training delivered? (check all that apply)
Note: Percentages do not total 100% due to the potential for multiple answers from each respondent.
TRAINING DEVELOPMENT

About half of the organizations that currently provide training for their employees procure it from a third-party vendor, rather than developing a program in-house.

Developing, implementing and tracking an information security awareness training program usually requires a significant investment in both staff and technology. Many organizations don't have the internal resources to devote to this endeavor; therefore, they partner with external organizations to make sure employees are trained effectively on the most current threat information.

What to Look for when Selecting a Third-Party CBT Vendor
Meeting PCI DSS requirements.

PCI DSS compliance is as important for small companies as it is for enterprises, but they operate with fewer resources and smaller budgets, so outsourcing is often the best option for them. According to a 2011 study from the American Society for Training and Development (ASTD) [1], smaller organizations (fewer than 500 employees) spent almost twice as much per employee on training as large companies (more than 10,000 employees), or $1,605 vs. $825, respectively. It's logical to assume that ASTD's explanation for this phenomenon applies to the information security industry: The cost to develop and administer an hour of training at a large corporation is spread among many more employees than at a small organization with fewer employees.

[1] American Society for Training and Development, ASTD 2012 State of the Industry Report: Organizations Continue to Invest in Workplace Learning, November 8, 2012.
PROGRAM CUSTOMIZATION

Of the companies that currently provide formal training to employees via externally developed CBT programs, most have it customized with content or branding unique to their organization.

Companies frequently outsource training program development to a third party, but often the curriculum must comprise unique content about the company's equipment or industry. It's not uncommon for organizations to require training about a unique process or custom hardware. And in many cases, they must satisfy niche industry regulations that necessitate specialized subject matter.

Even when the training curriculum does not require customization, many companies incorporate internal product and program lingo into the instructional content, questions and answers, giving employees an increased sense of relevance. This technique is effective in any situation where the goal is to personally engage the user.

Regardless of whether the training content itself reflects customization, it is usually branded with the organization's logo or other internally recognized imagery, reinforcing employees' perception of corporate endorsement or validation. This subtly helps underscore the message that the company believes in the importance of this training initiative, and considers it to be a significant part of the corporate culture. Without this message, participants may feel the training is strictly a formality and as a result, may not pay as close attention as they would if they recognized it as a management-sponsored initiative. Furthermore, many companies brand everything they publish internally or externally, if only to further establish brand strength.

[Figure: bar chart of CBT customization types. Category labels: Our company's logo; Partially customized for company-specific content; Fully customized for company-unique regulations, equipment, etc.; Other custom features. Bar values as extracted: 69%, 64%, 32%, 29%.]

Question: Did the computer-based training feature any of the following types of customization? (check all that apply)
Note: Percentages do not total 100% due to the potential for multiple answers from each respondent.
FREQUENCY OF UPDATES

Most respondents who provide training said the curriculum is updated at least once per year.

Because data security is an extremely dynamic issue, employee training on security threats, recent attacks and industry trends must be current. The Ponemon research shows that 21% of companies who offer security awareness training update the curriculum more than once per year, and another 40% update it about once per year. Many content changes reflect developments in the data security industry, such as technologies, threats, policies and more. Since it doesn't take long for security awareness content to become obsolete, organizations must be able to disseminate updated material easily. The variability of data security training content makes it ideal for on-line CBT delivery, since updates can be rolled out easily and quickly.

Question: How often is the security training curriculum changed or updated?

DURATION OF TRAINING

More than half said their PCI DSS training contains less than 30 minutes of material.

The advantage of focused, short modules is that they allow bite-sized learning sessions that fit well into employee schedules. This works well, as long as employees get what they need to ensure the appropriate level of data security for the company. In addition, a long session that covers an exhaustive list of problems and solutions won't be useful when a specific issue crops up and the employee can't readily access the right information. When it comes to compliance, quite often the most effective training support consists of short CBT modules, with access to reference materials, trainers and other subject matter experts when real-time issues arise.

Question: On average, how long does it take employees to complete the PCI DSS training?

A secondary risk is that a short training program may not have as high a perceived value as something more involved. As a result, it is incumbent upon every organization to convey the importance of the initiative, and to ensure the curriculum is comprehensive.
C. Measuring Results

Given the importance of information security awareness, as well as the corporate investment of time and money that goes into training, measurement of success is critical. Organizations should evaluate whether their training program contains the right content and uses the right approach, so that any necessary adjustments can be made, thus ensuring the highest possible return on investment (ROI).

IMMEDIATE FEEDBACK

Most organizations that currently provide formal PCI DSS training measure the impact upon program completion.

Gathering immediate subjective feedback about the training program is important because a significant element of immediate and long-term training completion and success is participant satisfaction. Asking mostly multiple-choice and a few simple open-ended questions typically gives the review team the information needed: Was the program easy to follow? Did the curriculum seem applicable to the job at hand? Did you feel the time it took was well spent? How could it be better?

Employee Satisfaction
58% of survey respondents reported employees were not fully satisfied with existing PCI DSS security training.

Regardless of whether a company surveys or tests the employees (or uses another means of measuring the session's immediate impact), it's important they take the next step by communicating the participants' feedback to the management and tactical teams responsible for training, either via an informal brainstorm session, a data-heavy report, or something in between.

The final crucial step is acting on the feedback. Even if a third party developed the training program, organizations should be able to work closely with them to make adjustments. By gathering, sharing and acting on participant feedback, the training experience can be more positive and effective.

Question: How does your organization measure the impact of its PCI DSS training?
MEASURING LONG-TERM EFFECTIVENESS

38% of organizations track the long-term effectiveness of their PCI DSS training programs, and of those, more look at reductions in non-compliance incidents than any other indicator.

Although it's important to get employee feedback about the content and curriculum, the success of any information security awareness program must be tied back to the goals of increasing the level of PCI DSS and other compliance mandates, as well as a demonstrable reduction in attacks.

If a training initiative falls short of reaching the organization's objectives (e.g., x% fewer compliance incidents over a y-month period), it can sometimes help to incorporate learning milestones. Employees are often more motivated to learn - and retain knowledge - when the training isn't treated as just a check box activity.

Employer Satisfaction
64% of survey respondents reported being less than fully satisfied with existing PCI DSS security training.

Although only 38% of survey respondents say they measure the long-term effectiveness of their PCI DSS training, measurable milestones throughout a training effort are an easy way to show progress, and to share individual accomplishments within the team.

Question: Does your organization use the following metrics to track the long-term effectiveness of its PCI DSS training?
D. Plans for Training

With an increased focus on Information Security Awareness training in the new version of the PCI DSS, many organizations that don't currently provide training are feeling the need to formalize their programs and ensure applicable staff members are trained.

IMPLEMENTATION SCHEDULE AND BUDGET

Of the companies who do not currently have a formal training program but plan to develop one, 26% expect to do so in Many of these organizations will spend a significant amount of money ensuring their employees receive the right training.

Many organizations now prioritize employee security awareness training more than they have in the past. This is not surprising given the level of risk in today's online payment environment. And because most of these companies employ thousands of people, the training budgets are reaching into the hundreds of thousands of dollars in many cases.

When to implement
  Immediately: 5%
  Within 6 months: 24%
  Within 1 year: 35%
  More than a year: 25%
  Don't know: 11%

Question: What best describes the timeframe for starting the deployment of a formal security training or awareness program?

Budget
  None: 5%
  < $50,000: 12%
  $50,000 to $100,000: 11%
  $100,001 to $250,000: 11%
  $250,001 to $500,000: 21%
  $500,001 to $1,000,000: 27%
  More than $1,000,000: 14%

Question: What is the total cost of ownership budgeted for the new security training or awareness program? (excludes employees' direct labor costs)
PROGRAM REQUIREMENTS

For the organizations who don't currently offer a formal training program but who plan to deploy one in the future, most will require the ability for training to be delivered through an extranet portal, incorporate social media and , and be delivered on-line.

The most important criterion when developing employee training strategies is ensuring access to training via an extranet portal, making it easily available wherever an employee has a web browser and Internet connection. Organizations also benefit from being able to centralize training deployment for ease of content updates (this regularly applies to information security awareness training) and tracking. In some cases, portals also offer a collaborative environment, encouraging participants to work together and share information.

As in almost every other area of business communications, the use of social media is growing quickly. As the Ponemon survey data shows, many companies are building it into what is increasingly considered a social learning model. Organizations who use social media platforms to share information internally via an intranet can apply the same approach for sharing information security awareness content. Social media communities also enhance online coursework by making information sharing and collaboration easier, and can be helpful as an ongoing reference resource.

The use of and newsletters is the next most common requirement for awareness training. This is not surprising, given the ubiquitous nature and low cost of this method of communication. Sharing processes, standards and other updates by push communication lets an organization get the information to the right audience quickly and consistently.

Computer-Based Training (CBT) is the final of the top criteria when developing a new security training or awareness program. This correlates to a previous finding, which showed that the vast majority of training is already delivered this way. It's scalable, more cost-effective and convenient than classroom training, and is easy to update.

Question: What are the requirements for the new security training or awareness program? (check all that apply)
Note: Percentages do not total 100% due to the potential for multiple answers from each respondent.
Summary

Today's information security landscape is in constant flux, and IT professionals have learned to anticipate change of all kinds: new threats, new risks, new technologies, and new processes. Employee training is one of the most effective tools to combat this onslaught of attacks and to remain in compliance with PCI DSS and other industry compliance mandates and standards.

To summarize, the results of the 2014 Ponemon Institute Information Security Awareness Training Trends survey illustrate the current state of employee training in the payment card industry via the following key findings:

1. Improving overall security and ensuring compliance with PCI requirements are the two most common drivers of data security awareness training.
2. Within organizations that offer training tailored to job function, IT departments receive the most customized PCI DSS curriculum.
3. Most companies who offer PCI DSS training deliver it via computer-based training (CBT).
4. About half of the organizations that provide training via CBT lean on third-party vendors for development of the programs.
5. Most organizations customize their externally developed training curriculum with content that is relevant to their organization.
6. Most of the respondents who provide formal training indicated their curriculum is updated at least once per year.
7. Most survey respondents say their PCI DSS training takes less than half an hour to complete.
8. The predominant requirements for a new training program are that it is accessible through an extranet portal, includes social media and , and is primarily computer based.
9. More than two-thirds of organizations measure the immediate impact of their PCI DSS training using employee tests or satisfaction surveys upon program completion.
10. The most popular way for organizations to measure the long-term effectiveness of their PCI DSS training is by tracking reductions in non-compliance incidents.
11. Most companies who offer formal training programs update the content regularly.
12. About two-thirds of companies who offer a formal program currently train less than a quarter of their workforce.
13. More than a quarter of companies who don't currently offer a formal training program plan to roll one out in Of the companies that plan to implement a new training program, about three-quarters plan to spend over $100,000 and many of them will spend over $500,000.

With the right attention to content delivery method, customization, and measurement, organizations can achieve and maintain compliance with PCI DSS and other standards, while making the most of training budgets and employees' time.
Appendix A Survey Respondents

In November 2013, the Ponemon Institute collected 3,089 responses to their online PCI Awareness Training Survey. Following is a breakdown of the participants by various categories.

Global Region
  N. America: 32%
  EMEA: 29%
  Asia-Pacific: 23%
  Latin America: 16%

Annual Transactions
  Over 6 million (Tier 1): 35%
  1 to 6 million (Tier 2): 46%
  Less than 1 million (Tiers 3, 4): 17%
  Credit card issuer or service provider: 3%

Job Position
  Staff/technician: 33%
  Manager: 21%
  Director: 16%
  Supervisor: 13%
  Admin: 6%
  Consultant/contractor: 3%
  C-level executive/VP: 3%
  Business owner: 2%
  Other: 2%

Employee Headcount
  Less than %
  500 to 1,000: 19%
  1,001 to 5,000: 20%
  5,001 to 10,000: 20%
  10,001 to 25,000: 24%
  More than 25,000: 7%

Primary Industry Classification
  Ecommerce: 12%
  Retail: 8%
  Financial Other: 7%
  Consumer products: 7%
  Public sector: 7%
  Services: 7%
  Industrial / manufacturing: 6%
  Entertainment / publishing: 5%
  Health / pharmaceutical: 5%
  Technology / software: 5%
  Automotive: 4%
  Communications: 4%
  Education & research: 4%
  Logistics / distribution: 4%
  Non-profit: 4%
  Other: 4%
  Financial Service provider: 3%
  Airlines: 3%
Appendix B Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in November

Global Sample 3,089

Screen question

S1. What best describes your level of involvement in PCI DSS training, compliance and/or audit activities within your organization?
Freq Pct%
  Very significant %
  Significant %
  Some %
  Minimal or none (stop) 0 0%
  Total %

Part 1. PCI DSS training & awareness programs

Q1. What best describes your role in managing the IT security function or activities within your organization? Check all that apply.
Freq Pct%
  Setting IT security priorities %
  Administering security programs %
  Managing IT security budgets %
  Selecting vendors and contractors %
  Determining IT security strategy %
  Evaluating program performance %
  None of the above (stop) 0 0%

Q2. In your role, how much responsibility do you have for IT security training activities?
Freq Pct%
  Full or primary responsibility %
  Some or secondary responsibility %
  Minimal or no responsibility 285 9%
  Total %

Q3. Does your organization have a PCI DSS training or other security awareness program?
Freq Pct%
  Yes
  No [Go to Part 2] %
  Total %

Q4. What best describes your level of satisfaction with existing PCI DSS security training or awareness activities?
Freq Pct%
  Very satisfied %
  Satisfied %
  Somewhat satisfied %
  Not satisfied %
  Total %
Q5. What best describes employees' satisfaction with their existing PCI DSS security training or awareness activities?
Freq Pct%
  Very satisfied %
  Satisfied %
  Somewhat satisfied %
  Not satisfied %
  Total %

Q6. What percentage of your total workforce participated in a basic IT security training program within the past 12 months?
Freq Pct%
  < 10% %
  10 to 25% %
  26 to 50% %
  51 to 75% %
  76 to 100% 71 5%
  Total %

Q7. What percentage of your total workforce participated in a security training program that specifically focused on PCI DSS requirements within the past 12 months?
Freq Pct%
  < 10% %
  10 to 25% %
  26 to 50% %
  51 to 75% %
  76 to 100% 39 3%
  Total %

Q8. How is your organization's PCI DSS training delivered? Please check all that apply.
Freq Pct%
  Computer-based training %
  Classroom training %
  updates/newsletter %
  Extranet or internal web site %
  Social media 109 8%
  Posters %
  Other %

Q9. If the training is computer based, what features does it include? Please check all that apply.
Freq Pct%
  Audio %
  Animation %
  Live action video vignettes %
  Tests or quizzes %
  Games %
  Other 58 6%

Q10a. Did a third party (contractor or vendor) produce the computer-based training used by your organization?
Freq Pct%
  Yes %
  No %
  Total %
Q10b. If yes, did the computer-based training feature any of the following? Please check all that apply.
Freq Pct%
  Our company's logo %
  Partially customized content to be relevant to our company %
  Fully customized content to cover our company's unique regulations, specific equipment, specific environmental and facility factors %
  Other custom features %
  None of the above %

Q11. On average, how long does it take employees to complete the PCI DSS training?
Freq Pct%
  < 15 minutes %
  15 to 30 minutes %
  31 to 60 minutes %
  More than one hour %
  Total %

Q12. Is the PCI DSS training delivered in a single session or spread over the year?
Freq Pct%
  One time %
  Once a year %
  Quarterly %
  Monthly %
  Other 36 3%
  Total %

Q13. When does your organization deliver the bulk of its security awareness and/or PCI DSS training?
Freq Pct%
  January through March 117 8%
  April through June %
  July through September %
  October through December %
  Staggered, different times for different groups %
  Total %

Q14. How often is the security training curriculum changed or updated?
Freq Pct%
  Never or infrequently %
  Approximately once each year %
  More than once each year %
  Unsure %
  Total %

Q15. If computer-based training is used, are PCI DSS training sessions hosted on your organization's in-house learning management system or in the cloud?
Freq Pct%
  On our own learning management system %
  In the cloud or on vendor servers %
  Combination (hybrid) %
  Total %
Q16a. Is the content for PCI DSS training different or adapted for the employees' specific job function?
Freq Pct%
  Yes %
  No %
  Total %

Q16b. If yes, which functions receive customized training? Please check all that apply.
Freq Pct%
  Finance & accounting 55 10%
  Information technology %
  Senior or middle management %
  Internal audit or risk management %
  Customer facing people (Sales, support, etc.) %
  Other 68 13%

Q17. What topics are covered in the PCI DSS training program? Please check all that apply.
Freq Pct%
  security %
  Use of the Internet %
  Use of social media %
  Desktop security %
  Mobile device security %
  Password and other authentication methods %
  Working from home and remote locations %
  Classification of sensitive information %
  Proper handling of sensitive information %
  Proper handling and destruction of paper documents %
  Physical security measures such as securing away sensitive information and devices %
  Safe disposal of computing equipment %

Q18. What is the primary purpose of PCI DSS or other security awareness training? Please check the top two choices only.
Choice 1 Choice 2 Combined Pct%
  Ensuring compliance with internal policies and procedures %
  Ensuring compliance with PCI requirements %
  Ensuring compliance with another regulation (please specify) %
  Advancing good data security practices %
  Preventing information loss or theft %
  Preventing reputation or brand damage %
  Changing employee behaviors %
  Other %
  Total %

Q19. How does your organization measure the impact of its PCI DSS training?
Freq Pct%
  Survey employee about their satisfaction with the training %
  Test or quiz employees following training %
  Conduct phishing tests internally or with partner %
  Conduct social engineering tests internally or with partner 126 9%
  None of the above 116 8%
  Other 69 5%
  Total %
TELSTRA CYBER SECURITY REPORT 2014 Security insights, trends and impact to Australian organisations EXECUTIVE SUMMARY The internet presents a world of social connectivity, economic growth and endless opportunities
Predictive Analytics The Right Tool for Tough Times February 2010 David White Page 2 Executive Summary Enterprises are under pressure to predict the future behavior of customers and potential customers,
C o m m i t t e e o f S p o n s o r i n g O r g a n i z a t i o n s o f t h e T r e a d w a y C o m m i s s i o n G o v e r n a n c e a n d I n t e r n a l C o n t r o l C O S O I N T H E C Y B E R A G
Standards for Internal Control in New York State Government October 2007 Thomas P. DiNapoli State Comptroller A MESSAGE FROM STATE COMPTROLLER THOMAS P. DINAPOLI My Fellow Public Servants: For over twenty
2013 INFORMATION SECURITY BREACHES SURVEY Technical Report Survey conducted by In association with INFORMATION SECURITY BREACHES SURVEY 2013 technical report Commissioned by: The Department for Business,
Cyber risk in retail Protecting the retail business to secure tomorrow s growth Table of contents Foreword 3 Four issues come to the fore 4 Compliance does not always equal risk management 5 Breach response
Growing Business Dependence on the Internet New Risks Require CEO Action September 2007 Business Roundtable (www.businessroundtable.org) is an association of chief executive officers of leading U.S. companies
CYBERSECURITY WORKFORCE DEVELOPMENT MATRIX RESOURCE GUIDE October 2011 CIO.GOV Workforce Development Matrix Resource Guide 1 Table of Contents Introduction & Purpose... 2 The Workforce Development Matrix
Notes: - All dollars in this publication denote U.S. dollars unless otherwise stipulated. - Travel manager and travel buyer are used interchangeably to refer to any manager from any department responsible
Unlocking the business value of social, mobile, cloud and big data How businesses are turning to Managed Service Providers to optimize transformative technologies June 2013 Contents Scope of research/methodology
September 9, 2008 The Emerging M&A Management Tools Market by Daniel Krauss and Pascal Matzke for Vendor Strategy Professionals Making Leaders Successful Every Day September 9, 2008 The Emerging M&A Management
Outsourcing Network Support: The Surprising Strategy That Helps You Spend Less for Higher Uptime How small and medium-sized businesses (SMBs) are outsourcing network support to reduce spending, improve
Practice guide evaluating ethics-related PrograMs and activities JuNe 2012 Table of Contents Executive Summary... 1 Introduction... 2 D e fini tions... 2 Responsibilities for Ethical Climate... 3 Considerations