Effective Security Awareness. Workshop Report

Effective Security Awareness: Workshop Report, April 2002

Figure 1: Process for effective security awareness

1. Set objective for security awareness
   1.1 Identify security awareness problems
   1.2 Set high-level programme objective
   1.3 Set specific campaign goals
   1.4 Define & establish campaign metrics
2. Scope and design security awareness programme
   2.1 Perform stakeholder analysis
   2.2 Identify driving and resisting forces
   2.3 Identify appropriate action steps
3. Develop and deliver security awareness campaigns
   3.1 Define security awareness messages
   3.2 Unfreeze existing behaviour
   3.3 Deliver messages
   3.4 Refreeze new behaviour
4. Evaluate effectiveness of campaigns
   4.1 Evaluate campaign effectiveness
   4.2 Revise campaign / programme
   4.3 Run further campaigns

Executive Summary

Data from the Forum's Information Security Status Survey indicates that most Members believe that the effectiveness of their security awareness initiatives does not rate especially highly, and that more than four out of five feel they do not commit sufficient time and resources to their awareness activities. These concerns, combined with comments from many Member organisations that security awareness activities often fail to deliver a lasting behaviour change, were addressed during a series of eight workshops run by the Forum on the topic of Effective Security Awareness.

At the workshops, Members agreed that awareness initiatives often fail because they:

- are not managed as a formal programme of work, and lack formal objectives, a business sponsor or the necessary resources for their successful completion
- are not aimed at specific business problems, but instead stem from a belief that awareness needs to be raised
- do not use specialised awareness materials
- do not incorporate a mechanism for assessing security behaviour, instead looking at security knowledge.

In order to address these issues, the workshops examined a process developed by the Forum to deliver lasting behavioural change, based on the concept of effective security awareness. The process, shown in Figure 1 opposite, is derived from a proven approach that facilitates a positive change in behaviour by examining the forces driving and resisting that change. The key stages of the process are to:

- set a clear, measurable objective for security awareness activities
- create a structured programme of awareness work that includes one or more campaigns, where each campaign has a goal to change an aspect of security behaviour
- develop and deliver the awareness messages, and ensure that the desired security-positive behaviour is maintained
- measure the effectiveness of the awareness campaigns to confirm the change to security-positive behaviour, and revise and repeat the awareness campaigns if necessary.

The key findings of this project are important for anyone planning or managing information security awareness activities. They provide a unique insight into a new process for planning and implementing security-positive behaviour change.

WARNING

This document is confidential and purely for the attention of and use by organisations that are Members of the Information Security Forum (ISF). If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on info@securityforum.org or on +44 (0) Any storage or use of this document by organisations which are not Members of the ISF is not permitted and strictly prohibited. This document has been produced with care and to the best of our ability. However, the Information Security Forum accepts no responsibility for any problems or incidents arising from its use.

Table of contents

Part 1: Introduction
- This report
- Purpose of this report
- Who should read it

Part 2: Basis for this report
- Background
- Validity of the effective security awareness process

Part 3: Security awareness
- What is security awareness?
- The importance of security awareness
- A traditional model for security awareness
- Key issues
- Extent of awareness activities
- Drivers for security awareness
- Objective of awareness activities
- Sponsorship of awareness activities
- Awareness topics
- Effectiveness of the traditional model
- Commitment to delivering awareness

Part 4: From awareness to behaviour change
- The need for a new awareness model
- Influencing risk perception
- The impact of organisation culture
- Reluctance to change
- Creating security-positive behaviour
- The importance of equilibrium
- Maintaining security-positive behaviour

Part 5: Effective security awareness
- What is effective security awareness?
- A new approach to security awareness
- Stage One: Set objective for security awareness
- Stage Two: Scope and design security awareness programme
- Stage Three: Develop and deliver security awareness campaigns
- Stage Four: Evaluate effectiveness of campaigns
- Summary

Part 6: Conclusions and next steps
- Conclusions
- How the process addresses the key issues
- Next steps: Recommendations for further work

Figure 2: Definition of effective security awareness

Effective security awareness is achieved through an ongoing process of learning that is meaningful to recipients, and delivers measurable benefits to the organisation from lasting behavioural change.

Notes on the definition:

- Ongoing: Security awareness must be delivered through an ongoing, continuous programme of work, as opposed to a finite set of activities that stop and are not continued.
- Meaningful: The key messages, tone and approach of the programme must be relevant to the audience and consistent with their values and goals. If security is perceived as a hindrance to their own personal activities, then the message will carry little meaning.
- Measurable: The benefits of awareness activities must be quantifiable in order to determine value for money and whether the programme itself is successful in achieving its objectives.
- Lasting: The awareness programme should not only result in a security-positive change in behaviour, but that change should last longer than the programme itself.

Part 1: Introduction

This report

Purpose of this report

Many organisations run security awareness programmes in order to encourage security-positive behaviour in their employees, but these programmes often fail to deliver any lasting benefit. This leads many organisations to query:

- whether it is possible to create a change in staff attitude to security that has sustainable, quantifiable benefits for the organisation
- what the success factors are that make for an effective security awareness programme.

In order to provide Members with a fresh perspective on this topic, the Forum ran a series of workshops on Effective Security Awareness. The definition for effective security awareness, shown in Figure 2 opposite, was validated by Members at all of the workshops. This concept of effective security awareness is explored throughout this report, and the definition is described in greater detail in Part 5, Effective security awareness.

The purpose of this report is to assist Members in their goal of making effective, positive and lasting change in security behaviour through awareness. The report does this by:

- documenting Members' experiences of security awareness and the lessons they have learnt, both from material collected from Members before the workshops and from know-how shared at the events themselves
- setting out the principles of an effective security awareness campaign, in particular by examining closely the issues associated with getting people to change their behaviour
- providing a process for awareness that Members may wish to consider in order to become agents of positive change within their organisations.

Who should read it

This report is aimed primarily at information security professionals, but is also intended for any individual within a Member organisation with an interest in or responsibility for the development or delivery of security awareness programmes or materials. The reader should have some familiarity with security awareness techniques prior to reading this report.

WARNING: This report is not intended to be a full Forum report and has not involved the detailed level of analysis that would be normal for such a document.

Part 2: Basis for this report

Background

In 1993, the Forum published an Implementation Guide on How to make your organisation aware of IT security. The Implementation Guide provides a comprehensive framework for the planning and implementation of an IT security awareness programme. Since the publication of the Implementation Guide, both security technology and the management approach to security have changed significantly; for example, the Internet has become an important enterprise resource, and security standards have been developed to manage its threat to enterprise security. These new controls require end users to adopt new security behaviours, which in turn require new security awareness initiatives.

The Forum therefore decided to run a series of workshops to explore how Members are addressing the subject of security awareness now, and what the critical success factors are for an effective security awareness programme. To prepare for the workshops, the Forum drew upon a range of information sources, including:

- previous Forum reports, including Information Security Culture: A preliminary investigation and Driving Information Risk Out of the Business
- results from the Information Security Status Survey
- research by the project team
- results from a questionnaire of participating Members
- presentations by Members at the workshops
- case studies of Members' security awareness experiences.

These information sources were used to define and develop the workshop contents, and are described in greater detail below and on the following pages.

Previous Forum reports

The Forum has already produced several reports that are relevant to an information security awareness programme. The current workshop report complements the existing materials, details of which are shown in Table 1 opposite:

Table 1: Previous security awareness reports

Document: It Could Happen to You: A Profile of Major Incidents (2000)
Summary: This report contains details of 13 information incidents that had a major impact on Member organisations. The incidents provide valuable examples for use within a security awareness programme by providing:
- a realistic view of the range of events that can compromise business information
- insights into their causes and their business impact
- practical suggestions for action to prevent recurrence of the incidents.

Document: Information Security Culture: A preliminary investigation (2000)
Summary: This report presents the results of a preliminary investigation into the nature of an organisation's culture and its importance in determining the level of information security in that organisation.

Document: Driving Information Risk Out of the Business (1999)
Summary: This report presents quantified information about the business risks of breakdowns in information security. It is based on the results of the Information Security Status Survey and other quantitative research. It also presents a framework for action, designed to help Members strengthen their information security arrangements and bring risks down to an acceptable level.

Document: The Impact of Security Management (1999)
Summary: This is one of a series of publications arising from the results of the Forum's 1998/99 Information Security Status Survey. The report focuses on the arrangements made to promote good information security practices (eg security organisation, programmes and resources). It identifies what organisational arrangements and resources are required, measures the impact of individual programmes and outlines what individual Members can do to strengthen their existing arrangements, thereby maximising the contribution they make to business success.

Document: How to make your organisation aware of IT security (1993)
Summary: This report is aimed at all organisations that wish to start or improve their security awareness programmes. It sets out a method for developing and delivering security awareness campaigns, and provides tips on how to ensure the success of those campaigns.

This list does not cover all of the Forum's awareness documentation; in particular, valuable material is available in The Forum's Standard of Good Practice.

The Forum's Information Security Status Survey

The Forum's Information Security Status Survey ("the Survey") allows Members to complete a detailed questionnaire at intervals of their choosing and obtain a thorough analysis of their information security status, giving a clear picture of performance across all aspects of information security. Security awareness is one of the sets of controls probed by the Survey. The Forum drew upon the Survey results database to determine the impact of security awareness on the overall level of security. These results are presented at relevant points within Part 5, Effective security awareness.

Research

The project team called upon the resources of vendors, service providers and media reports in order to research the workshop contents. To ensure that this research was valid and provided a fresh perspective on the subject, the team was joined by Dr John Maule, Director of the Centre of Decision Research and Senior Lecturer in Management Decision Making at Leeds University Business School. Dr Maule has an international reputation in research on human decision making and risk taking, focusing in particular on the mental models that underlie strategic choice, the effects of time pressure and stress, and various aspects of human risk taking, including how to communicate risk. Dr Maule contributed to the research, and presented at five of the eight workshops.

The questionnaire

Prior to the workshops, participants were asked to complete a questionnaire about their opinions of security awareness and the effectiveness of awareness in their organisations. A total of 80 individuals from 72 Member organisations completed the questionnaire, the results of which are presented at relevant points within this report. The questionnaire, and its consolidated results, are available on the Forum's Member Exchange (MX) System, as are copies of the presentations, workshop packs and workbooks.

Member presentations

Eight Effective Security Awareness workshops were held. Participants had the opportunity to share experiences, issues and ideas for effective security awareness. They also worked through the Effective Security Awareness process described later in this report using examples from their own organisations. Each workshop included presentations from Members, as detailed in Table 2 opposite:

Table 2: Workshop presentations (Venue, Date; Presentation: Topic)

Copenhagen, 5 September 2001
- Per Verdelin, TDC Services: The Elements of an Awareness Project
- Melle Beverwijk, Infosecure: Awareness Programme for Information Security

Dublin, 6 September 2001
- Martina Costelloe, AIB: Security Awareness
- Jim Sheridan, British Airways: The Chameleon Programme

London, 10 September 2001
- Steve Pomfret, Nationwide Building Society: Security Awareness
- Amanda Finch, Marks & Spencer: Development of an Awareness CBT Campaign at M&SFS

Cheshire, 25 September 2001
- John Wall, Clerical Medical: Changing Staff Attitudes
- Martin Whitehead, The Co-operative Bank: Staff Awareness

London, 26 September 2001
- Mark Goddard, Friends Provident: Experiences From The Front Line
- Adrian Wright, Reuters: A CBT System for Security Awareness

Amsterdam, 28 September 2001
- Saïda Wulteputte, Procter & Gamble: How We Failed and How We Plan to do Better in the Future
- Melle Beverwijk, Infosecure / Klaas Bruin, KLM: Awareness Programme for Information Security

Johannesburg, 6 November 2001
- Geoff Tumber, SCMB: Security Awareness

Chicago, 5 December 2001
- Dan Landess, State Farm Insurance: Information Security Awareness

Case studies

During the research and delivery of the workshops, the project team met with Members to discuss their experiences of Information Security Awareness. Since the topic is subjective, and experiences vary greatly between organisations, the objective was not to provide comparisons between Members, but instead to gather useful information about their awareness activities. This report therefore contains anecdotal case studies that describe the experiences of individual Member organisations and the lessons that they have learnt through their awareness programmes.

Validity of the effective security awareness process

The effective security awareness process described in this report was revised after each workshop to ensure that it provides a practical, usable method to develop an effective security awareness programme. When the workshops were complete, the project team spent two days with the information security team from a Member organisation working through the process to test its validity in a real environment.

Part 3: Security awareness

What is security awareness?

In 1993, the Forum published an Implementation Guide on How to make your organisation aware of IT security. The Guide includes a framework for the planning and implementation of an IT security awareness programme, and provides a definition of security awareness as follows:

Information security awareness is the degree or extent to which every member of staff understands:
- the importance of information security
- the levels of information security appropriate to the organisation
- their individual security responsibilities
and acts accordingly.

The definition was validated by Members at all of the workshops, who agreed that it is still relevant. The key element of this definition is the final line, since awareness is itself of no value unless it results in a desired change in behaviour.

The importance of security awareness

The effective management of information security requires a combination of technical and procedural controls to protect information assets. However, these controls can be circumvented or abused by employees who disregard their organisation's policies for security behaviour. Therefore the implementation of effective security controls is dependent upon creating a security-positive environment where employees understand and engage in the behaviour that is expected of them. The use of security awareness to create and maintain security-positive behaviour is a critical element in an effective information security environment.

The Information Security Status Survey provides data on the value of promoting information security activities. The results of question SM2401: Is awareness of information security promoted across the enterprise? are shown in Figure 3 opposite:

Figure 3: SM2401: Is awareness of information security promoted across the enterprise? (Bar chart of Yes and No responses on a scale of 0% to 100%, each split between "Did not experience major incident" and "Experienced major incident".)

The results suggest that organisations that do not promote information security awareness are more likely to experience a major security incident than those that do promote awareness.

Awareness and other security initiatives

A security-positive environment is a pre-requisite for certain other security initiatives. For example, a scheme of information classification, whereby staff can assign a label to information that will determine the security controls to be applied to it, is dependent upon all staff understanding and respecting the classification mechanism, which in turn requires staff to understand and respect information security.

A traditional model for security awareness

The Implementation Guide How to make your organisation aware of IT security proposes a four-step model for delivering a security awareness programme. The model allows for multiple awareness campaigns, where:

- a security awareness programme is a continuous undertaking aimed at building and sustaining a security-positive environment
- a security awareness campaign is one of a number of defined activities aimed at a special audience and/or at a specific security problem: for example, informing users about the threat from viruses, and teaching them how to control that risk.

The security awareness programme is used to determine the scope of work and to define the multiple security awareness campaigns, as shown at a high level in Figure 4 overleaf:

Figure 4: Traditional model for security awareness (Diagram: at programme level, "Determine programme scope"; at campaign level, campaigns 1, 2 and 3 each pass through Design, Develop and Deliver phases.)

The model comprises multiple campaigns forming an overall programme of work. The programme commences with a scope phase, which defines the security awareness campaigns, each of which will then have separate design, development and delivery phases. These may run sequentially or in parallel (as shown in Figure 4).

Key issues

The traditional model for security awareness described in How to make your organisation aware of IT security is widely used by Members. However, organisations represented at the workshops complained that security awareness activities fail to deliver a lasting behaviour change: that is, staff adopt the desired security-positive behaviour for a short period of time, but often revert to their previous behaviour when the awareness activities have finished.

To better understand the effectiveness of the traditional approach to security awareness, 80 participants from 72 Member organisations completed a questionnaire about their activities. The following sections explore the key issues associated with the traditional approach to security awareness. These are derived from statistical evidence from the questionnaire and the Information Security Status Survey, and anecdotal feedback from workshop attendees. The key issues, and their consequences for security awareness, are listed in Table 3 opposite:

Table 3: Key issues for security awareness

Key issue: The majority of security awareness activities are not managed as a formal programme of work.
Consequences:
- Awareness programmes may not be correctly prioritised against other security activities
- The pace of delivery is not maintained due to a lack of formal deadlines and commitments

Key issue: The belief that awareness needs to be raised is the most common reason for commencing a security awareness programme.
Consequences:
- The business case for security awareness is hard to justify because the need has not been clearly identified
- Value from an awareness activity cannot easily be quantified when the problem it is intended to address is not defined

Key issue: Very few awareness programmes have a formal, documented objective.
Consequences:
- The purpose of the awareness programme may be unclear
- It may be hard to evaluate success since the desired outcome is unknown
- It may be difficult to determine the financial value of security awareness to the organisation
- The relationship between various security campaigns is uncertain, and their relationship with other security activities is unknown. This may cause conflict or confusion between security activities

Key issue: The security management team sponsors the majority of awareness programmes.
Consequences:
- Business management are reluctant to release staff for awareness training because they have not committed to the activities
- Recipients of awareness training do not appreciate the importance of security or its relevance to their roles since their line managers have not communicated the need
- The programme fails to achieve a culture change because staff do not see senior management (who may themselves have security-negative attitudes) leading that change

Key issue: Many security awareness campaigns do not use specialised awareness materials.
Consequences:
- Staff do not understand what is expected of them, since the awareness message does not specify who should do what, and are therefore less likely to adopt the desired behaviour
- Campaigns fail because staff have heard similar messages before and are no longer interested

Key issue: The majority of awareness campaigns do not incorporate a mechanism for assessing their own effectiveness, but instead measure the level of security knowledge of staff.
Consequences:
- Measurement of awareness proves little except that the individual has received the awareness messages: measurement of effectiveness proves whether the message has actually changed behaviour
- Without firm evidence of effectiveness, it is difficult to justify or measure the success of awareness, and hence this can become a major obstacle to commencing an awareness programme

Key issue: Most organisations fail to commit sufficient resources to their awareness programme.
Consequences:
- A security function which does not receive adequate resources for security awareness is likely to focus instead on other activities that are perceived to be more important

Extent of awareness activities

Members were asked to describe their current security awareness activities in order to understand whether they are formal campaigns or intermittent activities. The results are shown in Figure 5 below:

Figure 5: Please describe your organisation's security awareness activities (Bar chart: percentage of responses, on a scale of 0% to 50%, for each activity: a formal programme of work; unstructured, intermittent activities; a single campaign; no security awareness activities.)

Findings

Whilst half of the respondents describe their awareness activities as a formal programme of work, it is clear that the remainder have less or no structure for security awareness as:

- over a third of awareness projects are run as unstructured, intermittent activities
- one in six organisations have only a single campaign or no awareness activities at all.

Thus in the absence of a formal programme of work, it is likely that most security awareness activities will suffer from a lack of formal deadlines and commitments.

These findings are reinforced by data taken from the Information Security Status Survey. Figure 6 opposite shows the result of question SM2403a: Is awareness promoted using a formal awareness programme?

Figure 6: SM2403a: Is awareness promoted using a formal awareness programme?

- In all cases: 14%
- In most cases: 26%
- In about half the cases: 8%
- In a few cases: 14%
- In no case: 37%
- Exception: 1%

Taking together the cases where all, most or about half of awareness activities are managed using a formal awareness programme, 48% of all organisations participating in the Survey promote security awareness issues through the use of formal awareness programmes. Over one half of Survey participants have little or no formal structure for their awareness activities.

Consequences

If security awareness activities are not managed as a formal programme of work, then:

- awareness programmes may not be correctly prioritised against other security activities
- the pace of delivery is not maintained due to a lack of formal deadlines and commitments.

Key Issue: The majority of security awareness activities are not managed as a formal programme of work.

Drivers for security awareness

Members were asked to comment on what they saw as the drivers for commencing their security awareness activities. The results are shown in Figure 7 below:

Figure 7: To what extent did the following events prompt the initiation of your security awareness activities? (Chart rating each driver on a scale of Very Low, Low, Medium, High, Very High.) Drivers:

- Knowledge that security awareness can contribute to overall level of security
- Compliance with external standards/best practice
- Compliance with regulatory requirements
- Management concern about overall levels of information
- Audit or security review
- Result of risk analysis
- Many minor incidents in this organisation
- Major incident in this organisation
- Major incident in another organisation

Findings

The results suggest that Members' security awareness activities are most commonly influenced by soft drivers, eg knowledge that awareness needs to be raised, either to comply with a standard, or because awareness is known to be a good thing. The hard drivers (eg risk assessments or incidents) appear to have less influence on the need to run security awareness campaigns.

Consequences

Commencing a security awareness campaign because of a belief that awareness needs to be raised means that:

- the business case for security awareness is hard to justify because the need has not been clearly identified
- value from an awareness activity cannot easily be quantified when the problem it is intended to address is not defined.

Key Issue: The belief that awareness needs to be raised is the most common reason for commencing a security awareness programme.

Objective of awareness activities

Members were asked to comment on the importance of their objective for security awareness activities. The results are shown in Figure 8 below:

Figure 8: In your opinion, how important are the following objectives of your security awareness activities? (Chart rating each objective on a scale of Very Low, Low, Medium, High, Very High.) Objectives:

- To reduce the number of security incidents
- To comply with external standards/best practice
- To address management concern about overall levels of information security
- To comply with regulatory requirements
- To satisfy the recommendations of a review
- Other

Findings

The results show a broad spread of objectives, with many Members reporting several different objectives for security awareness. The objectives appear to be more tangible than the drivers for commencing awareness activities described in the previous section. However, in the workshop sessions Members were asked whether they have a formal written objective for their awareness activities. The response suggests that only a small proportion (typically fewer than 10%) have a documented objective for their security awareness activities.

Consequences

In those cases where security awareness activities do not have a formal, documented objective:

- the purpose of the awareness programme may be unclear
- it may be hard to evaluate success since the desired outcome is unknown
- it may be difficult to determine the financial value of security awareness to the organisation
- the relationship between various security campaigns is uncertain, and their relationship with other security activities is unknown. This may cause conflict or confusion between security activities.

Key Issue: Very few awareness programmes have a formal, documented objective.

Sponsorship of awareness activities

In order to understand where the responsibility for awareness is perceived to rest, Members were asked who sponsors their awareness activities. The results are shown in Figure 9 below:

Figure 9: Who sponsors your awareness activities?

- Information security management: 40%
- Senior business management: 33%
- No sponsor: 16%
- Other: 9%
- Human resources department: 2%

Findings

The results show that:

- only one third of awareness activities are sponsored by the business management
- one project in six had no sponsor at all.

Consequences

SM24: Security Awareness of The Forum's Standard of Good Practice ("The Standard") states that "Formal awareness programmes should be supported by top management." Anecdotal evidence from workshop attendees suggests that successful awareness programmes often have a business sponsor or significant involvement from senior business management, and that nearly all successful programmes have some sponsor. Without a sponsor, awareness activities are likely to suffer problems that include:

- business management are reluctant to release staff for awareness training because they have not committed to the activities
- recipients of awareness training do not appreciate the importance of security or its relevance to their roles since their line managers have not communicated the need
- the programme fails to achieve a culture change because staff do not see senior management (who may themselves have security-negative attitudes) leading that change.

Key Issue: The security management team sponsors the majority of awareness programmes.


DESCRIBING OUR COMPETENCIES. new thinking at work DESCRIBING OUR COMPETENCIES new thinking at work OUR COMPETENCIES - AT A GLANCE 2 PERSONAL EFFECTIVENESS Influencing Communicating Self-development Decision-making PROVIDING EXCELLENT CUSTOMER SERVICE

More information

TEAM PRODUCTIVITY DEVELOPMENT PROPOSAL

TEAM PRODUCTIVITY DEVELOPMENT PROPOSAL DRAFT TEAM PRODUCTIVITY DEVELOPMENT PROPOSAL An initial draft proposal to determine the scale, scope and requirements of a team productivity development improvement program for a potential client Team

More information

Beyond Security Awareness Achieving culture and avoiding fatigue

Beyond Security Awareness Achieving culture and avoiding fatigue Beyond Security Awareness Achieving culture and avoiding fatigue Prof. Steven Furnell Centre for Security, Communications & Network Research University of Plymouth United Kingdom Session Content Introduction

More information

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Project Management Self-Assessment Contents Introduction 3 User Guidance 4 P3M3 Self-Assessment Questionnaire

More information

Procuring Penetration Testing Services

Procuring Penetration Testing Services Procuring Penetration Testing Services Introduction Organisations like yours have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

Comparison of Change Theories

Comparison of Change Theories VOLUME 8 NUMBER 1 2004-2005 Comparison of Change Theories Alicia Kritsonis MBA Graduate Student California State University, Dominquez Hills ABSTRACT The purpose of this article is to summarize several

More information

Key Performance Indicator (KPI) Guide

Key Performance Indicator (KPI) Guide Key Performance Indicator (KPI) Guide Measuring performance against the NSW Disability Services Standards Version 1.0 Key Performance Indicator (KPI) Guide, Measuring performance against the NSW Disability

More information

River Clyde Homes: Officer Service Desk Analyst

River Clyde Homes: Officer Service Desk Analyst Job Role: Officer Service Desk Analyst Directorate: Business Support Role reports to: ICT Manager Roles Reporting to this role: N/A Total number of team members within team: 5 Grade: River Clyde Homes

More information

How To: Implement Change Successfully

How To: Implement Change Successfully How To: Implement Change Successfully INTRODUCTION The most important part of the audit cycle is making change Baker et al (1999) The aim of this How To guide is to provide advice on how to implement change

More information

Afro Ant Conversation. Change Management Return on Investment 3 April 2014

Afro Ant Conversation. Change Management Return on Investment 3 April 2014 Afro Ant Conversation Change Management Return on Investment 3 April 2014 Overview This report documents the information gathered at the Afro Ant Conversation held on the 3 rd of April 2014 on the topic

More information

How to Deploy the Survey Below are some ideas and elements to consider when deploying this survey.

How to Deploy the Survey Below are some ideas and elements to consider when deploying this survey. SECURITY AWARENESS SURVEY Is a survey necessary A survey will give you insight into information security awareness within your company. The industry has increasingly realized that people are at least as

More information

Achieve. Performance objectives

Achieve. Performance objectives Achieve Performance objectives Performance objectives are benchmarks of effective performance that describe the types of work activities students and affiliates will be involved in as trainee accountants.

More information

Data Quality Assurance: Quality Gates Framework for Statistical Risk Management

Data Quality Assurance: Quality Gates Framework for Statistical Risk Management Data Quality Assurance: Quality Gates Framework for Statistical Risk Management Narrisa Gilbert Australian Bureau of Statistics, 45 Benjamin Way, Belconnen, ACT, Australia 2615 Abstract Statistical collections

More information

Performance Management Is performance management really necessary? What techniques are best to use?

Performance Management Is performance management really necessary? What techniques are best to use? Performance Management Is performance management really necessary? What techniques are best to use? This e-book is a guide for employers to help them discover tips and methods of performance management,

More information

JOB DESCRIPTION. Contract Management and Business Intelligence

JOB DESCRIPTION. Contract Management and Business Intelligence JOB DESCRIPTION DIRECTORATE: DEPARTMENT: JOB TITLE: Contract Management and Business Intelligence Business Intelligence Business Insight Manager BAND: 7 BASE: REPORTS TO: Various Business Intelligence

More information

Applies from 1 April 2007 Revised April 2008. Core Competence Framework Guidance booklet

Applies from 1 April 2007 Revised April 2008. Core Competence Framework Guidance booklet Applies from 1 April 2007 Revised April 2008 Core Competence Framework Guidance booklet - Core Competence Framework - Core Competence Framework Core Competence Framework Foreword Introduction to competences

More information

Document management concerns the whole board. Implementing document management - recommended practices and lessons learned

Document management concerns the whole board. Implementing document management - recommended practices and lessons learned Document management concerns the whole board Implementing document management - recommended practices and lessons learned Contents Introduction 03 Introducing a document management solution 04 where one

More information

CHANGE MANAGEMENT PLAN WORKBOOK AND TEMPLATE

CHANGE MANAGEMENT PLAN WORKBOOK AND TEMPLATE CHANGE MANAGEMENT PLAN WORKBOOK AND TEMPLATE TABLE OF CONTENTS STEP 1 IDENTIFY THE CHANGE... 5 1.1 TYPE OF CHANGE... 5 1.2 REASON FOR THE CHANGE... 5 1.3 SCOPE THE CHANGE... 6 1.4 WHERE ARE YOU NOW?...

More information

A Risk Management Standard

A Risk Management Standard A Risk Management Standard Introduction This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK, including the Institute of Risk management

More information

WHO GLOBAL COMPETENCY MODEL

WHO GLOBAL COMPETENCY MODEL 1. Core Competencies WHO GLOBAL COMPETENCY MODEL 1) COMMUNICATING IN A CREDIBLE AND EFFECTIVE WAY Definition: Expresses oneself clearly in conversations and interactions with others; listens actively.

More information

WHITE PAPER. PCI Compliance: Are UK Businesses Ready?

WHITE PAPER. PCI Compliance: Are UK Businesses Ready? WHITE PAPER PCI Compliance: Are UK Businesses Ready? Executive Summary The Payment Card Industry Data Security Standard (PCI DSS), one of the most prescriptive data protection standards ever developed,

More information

Middlesbrough Manager Competency Framework. Behaviours Business Skills Middlesbrough Manager

Middlesbrough Manager Competency Framework. Behaviours Business Skills Middlesbrough Manager Middlesbrough Manager Competency Framework + = Behaviours Business Skills Middlesbrough Manager Middlesbrough Manager Competency Framework Background Middlesbrough Council is going through significant

More information

Are waterfall and agile project management techniques mutually exclusive? by Eve Mitchell, PwC. 22 MARCH 2012 www.pmtoday.co.uk

Are waterfall and agile project management techniques mutually exclusive? by Eve Mitchell, PwC. 22 MARCH 2012 www.pmtoday.co.uk Are waterfall and agile project management techniques mutually exclusive? by Eve Mitchell, PwC 22 MARCH 2012 www.pmtoday.co.uk Projects need to be managed to be successful Change is a ubiquitous feature

More information

CPD an emotional rollercoaster

CPD an emotional rollercoaster CPD an emotional rollercoaster Aims: To raise awareness of the emotional aspects of change management (which are often ignored) and to introduce Fisher s transition curve to describe how mandatory CPD

More information

How to gather and evaluate information

How to gather and evaluate information 09 May 2016 How to gather and evaluate information Chartered Institute of Internal Auditors Information is central to the role of an internal auditor. Gathering and evaluating information is the basic

More information

DBC 999 Incident Reporting Procedure

DBC 999 Incident Reporting Procedure DBC 999 Incident Reporting Procedure Signed: Chief Executive Introduction This procedure is intended to identify the actions to be taken in the event of a security incident or breach, and the persons responsible

More information

National Occupational Standards. Compliance

National Occupational Standards. Compliance National Occupational Standards Compliance NOTES ABOUT NATIONAL OCCUPATIONAL STANDARDS What are National Occupational Standards, and why should you use them? National Occupational Standards (NOS) are statements

More information

What to look for when recruiting a good project manager

What to look for when recruiting a good project manager What to look for when recruiting a good project manager Although it isn t possible to provide one single definition of what a good project manager is, certain traits, skills and attributes seem to be advantageous

More information

Guide to Penetration Testing

Guide to Penetration Testing What to consider when testing your network HALKYN CONSULTING 06 May 11 T Wake CEH CISSP CISM CEH CISSP CISM Introduction Security breaches are frequently in the news. Rarely does a week go by without a

More information

Benefits realisation. Gate

Benefits realisation. Gate Benefits realisation Gate 5 The State of Queensland (Queensland Treasury and Trade) 2013. First published by the Queensland Government, Department of Infrastructure and Planning, January 2010. The Queensland

More information

Competency Frameworks as a foundation for successful Talent Management. part of our We think series

Competency Frameworks as a foundation for successful Talent Management. part of our We think series Competency Frameworks as a foundation for successful part of our We think series Contents Contents 2 Introduction 3 If only they solved all of our problems 3 What tools and techniques can we use to help

More information

Guide to to good handling of complaints for CCGs. CCGs. May 2013. April 2013 1

Guide to to good handling of complaints for CCGs. CCGs. May 2013. April 2013 1 Guide to to good handling of complaints for CCGs CCGs May 2013 April 2013 1 NHS England INFORMATION READER BOX Directorate Commissioning Development Publications Gateway Reference: 00087 Document Purpose

More information

THE DESIGN AND EVALUATION OF ROAD SAFETY PUBLICITY CAMPAIGNS

THE DESIGN AND EVALUATION OF ROAD SAFETY PUBLICITY CAMPAIGNS THE DESIGN AND EVALUATION OF ROAD SAFETY PUBLICITY CAMPAIGNS INTRODUCTION This note discusses some basic principals of the data-led design of publicity campaigns, the main issues that need to be considered

More information

Risk Factors in Retail Buyer's Success

Risk Factors in Retail Buyer's Success Negotiation skills First Friday is a leading provider of training & development and change management services with a portfolio of 100+ clients across the UK, Europe and South Africa. Our team is unique;

More information

COLUMN. Metrics for knowledge management and content management. How can you know if your project has succeeded without using metrics?

COLUMN. Metrics for knowledge management and content management. How can you know if your project has succeeded without using metrics? KM COLUMN FEBRUARY 2003 Metrics for knowledge management and content management Metrics are a concrete way of defining what a knowledge management or content management project will achieve, and whether

More information

Making a positive difference for energy consumers. Competency Framework Band C

Making a positive difference for energy consumers. Competency Framework Band C Making a positive difference for energy consumers Competency Framework 2 Competency framework Indicators of behaviours Strategic Cluster Setting Direction 1. Seeing the Big Picture Seeing the big picture

More information

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers. Employee Security Awareness Survey Trenton Bond trent.bond@gmail.com Admin - Version 1.3 Security Awareness One of the most significant security risks that organizations and corporations face today is

More information

Assessing your management system and the approach that you take

Assessing your management system and the approach that you take Management system management by matrix Assessing your management system and the approach that you take raising standards worldwide About the author John Osborne is Product Manager for BSI Training. The

More information

Effective from 1 January 2009. Code of Ethics for insolvency practitioners.

Effective from 1 January 2009. Code of Ethics for insolvency practitioners. INSOLVENCY PRACTITIONERS (PART D) Effective from 1 January 2009. Code of Ethics for insolvency practitioners. On 1 January 2014 a minor change was made to paragraph 400.3 of the code. The change clarifies

More information

Factsheet: Market research

Factsheet: Market research Factsheet: Market research A close understanding of the local childcare market and your customers needs is essential in order for your childcare business to succeed. Performing market research on potential

More information

Role Activity Grade 5 PAS Professional Officer

Role Activity Grade 5 PAS Professional Officer Role Activity Grade 5 PAS Generic Post Job Title: Market Insight Officer Title: Reporting to: Head of Market Insight School/ External & Community Relations Department: Job Family: Professional and Administrative

More information

APES 320 Quality Control for Firms

APES 320 Quality Control for Firms APES 320 Quality Control for Firms APES 320 Quality Control for Firms is based on International Standard on Quality Control (ISQC 1) (as published in the Handbook of International Auditing, Assurance,

More information

Experience Report: Using Internal CMMI Appraisals to Institutionalize Software Development Performance Improvement

Experience Report: Using Internal CMMI Appraisals to Institutionalize Software Development Performance Improvement Experience Report: Using Internal MMI Appraisals to Institutionalize Software Development Performance Improvement Dr. Fredrik Ekdahl A, orporate Research, Västerås, Sweden fredrik.p.ekdahl@se.abb.com Stig

More information

Performance Measurement

Performance Measurement Brief 21 August 2011 Public Procurement Performance Measurement C O N T E N T S What is the rationale for measuring performance in public procurement? What are the benefits of effective performance management?

More information

Research report. Understanding small businesses experience of the tax system

Research report. Understanding small businesses experience of the tax system Research report Understanding small businesses experience of the tax system February 2012 This research was commissioned by the HM Revenue & Customs (HMRC) Behavioural Evidence and Insight Team and Business

More information

Corporate Staff Survey Action Plan 2008. DRAFT v2.0

Corporate Staff Survey Action Plan 2008. DRAFT v2.0 Corporate Staff Survey Action Plan 2008 1 DRAFT v2.0 1 1. Working Conditions 1.1 Issue Possible Impacts Actions Owners Timescale Success Measures Identify key areas where dissatisfaction is dissatisfaction

More information

BT Contact Centre Efficiency Quick Start Service

BT Contact Centre Efficiency Quick Start Service BT Contact Centre Efficiency Quick Start Service The BT Contact Centre Efficiency (CCE) Quick Start service enables organisations to understand how efficiently their contact centres are performing. It

More information

Change Management in Project Work Survey Results

Change Management in Project Work Survey Results Change Management in Project Work Survey Results Contents 1. Introduction 1 2. Survey and Participants 2 3. Change Management 6 4. Impact of Change Management on Project Effectiveness 12 5. Communications

More information

INSOLVENCY CODE OF ETHICS

INSOLVENCY CODE OF ETHICS LIST OF CONTENTS INSOLVENCY CODE OF ETHICS Paragraphs Page No. Definitions 2 PART 1 GENERAL APPLICATION OF THE CODE 1-3 Introduction 3 4 Fundamental Principles 3 5-6 Framework Approach 3 7-16 Identification

More information

MODULE 10 CHANGE MANAGEMENT AND COMMUNICATION

MODULE 10 CHANGE MANAGEMENT AND COMMUNICATION MODULE 10 CHANGE MANAGEMENT AND COMMUNICATION PART OF A MODULAR TRAINING RESOURCE Commonwealth of Australia 2015. With the exception of the Commonwealth Coat of Arms and where otherwise noted all material

More information

Principles of Good Complaint Handling

Principles of Good Complaint Handling Principles of Good Complaint Handling Principles of Good Complaint Handling Good complaint handling means: 1 Getting it right 2 Being customer focused 3 Being open and accountable 4 Acting fairly and proportionately

More information

Health & Safety for Businesses and the Voluntary Sector. Key Principles

Health & Safety for Businesses and the Voluntary Sector. Key Principles Health & Safety for Businesses and the Voluntary Sector Key Principles KEY PRINCIPLES 1 Key Principles Introduction The importance of managing health and safety effectively cannot be over-emphasised. Ensuring

More information

The Business Benefits of Logging

The Business Benefits of Logging WHITEPAPER The Business Benefits of Logging Copyright 2000-2011 BalaBit IT Security All rights reserved. www.balabit.com 1 Table of Content Introduction 3 The Business Benefits of Logging 4 Security as

More information

Article on Change Management vs. Behavioural Change Management By Jonathan Gardner. Where change management fails and what to do about it?

Article on Change Management vs. Behavioural Change Management By Jonathan Gardner. Where change management fails and what to do about it? Article on Change Management vs. Behavioural Change Management By Jonathan Gardner Where change management fails and what to do about it? Change Management : one of the buzzwords of our time. But what

More information

Level: 3 Credit value: 5 GLH: 28 Relationship to NOS:

Level: 3 Credit value: 5 GLH: 28 Relationship to NOS: Unit 341 Implement UAN: Level: 3 Credit value: 5 GLH: 28 Relationship to NOS: Assessment requirements specified by a sector or regulatory body: Aim: T/506/1929 Management & Leadership (2012) National Occupational

More information

Dual Diagnosis Dr. Ian Paylor Senior Lecturer in Applied Social Science Lancaster University

Dual Diagnosis Dr. Ian Paylor Senior Lecturer in Applied Social Science Lancaster University Dual Diagnosis Dr. Ian Paylor Senior Lecturer in Applied Social Science Lancaster University Dual diagnosis has become a critical issue for both drug and mental health services. The complexity of problems

More information

Complying with the Records Management Code: Evaluation Workbook and Methodology. Module 8: Performance measurement

Complying with the Records Management Code: Evaluation Workbook and Methodology. Module 8: Performance measurement Complying with the Records Management Code: Evaluation Workbook and Methodology Module 8: Performance measurement Module 8: Performance measurement General 10.1 Many of the questions in the earlier modules

More information

Budget 300-360 per day negotiable for the right candidate 6 month contract 5 days per week for 1 st month - negotiable 3 days per week for 5 months

Budget 300-360 per day negotiable for the right candidate 6 month contract 5 days per week for 1 st month - negotiable 3 days per week for 5 months Job Title Pay Band Hours Contract Type Base Employing organisation Directorate Responsible to Accountable to Benefits Manager Budget 300-360 per day negotiable for the right candidate 6 month contract

More information

Guide to marketing. www.glasgow.ac.uk/corporatecommunications. University of Glasgow Corporate Communications 3 The Square Glasgow G12 8QQ

Guide to marketing. www.glasgow.ac.uk/corporatecommunications. University of Glasgow Corporate Communications 3 The Square Glasgow G12 8QQ Guide to marketing www.glasgow.ac.uk/corporatecommunications University of Glasgow Corporate Communications 3 The Square Glasgow G12 8QQ 0141 330 4919 2 Introduction One of the easiest mistakes to make

More information

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Introduction This Advice provides an overview of the steps agencies need to take

More information

Policy document Date. YourPlace Property Management www.your-place.net. Debt Recovery Policy. Part of the GHA family. Page 0. Debt Recovery Policy

Policy document Date. YourPlace Property Management www.your-place.net. Debt Recovery Policy. Part of the GHA family. Page 0. Debt Recovery Policy YourPlace Property Management www.your-place.net Policy document Date Debt Recovery Policy Page 0 Part of the GHA family Name of Policy Responsible Officer Executive Finance Manager Date approved by YourPlace

More information

4 Keys to Driving Results from Project Governance

4 Keys to Driving Results from Project Governance THOUGHT LEADERSHIP WHITE PAPER In partnership with Agile or Waterfall? 4 Keys to Driving Results from Project Governance You can t swing a project manager these days without hitting the debate of Agile

More information

Ronan Emmett Global Human Resources Learning Solutions

Ronan Emmett Global Human Resources Learning Solutions A Business Impact Study detailing the Return on Investment (ROI) gained from a Negotiation Skills training programme in Ireland delivered by the EMEAS Learning Solutions Team. There is a definite trend

More information

How To Protect Decd Information From Harm

How To Protect Decd Information From Harm Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

Selling Telematics Motor Insurance Policies. A Good Practice Guide

Selling Telematics Motor Insurance Policies. A Good Practice Guide Selling Telematics Motor Insurance Policies A Good Practice Guide April 2013 1 INTRODUCTION 1.1 The purpose of the guidance This guidance sets out high-level actions that insurers should seek to achieve

More information

2015 Information Security Awareness Catalogue

2015 Information Security Awareness Catalogue Contents 2015 Catalogue Wolfpack Engagement Model 4 Campaign Drivers 6 Offerings 8 Approach 9 Engaging Content 10 Stakeholder Change Management 12 Bundles 13 Content 14 Grey Wolf -Track compliance with

More information

APPENDIX ONE: SUMMARY TABLE OF SURVEY FINDINGS AND ACTIONS TAKEN ANNUAL PATIENT AND PUBLIC SURVEY 2013: SUMMARY OF KEY FINDINGS

APPENDIX ONE: SUMMARY TABLE OF SURVEY FINDINGS AND ACTIONS TAKEN ANNUAL PATIENT AND PUBLIC SURVEY 2013: SUMMARY OF KEY FINDINGS APPENDIX ONE: SUMMARY TABLE OF SURVEY FINDINGS AND ACTIONS TAKEN ANNUAL PATIENT AND PUBLIC SURVEY 2013: SUMMARY OF KEY FINDINGS Topic Finding Action taken/planned Awareness of the GDC Unprompted awareness

More information

Commercial Buildings Special Working Group Change Management Report 2010

Commercial Buildings Special Working Group Change Management Report 2010 1 Contents 1. Introduction... 3 2. Findings from member interviews... 4 Review of Current Change Management Practices... 6 3. Methodology... 7 Structured Approach... 7 Improving your context... 8 Getting

More information

Making information security awareness and training more effective

Making information security awareness and training more effective Making information security awareness and training more effective Mark Thomson Port Elizabeth Technikon, South Africa Key words: Abstract: Information security, awareness, education, training This paper

More information

Attribute 1: COMMUNICATION

Attribute 1: COMMUNICATION The positive are intended for use as a guide only and are not exhaustive. Not ALL will be applicable to ALL roles within a grade and in some cases may be appropriate to a Attribute 1: COMMUNICATION Level

More information

Module 1 Study Guide

Module 1 Study Guide Module 1 Study Guide Introduction to OSA Welcome to your Study Guide. This document is supplementary to the information available to you online, and should be used in conjunction with the videos, quizzes

More information

How to Write a Marketing Plan

How to Write a Marketing Plan How to Write a Marketing Plan This article highlights what we believe to be many of the key points that we need to consider when developing a marketing plan. It combines marketing theory, practical tools

More information

The Six Deadly ERP Sins

The Six Deadly ERP Sins The Six Deadly ERP Sins Summary: This white paper is a collection of observations by Manoeuvre based on our experience in the field of Enterprise Resource Planning (ERP) system implementations. The target

More information

The Healthcare Leadership Model Appraisal Hub. 360 Assessment User Guide

The Healthcare Leadership Model Appraisal Hub. 360 Assessment User Guide The Healthcare Leadership Model Appraisal Hub 360 Assessment User Guide 360 Assessment User Guide Contents 03 Introduction 04 Accessing the Healthcare Leadership Model Appraisal Hub 08 Creating a 360 assessment

More information

It will help you to think about how best to approach change, the key considerations and managing potential barriers to successful change.

It will help you to think about how best to approach change, the key considerations and managing potential barriers to successful change. CHANGE MANAGEMENT This tool kit has been designed to help you plan and implement change. It will help you to think about how best to approach change, the key considerations and managing potential barriers

More information

4374 The Mauritius Government Gazette

4374 The Mauritius Government Gazette 4374 The Mauritius Government Gazette General Notice No. 2260 of 2012 THE INSOLVENCY ACT Notice is hereby given that the following Rules governing the performance and conduct of Insolvency Practitioners

More information

The following criteria have been used to assess each of the options to ensure consistency and clarity:
