Developing SETA Programs for Small Businesses

Transcription

1 Developing SETA Programs for Small Businesses Stephen Townsend IS 8930 Information Security Administration Summer 2010 June 30, 2010 ABSTRACT Numerous studies show that small businesses are woefully insecure when it comes to their information systems and data. Reluctant management, lack of a dedicated IT staff, and unaware employees can all contribute to poor security within such an organization. The development of an effective SETA program takes the considerations of a small business into account. It covers not only what areas are the most cost-effective and prudent to pursue, but also the most efficient means of teaching the material and the motivational methods that ensure employees are compliant with the topics covered. Categories and Subject Descriptors K.6.6 [Management of Computing and Information Systems]: Project and People Management Training, management techniques, staffing. General Terms Management, Security, Awareness, Training Keywords Management 1. INTRODUCTION The purpose of this paper is to examine the development/design of security education, training, and awareness (SETA) programs for small businesses with a focus on raising security awareness for general users. While size standards vary in the U.S., the Small Business Administration [2010] typically identifies a small business as having less than 500 employees. Such organizations play an invaluable role in the U.S. economy by representing 99.7 percent of all employer firms and employing over half of all private sector employees [SBA 2010]. Despite the fact that many of these businesses operate locally and have little global impact, the information they collect and store can be sensitive for the party to which it belongs. Unfortunately, a 2009 study from McAfee shows that a majority of the small- and medium-sized business they surveyed spend less than 5 hours a week on proactive security (see Figure 1). In many cases management and employees of small businesses need to be made aware of the important role that information security plays Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. in their daily work and how to effectively implement it. However, it s no secret many small businesses do not have a dedicated information technology (IT) staff. Figure 1. More than half the small- and medium-sized businesses surveyed said they spend 5 hours or less per week on proactive security. Source: McAfee s The Security Paradox, 2009 A National Cyber Security Alliance study [2009] that polled about 1,500 small business owners shows that 86% of the businesses polled did not have anyone solely focused on IT security. In addition, a global study from McAfee and MSI International [2009] found that 75% of organizations polled cut or froze their IT security budgets in In an economic climate that calls for saving money at every possible juncture, support for information security can and does suffer. However, by approaching the development of a SETA program with the specific considerations of a small business in mind, solutions can be reached that ensure the best possible outcomes. The following text examines the many facets of designing such a program and is intended for use by either a security awareness training group or a business s IT staff, should it exist. 2. SMALL BUSINESS MANAGEMENT A small business s management plays an integral role in the development of a SETA program and as such warrants discussion first. For purposes of this text, management will refer to senior management, or top-level management, and not middle management, unless specifically noted. In many cases, management even serves as the company s functioning IT department (see Figure 2). A program without the support of management is certain to fail. They are the ones who give the goahead for such programs and as such should be made aware of their importance. The struggle to notify management of such a need has been a long-standing problem for many IT staffs. Because it is essential to convince management of the need for 1

2 the trust and respect they require to do their jobs. By considering this aspect of security beforehand, a training team and management can use this knowledge to more effectively present security topics during a presentation or meeting by defining what responsibilities an end user will have. This allows for tailored approaches to specific topics of discussion. Forging effective lines of communication with management early on and often in the process of developing a SETA program will be essential to ensuring the rest of the program is not simply a wasted effort of time and resources. Management should also be made aware that if they are not supportive of the goals of the program and do not show their employees how much it means to the business, then their employees are not likely to take it as seriously. If management is skeptical or unwilling to consider a SETA program from the start, then they must be convinced of why it is crucial. Figure 2. Fifty-nine percent of small business owners who did not have a dedicated IT staff said in an NCSA/Symantec survey that they were responsible for their business s IT. Source: Data from NCSA/Symantec Small Business Study, programs that raise security awareness, the next section is entirely devoted to how to deal with management that is reluctant. In this section, however, the status of management as a role model and supporter of security is examined. 2.1 Management as Role Models Members of management should know that they need to follow the security practices that are proposed during the program. While it seems like common sense, many managers fail to comply by the very procedures they expect their employees to follow. If management does not serve as a positive role model, they cannot expect their employees to be motivated and follow the security practices they are claiming to endorse. Management should also follow the security practices espoused by the program because they are the ones that can put the organization at the most risk. The information they can access and data they are in control of can be much more important than the data regular employees deal with on a daily basis. 2.2 Controls versus Trust While a healthy mix of trust and controls is needed to ensure employees fulfill their security duties, management should not overdo one or the other. It may seem premature to be discussing a decision such as this before the actual program. Yet it is necessary to note that this balance is one that will vary from business to business, and in designing a SETA program it will be necessary to note areas where the organization uses more controls and areas where they grant more freedom. Controls are effective tools for ensuring employees follow the security guidelines set forth by the organization, but add too many and they can become a hindrance on daily routines. Likewise, too much trust in employees to perform their security duties could lead to damage from incidents related to negligence. By incorporating both in healthy amounts, management can keep an eye on employees while still giving them 3. ADDRESSING THE ISSUES There are several reasons why small businesses are averse to designing and/or reinforcing security practices, and they should be addressed before the development of a SETA program can take place. Bringing these faulty assumptions to light can help convince management that action is needed, or it can strengthen their resolve to implement security measures. 3.1 Why Does My Business Need Security? One assumption owners and managers of small businesses that employ minimal security have is that they do not really need a SETA program because they have less to lose than big corporations and therefore will not be targets. In the global McAfee study [2009], which looked at medium-sized businesses (51 to 1,000 employees), they estimated that "almost half of midsize organizations around the world think companies with more than 500 employees are most at risk for a security attack. Many smaller organizations believe that their data is nowhere near as valuable as their larger counterparts." However, those from businesses with less than 500 employees were found to have suffered from more security incidents on average than individuals from larger organizations, and smaller businesses are far less likely to have policies and resources in place to recover from attacks. While it is not true in every case, the McAfee study [2009] also provides data to claim it is more costly to remediate a successful attack than to prevent one in the first place How Small Businesses Become Victims In an online news article on cyber security, Eric Shorr, president of an IT services firm, said in an interview that small businesses are a popular mark for hackers, who target unsuspecting smallbusiness networks and individual computers so that they can anonymously reach their intended high-profile victims [Nesi 2008]. Many other attacks have no intended target at all, and simply seek out unprotected systems from which to launch attacks. While small businesses may not be the intended target of a threat, it does not mean their systems cannot be used by attackers. These attacks almost always occur over the Internet, which affects all types of organizations and can wipe a small business out, making the need for proper security as well as trained and aware staff a top priority. According to the National Cyber Security Alliance study [2009], 75% of small businesses 2

3 said that they use the Internet to communicate with customers. Increasing use of such technology opens the doors for attackers, and the sooner management is made aware of the risks, the sooner a program can be developed It Won t Happen to Me A real-world example of how no business is safe, no matter its size, can be seen by the MyDoom worm, which accounted for 30% of all traffic in February 2004 and affected nearly one in three small businesses [U.S. Chamber of Commerce 2004]. Small business management should be made aware that the it won t happen to me approach is simply not sufficient. A company s IT department can also appeal to management by highlighting the importance of protecting customer data. This is essential for small businesses in particular because of the personal relationships they have with their customers compared to larger organizations. Every single positive relationship is a boon to small businesses, so ensuring this data is safe from threats and harm can foster trust with clientele But What if it Does? Richard Kissel [2009] provides a good example of how a SETA program can save a small business money in the long run. He notes that less obvious costs can often go unnoticed by a small business until it s too late. For example, if a small business suffers a security breach because of insufficient awareness and/or training on behalf of its employees, then it may have to notify all of its customers per state law. He says the average cost of such notifications is over $130 per person, which would make an incident that affected 1,000 customers cost about $130,000. This does not take into account the added losses of customers who will take their business elsewhere. For a small business, employees are the most valuable resource and also the most dangerous. When properly trained and aware of threats and risks, they can potentially save a company thousands. Likewise, if they are ignorant and inexperienced, they can cause irreparable damage. 4. THE SETA PROGRAM The development of an effective SETA program for a small business follows the standard methodology of any other program, but it should also take into consideration several key areas of interest. While some specific training topics will be covered in detail later, first it s necessary to analyze the general structure of how the program will be designed. While many methodologies exist on which to base a SETA program, the fundamentals remain the same. As was noted in the introduction, small businesses rarely have dedicated information technology staff, let alone a dedicated information security staff. For this reason the training party should take extra care to remain on the same page as management throughout the development process. A later section examines some points of interest for small businesses that have their own IT departments. 4.1 Identifying Program Goals The program will likely focus both on reinforcing behavior and thus emphasizing awareness, and teaching and applying skills and thus emphasizing training [NIST-SP ]. This section primarily focuses on awareness, which affects all small business employees that work with technology. Many of the tasks that will be covered such as creating strong passwords and practicing good habits do not require extensive, specialized training, but rather end user understanding and compliance. As National Institute of Standards and Technology (NIST) Special Publication states, The fundamental value of IT security awareness programs is that they set the stage for training by bringing about a change in attitudes which change the organizational culture. The cultural change is the realization that IT security is critical because a security failure has potentially adverse consequences for everyone [NIST-SP ]. In other words, before small business employees can start practicing better habits, they should be made aware of their importance. This focus on employees is necessary because, as K. Rudolph [2001], primary author of the security awareness chapter in the Computer Security Handbook and participant of the group that created NIST SP states, a small business s staff is one of its most cost-effective defenses against security incidents, and their compliance with security policy can make or break a program. She says, awareness is the most important part of a business s security program and that experts suggest 40 percent of a security budget should be spend on awareness measures Identifying Training Needs Training and awareness solutions also should be cost-effective, because most small businesses are already suffering in the current economic climate. They also must be feasible, or solutions the employees of the business will actually do. Anything too technical that might require the addition or expansion of a security staff is unlikely to be as successful. Small businesses can often have the benefit of being able to gather input from all of their employees as to what areas they feel should be covered. This is something that larger organizations of thousands of employees cannot possibly accomplish. Rather than assuming what employees will need to know or learn, it is much more effective to get a feeling first of what security practices are working and strong, and which are dysfunctional and weak. 4.2 Target Audience Both the Instructional Systems Design process and the NIST-SP stress the importance of identifying the target audience early in the design process [Gilbert 2003]. For small businesses, this means determining whether everyone needs to participate or whether only a specific group requires training. This group could be identified by the training party or by management. It can include a small group of individuals or the entire staff of a small business. Determining who will be participating in the program is essential because it will help in deciding how the group should be divided. Keeping with the rest of the text, this section focuses on a small business s general end users and not its specific IT department or middle management Audience Considerations As Chelsa Russell [2002] notes, there are many obstacles related to the target audience that can hamper security efforts. Many small business employees have no formal computer training or have developed bad habits through the years. Such users often view security as unnecessary, because they have managed to do their jobs without such knowledge up until this point. They should be made aware of how their previous actions may have adversely affected the business. 3

4 Many users look at security as something that is not their concern. An internal or external IT group is responsible for all related matters in their minds, and their role is simply to follow company policy. Yet often an internal IT department for a small business is only a single person, and external groups do not have the same level of integration as regular employees. These users should be made to understand that security efforts are everyone s responsibility, not simply the party who has it listed in their job description. 4.3 Delivery Methods A SETA program can employ many different approaches when it comes to the delivery method of the material. Cost and intimacy of the delivery method are often crucial factors. While a one-onone approach is the most personal and can ensure the needs of the trainee are met, it is also costly [Whitman and Mattord 2010]. This can be the deciding factor for a small business. A cost-saving approach divides employees into small groups, which still offers interaction but at the cost of difficult scheduling. Perhaps the most economical approach is web-based learning, which favors cost and convenience over personalized learning. Other approaches exist, but ultimately a small business should weigh the pros and cons of each and compare the potential outcomes with the proposed program s goals. Very small businesses of only a few employees who require training may want to consider investing in one-on-one training to ensure their employees get the best possible experience. Others may be in a financial position such that online training is their only option. Management of the latter should understand that the cheaper and quicker the program, the more it should be reinforced in the workplace down the line. A later section will examine developing plans to motivate employees to follow correct security procedures. If a small business chooses to divide its employees into groups for training, it should first define what types of users will be in each group and how those groups will be defined. This can occur in a number of ways, but as Whitman [2010] states, Training is most effective when it is designed for a specific category of user. For example, any training for an IT staff of a small business is likely to be separate from the end user awareness program because of its technical nature. Ordinary employees will be confused by the jargon used in such courses. Likewise, any users, not just IT staff, who are deemed to be computer-savvy, may require different training from those who need a broader, generalized approach. Such tactics are used in organizations both large and small, but tailoring the program to meet the needs of each individual user is something that is particularly important in small business. In such organizations one individual or a very small group of individuals can account for an enormous amount of productivity. Ensuring these individuals receive the best possible training will serve to further safeguard a small business. One benefit small business has is that it can very effectively get the right message to the right audience. While bigger organizations struggle with making sure each subunit within the organization is exposed to the right kind of information in a program, smaller businesses have less people and thus can focus more on what each particular group or individual needs. 4.4 What Should the Program Include? Designing what will be included in the program will differ from case to case. The following are some awareness topics taken from 4 the NIST-SP and the U.S. Chamber of Commerce s cyber security guide [2004] for small businesses. These topics should be compared to the business s current policies, if they exist, and adapted accordingly. Some of the topics deal directly with end users, while others concern the IT staff or outside IT group of a small business, should one exist. Almost all of them are costeffective and require basic technical skills. Creating an effective motivation program is an integral part of enforcing compliance with these topics and will be discussed subsequently Passwords Anyone who uses computers in a small business should have to deal with passwords on a daily basis. They grant access to computer systems, programs, communications and more. The purpose of this topic is to educate those who are ignorant of proper password practices and reinforce its importance to those who simply fail to comply. Employees should be made aware of the techniques attackers use and how good passwords can stop them. Figure 3. A study of small- and medium-sized businesses in the U.S. shows that senior management is most worried about and Internet security. Source: GFI Security Study, Physical Access Controls Even with good passwords, individuals can and do access data on computers if they can simply get their hands on them. By emphasizing to end users the importance of securing their machines before leaving for the day or setting up a screen lock/auto logoff when a computer is inactive, more physical access incidents can be avoided Small businesses are increasingly using as the primary means of communicating within the organization. This widespread use makes educating users about potentially malicious attachments a top priority for small businesses. A GFI study [2007] of 455 small- and medium-sized businesses found that 39% of senior executives said viruses were their greatest security risk (see Figure 3). Every user needs to be made aware of the dangers of attachments. If a business has an IT staff, then management might consider in-house solutions to

5 monitor and restrict access to potentially dangerous content. This can also help with employee compliance if they know they re being monitored Social Engineering Russell [2002] notes that social engineering is one of the most important topics to address because it feeds on human tendency to help others. Friendliness and congeniality are typical traits favored by small businesses because of the need to appear approachable and welcoming to customers. Small businesses often prefer to differentiate themselves from bigger chain stores in this fashion. However, many attackers can use this to their advantage by impersonating customers or some other related party and tricking employees into giving information. Policies should be in place that explain how the identity of a caller should be authenticated and how information should be handled in various forms of communication. Including it as a topic in security awareness sessions can help reinforce these existing policies Firewalls and Antivirus Software Firewalls and antivirus software are essential components in the IT infrastructure of any small business because they help block out potentially damaging access and threats to a network. According to the GFI study [2007], 90% of small businesses surveyed said they had a firewall installed and 96% said they employed antivirus software. Yet the issue here is not the installation of such controls, but compliance with them. While the setting up and maintenance of these security components are under the care of the group responsible for a company s IT, users should also be made aware of their importance and functionality. Employees should know how to tell if and when such services are turned on and how to resolve issues if they are blocking a particular service they are trying to access. Employees struggles with trying to access data that is blocked should be addressed, as should management s promise that the issue will be solved in a timely manner without compromising security Creating backups If a business is small enough, it may rely on its employees to back up their own data. If a small business has no backup plan, then now is a good time to consider one. Users should be made aware of the importance of this process and how it could mean saving their employment. If important data has not been backed up and is lost during an incident, the company may be forced to shut down. Effective backups can and have saved companies from going under, and in some cases it is the employee s responsibility to ensure they take place. These are just a few of the topics that may be covered by the program, and many more can be found in electronic documents on the Internet at websites such as the National Institute of Standards and Technology ( and SANS ( One thing they should all strive to accomplish, however, is an explanation of why the topics are important. Instead of simply telling users to adopt new and often more complicated daily practices, an effective program should also detail why certain current practices are insecure and thus help motivate users to be accountable [Russell 2002]. 4.5 A Small Business s IT Staff A small business with a couple hundred employees will likely have an IT group dedicated to performing many of the tasks described previously. The size and scope of this staff will determine what kind of support they can provide for the SETA program. During the development process of the program, any assistance that will be required from them should be communicated. In the previous topic examples, IT might be responsible for password management and monitoring. In this case the end users should be made aware of how the IT staff conducts such operations (in basic terms) so they can better understand their duties and responsibilities. Training and awareness specifically for the IT group includes its own distinct challenges and falls outside the scope of this article. Often such programs include terms and jargon that are easily understood by IT professionals and proceed at a much quicker pace. 4.6 When Should It be Conducted? Monthly versus Annually Once a delivery method and program content are designed, a time should be chosen to conduct the sessions. This also will differ depending on the company, its hours of operation, and the amount of free time it can grant to its employees. A greater decision a business must make is whether to conduct these sessions on a regular basis, once a year, or both. Lance Spitzner, an IS professional with more than 15 years experience, previous senior security architect for Sun Microsystems, and original faculty member of the SANS institute, suggests both. He says that while an annual program ensures everyone learns key topics, most individuals will quickly forget what they learned. Likewise, monthly programs could leave a company insecure while it waits to cover a certain topic. For this reason Spitzner [2010] recommends having an annual program that everyone takes, and a monthly program that reinforces important topics that might be of particular relevance to a small business New Hires Many small businesses experience a high turnover rate, especially in low-level positions that are fulfilled by part-time employees. This provides a specific set of challenges to a small business seeking to ensure all of its employees are up-to-date on security protocols and policy. As part of the development of a SETA program for a small business, it might be prudent to consider the creation of an orientation security packet that highlights key areas and can be given to any new hires. It is important current employees buy in to the business s culture because it will serve as an example that new hires can learn from. However, a new hire can just as easily mimic bad behavior as they can good behavior, so current employees need to know their role in supervising and training new staff. 5. MOTIVATION The development process isn t finished when the program s design and content is determined. Additional methods should be considered and devised to ensure employees follow the recommended security procedures. In a small business, the need for management to motivate employees is magnified, and by letting employees know exactly what is expected of them, management can more efficiently inspire them to follow proper 5

6 security practices. This process of motivation covers what must be done after a program is implemented, but should also be planned for during the development stages of a SETA program. 5.1 Rewards and Penalties According to Donn B. Parker [2002], CISSP, 2008 Fellow of the Association for Computing Machinery, motivation is essential to making SETA programs effective, and in many cases awareness programs can result in less security in its absence. He says that security awareness may, in fact, enlighten employees as to ways they can bypass security and become more efficient at the work for which they are paid. To combat this, rewards and penalties can be implemented to motivate employees effective use of security because they are traditional and controllable. If users are rewarded for using good practices or know there will be consequences for poor behavior, then they will be more likely to follow what they learned in the program [Parker 2002]. In smaller businesses management can have an extremely positive impact on the motivation of staff to practice good security habits. By encouraging employees and rewarding them when they do things the right way, management can show that security is a top priority of the organization and thus assimilate good practices into the company s culture. 5.2 Making It Personal William Hubbard [2002] explains that personalizing reminders and messages relating to the importance of security can make employees think about how a particular issue will affect them directly. Small business can achieve this by s or bulletins that everyone in the organization sees on a daily basis. Because of the close-knit atmosphere of small businesses it can be much easier for them to instill vested interests in their employees compared to larger organizations that have thousands of workers. The ultimate goal is to have every individual in a small business to be aware of how their actions affect not only themselves, but also the company and everyone related to it. 5.3 Promoting Security Promoting security can often be a challenge and should also be included in the design stages of the SETA program. This step addresses the issue of how to keep security on everyone s mind days, weeks, and even months after the program is over. According to the NCSA study [2009] 90% of businesses polled did not have workplace signage that helps keeps IT security and Internet safety awareness at the top of the mind for employees. Yet without this reinforcement, employees are not likely to be compliant. Parker [2002] suggests avoiding cliché, trite instructional videos that may have a negative effect on security efforts. Such material can offend the intelligence of employees by portraying extremely obvious security breaches and their solutions. Posters are a great way to draw attention to security, but they should not be displayed for long periods of time or they risk becoming ignored. One way to solve this is to have poster design contests that are displayed periodically. If a small business chooses to go with a monthly approach to security topics, then the current topic could be the theme for posters around the office. In addition, many websites offer free promotional materials that small businesses can use to save money. Examples are: Offers free materials such as awareness posters and more. Offers personalized training messages for end users. Offers free materials for small businesses in a large, downloadable package. 6. CONCLUSION Designing a SETA program for a small business is in many ways unlike developing a similar program for a much larger organization. While many of the fundamental concepts such as group size and topic discussion must be taken into account, smaller businesses have a host of unique considerations that warrant a more specialized approach. In some cases a small business s management may feel like they are not a target of attacks and therefore do not see a need for spending resources on increased awareness. Yet many high-profile attacks can and have occurred, and they have shut down many small businesses that were not prepared for them. More and more small businesses are trying to do more with less as the economy struggles to fully rebound. Yet failure to secure assets or information in even one instance can spell disaster for a small business. Employees are the best defense against such incidents and the development of an effective SETA program for a small business can ensure they are trained and aware. The actual approach of a SETA program for a small business will differ on a case by case basis. Yet many characteristics of small businesses, such as their smaller number of employees and more personal relationships with customers, remain the same across the board. A business with fewer employees can opt to provide much more personalized training sessions to ensure they fully understand the topic material. For those with a tight budget, costeffective web-based solutions exist, as do free promotional materials. The absence of a group whose sole duty is related to IT also means that each and every employee should be aware of their actions and how they can affect the organization. Rewards and penalties are more likely to be effective in motivating employees to adopt such an attitude because in smaller businesses it is feasible that everyone in the organization will know of a person s accomplishments or shortcomings. This can either motivate people to perform well or deter them from not being compliant. Ultimately a small business s management should integrate security awareness into the organization s culture if it is to be accepted by employees. A SETA program can aid in this task, and it does not need to be costly. Leading by example and showing employees that security is a priority will motivate them to do their part not only for their own benefit, but also for the business as a whole. 7. REFERENCES [1] GFI. (2007). Security survey in the United States. Study. Retrieved from: [2] Gilbert, C. (2003). Developing an Integrated Security Training, Awareness, and Education Program. SANS Institute Reading Room. Retrieved from: [3] Hubbard, W. (2002). Methods and Techniques of Implementing a Security Awareness Program. Sans Institute 6

7 Reading Room. Retrieved from: ethods-techniques-implementing-security-awarenessprogram_417. [4] Kissel, R. (2009). Small Business Information Security: The Fundamentals (Draft). Retrieved from: pdf. [5] McAfee, Inc. (2009). The Security Paradox. Study. Retrieved from: html. [6] National Cyber Security Alliance, Symantec. (2009) NCSA / Symantec Small Business Study. Study. Retrieved from: BStudy2009%20FINAL.pdf. [7] National Institute of Standards and Technology. Information Technology Security Training Requirements. NIST-SP Retrieved from: [8] National Institute of Standards and Technology. Building an Information Technology Security Awareness and Training Program. NIST-SP Retrieved from: SP pdf. [9] Nesi, T. (Nov. 5, 2008). Study: Americans' cyber security awareness uneven. Providence Business News, 2010, from t=1. [10] Parker, D. B. (2002). Motivating the Workforce to Support Security Objectives: A Long-Term View. Retrieved from: [11] Rudolph, K. (2001). Computer Security Handbook 4th edition. Retrieved from: [12] Russell, C. (2002). Security Awareness Implementing an Effective Strategy. SANS Institute Reading Room. Retrieved from: curity-awareness-implementing-effective-strategy_418. [13] Small Business Administration. (2010). Small Business Size Standards. Retrieved from: dex.html. [14] Small Business Administration Office of Advocacy. (2010). Frequently Asked Questions. Retrieved from: [15] Spitzner, L. (2010). Security Awareness Programs Monthly or Annual? Securing The Human. Retrieved from: [16] U.S. Chamber of Commerce. (2004). Commonsense Guide to Cyber Security for Small Businesses. Study. Retrieved from: bersecurity.htm. [17] Whitman, M. E. & Mattord, H. J. (2010). Management of Information Security. (pp. 196). Boston, MA: Course Technology, Cengage Learning. 7