Security awareness training and education, government guidance, training matrix

Transcription

1 Bulletin of Applied Computing and Information Technology Refereed Article A5: Security Awareness Training and Education in Organisations 05: , Dec Charles Tsui Manukau Institute of Technology, New Zealand Tsui, C. (2007). Security Awareness Training and Education in Organisations. Bulletin of Applied Computing and Information Technology, 5(2). Retrieved June 2, 2015 from Abstract This paper discusses support and guidance provided by governments concerning security awareness training and education. Based on the recommended guidelines by the National Institute of Standards and Technology (NIST)of the USA it investigates what technical and non-technical areas should be covered and how training and education should be done most efficiently. Recommendations about improving the efficiency of the training and education delivery and about evaluating their effectiveness are also provided. Keywords Security awareness training and education, government guidance, training matrix 1. Introduction Dr. Eugene Schultz in the editorial of Computer & Security 2004 (Schultz, 2004) encouraged all writers to submit more papers on the aspect of security awareness, training and education (SATE). He started by asking "Does security awareness training and education yield at least a reasonable return on investment?". When organisation budgeting comes to a critical situation, training and awareness would most possibly be the first areas to be slashed. The main reason behind this is that it is very difficult to determine direct benefits of security awareness training and education, when comparing with other security measures. The effectiveness of training and education is largely dependent on the quality of the adopted training and education programme. A good programme should properly fit the particular needs and structural requirements of the organisation, with tools for measuring and maximising return on investment (ROI) of training and education. Based on a literature review, this paper will identify and discuss what technical and nontechnical areas should be covered in a SATE programme, how a SATE programme may be structured to meet different educational and training requirements, and how security awareness training and education programmes could be delivered most efficiently. Models and frameworks will be considered, including government guidelines. 2. Government Guidance There are examples that with promotion and encouragement from governments, toplevel management of organisations are paying more attention on the importance of computer SATE. Some relevant cases are dscribed below. The USA passed Public Law , "The Computer Security Act of 1987", which mandated that the National Institute of Standards and Technology (NIST, 2005) with the United States Office of Personnel Management (OPM) develop and issue guidelines for federal computer security training. To fulfil the requirements, several guidance documents have been produced such as "Information Technology Security Training

2 Requirements: A Role- and Performance-Based Model" (NIST, 1998), and "Building an Information Technology Security Awareness and Training Program" (NIST, 2003). The two documents are complementary. Whle the first one provides higher level strategic concepts on how to build an information technology SATE (IT SATE) programme the second document describes role-based training details at a lower tactical leve. Although the documents are targeting federal agencies in the USA, they may be used by any other organisation and are not subject to copyright. Other governments provide similar guidance, such as "Information Security: Raising Awareness" prepared by the Treasury Board of Canada Secretariat (2000), and "A Users' Guide: How to Raise Information Security Awareness" published in 2006 by the European Network and Information Security Agency (ENISA). In 2006 The Australia government released the "Australian Government Information and Communications Technology Security Manual". In New Zealand, the Government Communications Security Bureau (GCSB) maintains the New Zealand Security of Information Technology (NZSIT) publications and training programme (GCSB, 2006). All these guidelines promote security awareness to organisations and the public and are supported by government offices and agencies. As They share similar approaches, this paper will concentrate on the guidelines provided by NIST. 3. The Sate Concept Security awareness, training and education are the three parts that make up the IT SATE learning continuum. It starts with raising awareness, develops the programme for training, and then evolves into education (NIST, 1998, p.14). The diagram below illustrates the three-layered structure of the IT security learning continuum recommended by NIST (1998, p.13). The three main layers are Awareness, Training, and Education. The interrelationships shown in Figure 1 may serve as a reference framework for building SATE programmes. Figure 1. IT security learning continuum (Source: NIST, 1998, p.13) Awareness is a wide coverage of security aspect that are communicated to broad audiences. An IT SATE programme aims to raise people's attention to things that they take for granted without being aware of the related security issues. Activities at this particular level are especially targeted at workers who have only recently an information system. The middle layer is more formal and is aimed at enhancing workers' skills and providing security knowledge for daily tasks. This layer places emphasis on role-based training in

3 which programmes can be designed specifically for particular positions of an organisation. Education is at the highest level of integration of the framework where a combination of skills and competences is required for producing security specialists and professionals who are in the position of overseeing the whole information structure of the organisation General Training Areas A comprehensive SATE programme should cover an organisation's entire user population. Following their role-based training methodology NIST divide training into three general areas: Laws and regulations, security Programme, and systems life cycle security. Six generic organizational roles are also identified: Manage, acquire, design and develop, iimplementand operate, review and evaluate, and use (NIST, 1998, pp ). NIST recommend an IT security training matrix model (NIST, 1998, p.44) which relates the three training areas with the six organisational user roles. In the matrix (Figure 2) the numbers in the cells corrrespond tpo the numbered sections of the NIST document describing training requirements. Figure 2. IT security training matrix (Source: NIST 1998, p. 44) The matrix arrangement in Figure 2 is a rather generalised framework that has the "one-programme-fits-all" approach. Researchers may find it similar to Shultz's (2004) idea of "fitting a square peg in a round hole". It may not work effectively for security training, as a SATE programme, as mentioned in earlier sections, must be designed for particular audiences. For example, to build a training programme for a Chief Information Officer using the above matrix, all of the cells 1A, 2.2A, 2.1C, 2.2C, 2.1D 2.1E and 3.4E will be selected. To guide the reader, the documentation developed by NISTprovides a number of examples referring to individual organisational roles featuring a selection matrix, samples of training metrics, and a programme Technical vs Non-technical Training Areas When training technical or professional personnel the materials must be arranged up to the technical level required for that particular position. For example, tests and specific programming guidelines for database applications are required when training database security control. Program code and templates are required when training software developers so that the developers can use and apply them to their daily tasks (Steven & Peterson 2006). However, that does not mean that general security awareness is not necessary as well. SATE programmes should be customised to start with an initial training scheme that all staff must attend to raise their awareness and then form groups for further in-depth technical aspects. Steven and Peterson (2006) suggested a three- tier model for awareness training for

4 software developers. The management aspect can be divided into three tiers, namely: executive, management and development, and security. Tthis concept is somewhat similar to the NIST six role model albeit with a smaller number of roles. The higher level roles focus on vision, goals and objectives. The middle level roles have the task to manage the implementation and validation. The lowest level is where the actual tasks are carried out. Further on the technical aspect, developers can be divided into beginners, intermediate and advanced levels. To compare with the NIST guidlines, this further customisation is moving into the education level for professionals and specialists. Non-technical areas can be classified as public or community level. This is covered by NIST's Security Basics and Literacy (NIST, 1998, pp.23-32). A somewhat controversial example of "Community Security Awareness Training" was reported by Endicott- Popovsky, Orton, Bailey and Frincke (2005). It was a security awareness event in the form of "Google-Hacking Contest". The aim was to alert the general public to the risks of identity theft. The contest gathered groups of attendees, ranging from students to senior professionals in computer security, trying to use the technique of "Google- Hacking" to look for exposed personal identity details. 4. Making Training Efficient COBIT (Control Objective for Information and related Technology) identified ' people' as one of the four IT resources that form the IT organisation (ITGI, 2005, p.12). People are the key players who use skills and technology infrastructure to carry out the set of defined processes to run the business; any faulty actions by people directly affect the organisation. This is the reason why in many reports and papers it is stated that that people are the key, but also are one of the weakest links (NIST, 2003, p.1). Therefore a SATE programme should be designed for the people who work in the targeted organisation. The programme will lose its effectiveness, if materials are overloaded with unnecessary content whcih the audience may find irrelevant to their work. People will lose attention and become bored!. Steven and Peterson (2006) note that "Only when training gives prescriptive design and coding guidance of what to do to resist attack does it stand a chance of sticking in a developer's mind." In fact, not only technical people but also general computer users would prefer a "you do what I do" practical training rather than just sittin and watching a demonstration. The more chances that people get for a ' hands on' training experience, the more deeply they will understand the concepts related to security. Further, the training programme must be related to daily tasks. The closer it resembles a daily task, the more attention it will get from the audience. The "Google-Hacking" event mentioned earlier is an example of a very effective and efficient exercise. The event was highly technical, but the outcome was a surprise to all as millions of highly confidential records were retrieved from the Internet through a wireless network provided by a university. Although it was not an official training programme and only the highly-technical attendees gained most of the benefits, the event served well tor alert the general public and was a very efficient security awareness exercise. It was also cost-effective as the organisers paid for the venue and the wireless network connections while attendees contributed to the cost of labour and the equipment. nd equipment. The event gained high publicity world-wide. 5. Measurements and Improvements Every business or non-business process is measured for its effectiveness, efficiency and ROI, and SATE is nt an exception. ENISA described an "Overall strategy for executive awareness initiatives and programmes" in their users' guide. The strategy is divided into three phases: Plan and assess, execute and adjust, and evaluate and adjust. The document gives guidelines on cost analysis and identifying the benefits, and on establishing a baseline and evaluation. Evaluation and feedback can be done by questionnaires (ENISA, 2006, pp.33-37). However, most of the benefits are non-measurable and intangible, such as "motivated to adopt security practices". Although not measurable, comparisons on certain performance criteria can be carried out. For example, statistical data on security

5 breaches and incidents can be collected before and after the SATE programme and regularly for a number of periods, and analysed. Another example is software application development where a security analyst is normally employed to look into loopholes and bugs in applications. Analysis can be done before and after the SATE programme and comparisons can be made to look for continuous improvement. 6. Conclusion This paper addresses some aspects of security awareness training and education in organisations. A brief review of significant guidance documents provided by governments has been carried out. The concept of the people factor in security awareness training and education is introduced and discussed as a backdrop to the further introduction of ideas on how to formalise, design and measure an efficient and useful SATE programme. A number of examples are used to draw practical recommendations for educators and practitioners in the field, with referencing models and frameworks sourced from the literature reviewed.. Acknowledgements Special thanks to the anonymous reviewers for their constructive comments, and to Krassie Petrova and the members of BACIT editorial board for supporting my work on the article. References Australia Government (2006). Australian Government Information and Communications Technology Security Manual. Retrieved October 18, 2006, from ENISA (2006). A users' guide: How to raise information security awareness. Retrieved October 18, 2006, from Endicott-Popovsky B., Orton I., Bailey K., & Frincke, D. (2005). Community security awareness training. Systems, Man and Cybernetics (SMC) Information Assurance Workshop. Proceedings of the Sixth Annual IEEE, pp, GCSB (2006). The NZ Security of Information Technology (NZSIT) publications and training programme. Retrieved October 18, 2006, from ITGI (2005). COBIT (Control Objective for Information and related Technology) 4.0. Retrieved September 30, 2006, from Section=Downloads3&Template=/MembersOnly.cfm&ContentID=23325 IWS (2006). The Information Warfare Site. Retrieved October 18, 2006, from NIST (2005). National Institute of Standards and Technology. Retrieved October 18, 2006, from NIST (1998). Information technology security training requirements: A role- and performance-based model. Retrieved October 18, 2006, from NIST (2003). Building an information technology security awareness and training program. Retrieved October 18, 2006, from Schultz E. (2004). Security training and awareness Fitting a square peg in a round hole. Computers and Security, 23(1), 1-2 Steven J., & Peterson G. (2006). Essential factors for successful software security awareness training. Security & Privacy Magazine, 4(5), Treasury Board of Canada Secretariat (2000). Information security: Raising awareness. Retrieved October 18, 2006, from Copyright 2007 Tsui, C.

6 The author(s) assign to NACCQ and educational non-profit institutions a non-exclusive licence to use this document for personal use and in courses of instruction provided that the article is used in full and this copyright statement is reproduced. The author(s) also grant a non-exclusive licence to NACCQ to publish this document in full on the World Wide Web (prime sites and mirrors) and in printed form within the Bulletin of Applied Computing and Information Technology. Authors retain their individual intellectual property rights. Copyright 2007 NACCQ. Krassie Petrova, Michael Verhaart, Beryl Plimmer (Eds.) An Open Access Journal, DOAJ # , ( zotero)