Development trend 3: Cultivating an Information Security Culture

Transcription

1 Chapter 6 Development trend 3: Cultivating an Information Security Culture 6.1 Introduction This chapter will investigate the third development trend of the institutional wave as described by Von Solms. [VON01] Von Solms identified this trend as the cultivation of an information security culture. This includes designing and implementing an information security awareness programme to educate employees about information security in the organisation. Implementing an effective information security awareness programme helps all employees understand why they need to take information security seriously, what they will gain from its implementation and how it will assist them in completing their assigned tasks. An effective information security awareness programme could be the most cost-effective initiative a company can take to protect its critical information assets. [NET01] This protection can only be provided if there are effective programmes in place to make certain that employees are aware of their responsibilities. The NIST handbook [NIS00] states that people are a crucial factor in ensuring the security of computer systems and valuable information resources. This is because human actions account for a far greater degree of computer-related loss than all other sources combined. According to the information security breaches survey in 2000, [ISB00] a big problem that organisations face is the training of people so that they use Chapter 6 70

2 systems properly and securely. This is because people think that whenever anything goes wrong; it is always the information technology department s fault. It is the organisation s responsibility to make employees aware of information security policies and issues in the organisation. Without knowing the necessary security controls (and how to use them), users cannot be truly accountable for their actions. [NIS00] Organisations that have implemented strong protection mechanisms and have educated their staff are in the best position to protect their information from unauthorised disclosure or modification. According to CCTA [CCT99], the information security procedures must be integrated into normal everyday routine, and staff should come to recognise security as an enabler rather than a barrier. The NIST handbook [NIS00] also stresses this every day routine by stating that information security is an ongoing process. This process of making employees information security aware must continue after a candidate has been hired, which includes keeping employees up to date with their information security duties and responsibilities. One method of making employees more aware of information security issues in the organisation is by means of an information security awareness programme. An information security awareness programme must be carefully thought through and correctly implemented to obtain optimal results. An information security awareness programme must be structured in such a way that all employees, from top management to the individuals, understand their responsibilities in terms of information security. The rest of this chapter will investigate the importance of information security awareness in an organisation. This includes why employees must be information security aware and how this awareness can be presented to the employees. This chapter will also investigate different methods that can be used to present information security awareness to employees. Chapter 6 71

3 6.2 Information security awareness According to Netigy, [NET01] security professionals claim that there are three key elements for any security programme: availability, integrity and confidentiality. Corporate management must have confidence in the available information so that it can make informed business decisions. For this reason, information needs to be readily accessible, and controls and reporting mechanisms must be in place to detect unauthorised access, whether by someone outside the organisation or someone within. This idea of availability, integrity and confidentiality is also shared by Internet Security Systems [ISS00] when talking about information security awareness. This can be depicted in the figure below: Business strategy Policy and guidelines Security frameworks, architecture and solutions Awareness and vigilance Figure 6.1: Influence of awareness Chapter 6 72

4 The figure clearly shows that awareness has a big influence on the availability, integrity and confidentiality of information in an organisation. The Internet Security Systems [ISS00] continue to state that this awareness can be obtained through employee education. This education is an ongoing effort to raise awareness of the need for information security at the senior management, administrator and end-user levels. The process cuts across all other security processes and can be depicted in the figure below [ISS00]: Best practices and guidelines Figure 6.2: Fundamental security management life cycle The figure above clearly shows that awareness (education) has an influence on best practices as depicted in the middle of the cycle. In a survey conducted by Information Week and Price WaterhouseCoopers [WOR98], employees and other authorised users were the source of most information security Chapter 6 73

5 breaches in a corporate network. This has driven organisations to look at security from all angles and define an overall security strategy that reduces their risks. These risks can involve a variety of breaches that can occur in an organisation. The next paragraph will investigate different kinds of breaches in more detail. 6.3 Security breaches According to a survey conducted by IDC [WOR98], more than 68% of organisations have deployed network firewalls. These dedicated security applications prevent hackers and other unauthorised users from accessing the corporate network. The "quick-fix" has been adopted by almost everyone in the business environment. These firewalls help to keep security breaches from outside the organisation to a minimum. [WOR98] According to Frank Prince, a senior security analyst at Forrester, the kinds of insider breaches that are the most costly get traced back to a human being, and become a physical security personnel issue. [BRI00]. A survey held by Survey 200 [BRI00] showed nine (A-I) insider breaches that were investigated. These insider breaches included: A: Installation/use of unauthorised software B: Infection of company equipment via viruses/ malicious code/executables C: Use of company computing resources for illegal or illicit communications or activities D: Abuse of computer access controls E: Installation/use of unauthorised hardware/peripherals F: Use of company computing resources for personal profit G: Physical theft, sabotage or intentional destruction of computing equipment H: Electronic theft, sabotage or intentional destruction/disclosure of proprietary data or information I: Fraud Chapter 6 74

6 The figure below depicts the different insider breaches with the percentages of occurrence. % of Breaches I 13 H 24 G 42 Breaches F E D C 63 B A % Figure 6.3: Percentage of insider breaches Insider breaches may be partially addressed with an information security awareness programme. The survey also investigated if these insider breaches were accidental or deliberate. The figure below depicts which of the nine insider breaches were accidental or deliberate. Accidental and deliberate breaches 17% 35% Deliberate Accidental Unsure 48% Figure 6.4: Deliberate and accidental breaches. Chapter 6 75

7 The figure above clearly shows that 48% of all the insider breaches in an organisation are accidental. This means that the employees did not know they were violating the integrity, confidentially and/or the availability of the information. If however, these employees were more aware of the security issues in the organisation, the accidental breaches could have been avoided. One method that organisations can use to make employees more information security aware is an information security awareness programme. The next paragraph investigates an information security awareness programme in more detail. 6.4 An information security awareness programme Presentation of an information security awareness programme There are a lot of different methods that can be used to present an information security programme to employees. Each method has its own advantages and disadvantages in educating employees. These advantages and disadvantages will be investigated in this chapter. The methods that will be investigated include: Posters Screensaver/mouse pads Calendar Workshops Videos Internet Other methods that will not be investigated but are also useful in an information security awareness programme are brochures, newspapers and magazines. Small competitions can also be held in the organisation to encourage employees to participate in an information security awareness programme. These can include Chapter 6 76

8 monthly competitions to see which employee can submit the most interesting information security article he/she has read that month. When planning an information security awareness programme, the following aspects must be looked at: The number of employees who are going to participate in the information security awareness programme. The employees geographical locations. Funds available for security awareness programmes. Timeframes available to complete the security awareness programme. The level of awareness that employees must have to comply with. The amount of awareness information that can be displayed. The rest of this chapter will investigate each of the information security awareness methods and compare them to the aspects mentioned above Posters Posters must be carefully designed to educate the reader, while providing the how and why in order to gain the reader's acceptance, resulting in more widespread adoption of secure practices and greater levels of compliance with existing standards. The advantage of this method is that posters are placed in areas such as above water fountains and coffee machines or in tearooms, for example, where staff normally spend a couple of minutes. Posters can efficiently and effectively educate numerous staff on new security topics each and every month. [SEC00] Posters must be colourful and attract the employees attention. The disadvantage of this method is that the information security awareness team has no idea if the employees actually do read the posters and take the security issues on them seriously. Another disadvantage is that no matter how well the posters are Chapter 6 77

9 designed, they will simply blend in to the environment after a while. To prevent this from happening, all awareness techniques should be creative and changed frequently. [NIS00] Another disadvantage is that only a limited amount of awareness information can be printed on the posters. Posters are usually used if all the employees are working at one central working place. If employees are working at different geographical locations, the cost of transport must be added. The uncertainty is also always there that the poster can get lost, misplaced and will never reach the target employees. The figure below shows an example of a poster. Figure 6.5: Example of a poster [ISA00] The table below evaluates the poster method according to the criteria already mentioned above. Chapter 6 78

10 Table 6.1: Evaluation of posters. Evaluation: Number of employees involved Number of different geographical locations involved Funds needed Timeframes needed for presentation Level of awareness of employees Amount of awareness information displayed Medium High Low Low Low Low Screensaver There are a lot of small things around the office and the workstation that can be used in presenting information security awareness to employees like screensavers and mouse pads. People seem to be intrigued with screensavers. That's why a screen saver is an effective way to bring information security awareness messages right to the individual end-users. The advantage is that screensavers can be used to convey information security facts, awareness tips, and quiz questions with answers. This will provide repetitive learning to the employees. Short security-related animations are included to help elevate interest and encourage attentiveness. [SEC00] These information security facts and awareness tips that are combined with the screensaver can be changed on a regular basis, for instance each month. The employees can obtain these screensavers by means of an sent by the information security awareness team. It is up to senior management to decide who must take responsibility for updating the screensavers. The responsibility can be given to an already established committee like the publicity committee or a new committee can be formed to take responsibility for all information security awareness matters. If the screensaver is not animated, any poster design can be used. Chapter 6 79

11 Another method is using mouse pads to display awareness tips. A security tip is chosen in such a way that it will always be relevant and will be seen by the employee every time he/she works with the mouse. A security awareness tip can include something like always keep your password secure or always remember to log off when finished working. A mouse pad can be seen as a small poster. Figure 6.6: Example of a mouse pad [ISA00] The table below evaluates the screensaver and mouse pad methods according to the criteria already mentioned above. Table 6.2: Evaluation of screensavers and mouse pads Evaluation: Screen saver Mouse pad Number of employees involved: High Medium Number of different geographical locations involved: High Medium Funds needed: Low Medium Timeframes needed for presentation: Low Low Level of awareness of employees: Low Low Amount of awareness information displayed: Low Low Chapter 6 80

12 Calendars Another method organisations can use to present information security awareness is with calendars. Calendars contain the days, weeks and months of the year and can be used on a daily basis. The size of calendars can differ, from pocket-size calendars to calendars that can be hung on a wall. Calendars doesn't have to be dry, boring memos circulated by company or nagging tips of the day on pop-up menus. Instead, calendars must be created to be fun and eye-catching and work as an alternative form of promotional materials that will get the message across [ISA00]. The figure below is an example of a calendar. Figure 6.7: Example of a calendar The table below evaluates the calendar method according to the criteria already mentioned above. Table 6.3: Evaluation of calendars Evaluation: Number of employees involved: Number of different geographical locations involved: Funds needed: Timeframes needed for presentation: Level of awareness of employees: Amount of awareness information displayed: High High Medium Low Low Medium Chapter 6 81

13 Workshops Holding a workshop is an excellent way to provide interaction and a personal touch to your information security awareness training. Workshops must be designed to enable a person to easily present an awareness course to employees. This means that an information security awareness workshop must be interesting and easily understood by employees. The course can cover a variety of areas where employees may face information security issues in the performance of their normal daily activities. An objective of the workshops is for employees to learn about their responsibility towards protecting the information they works with. [SEC00] This can include workshops covering topics ranging from choosing and protecting passwords to making backups, for example. There are a few disadvantages that need to be considered when presenting workshops. One problem is the cost of the workshop. The security awareness teams must organise a venue where these workshops are going to take place. If the organisation does not have a favourable venue on the premises, an external venue must be rented. The employees must take time off from work to attend the workshops. The productivity of the organisation will be affected if employees are absent for any period of time. At workshops, large amounts of information are given to the employees and an employee might not be able to absorb all the information that is given to him. This means that an employee must learn at the presenter s pace and not his own. This is a great disadvantage. When talking about attendance, another problem is what happens when the employees are working at different locations. For example, if an organisation s head office is in Johannesburg and a second office in Cape Town, the problem that arise as to where the workshop should be held. Do all the employees from Johannesburg travel down to Cape Town (where the organisation is paying for all expenses) or are there going to be two different workshops. This means two different venues and different people to present the workshop. The conclusion is that workshops are a very good and personal Chapter 6 82

14 method for presenting security awareness programmes if all the employees are at one geographical location. [ISA00] The table below evaluates the workshop method according to the criteria already mentioned above. Table 6.4: Evaluation of workshops Evaluation: Number of employees involved: Number of different geographical locations involved: Funds needed: Timeframes needed for presentation: Level of awareness of employees: Amount of awareness information displayed: Low Low High High Medium High Videos Showing an information security awareness video is a good way to stimulate discussion for an information security awareness training session. [IRO00] It is through this discussion that managers and trainers can reinforce the need for information security in the organisation. Videos must be created in an interesting and humorous way so the employees find it interesting to watch. Videos can convey vast amounts of information in a short period of time. The disadvantage with the video method is that all the employees must be in one central area at the same time to watch the video. That means scheduling a venue and time that is suitable for all. Videos can cost a lot of money to design and produce, but after the initial expense the videos are a cost-effective method that can be used in workshops (as mentioned Chapter 6 83

15 above) to educate employees. Video is also an excellent idea to use in the orientation of new employees. The table below evaluates the video method according to the criteria already mentioned above. Table 6.5: Evaluation of videos Evaluation: Number of employees involved: Number of different geographical locations involved: Funds needed: Timeframes needed for presentation: Level of awareness of employees: Amount of awareness information displayed: Medium Medium Medium Medium Low High Internet and Intranet Many organisations are finding that an effective way to provide information for their staff is through a company s Intranet. This allows a user to browse or search large amounts of information and he/she can learn at his/her own pace on their own schedule. The world-wide method that is being used for making employees security aware is a security awareness web site. [SEC00] This website can easily be customised to fit your organisation's image. Simply insert the website into your existing Intranet structure. An editable contact page and link are available to inform the reader of whom to contact for more information and what to do in case of a security incident. This is a great tool for promoting awareness of any topic. [SEC00] This website can be designed to attract the employees attention, for example, by displaying jokes and cartoons. The information security awareness team can make Chapter 6 84

16 the learning of security issues fun by running competitions on the website. These competitions can vary from crossword puzzles to word games. Competitions can include things like the employees must find an article published in newspapers, magazines or on the web on any security situation that happened anywhere in the world. The employees learn about information security situations and what can go wrong in organisations while searching for an article. All the articles or summaries of the articles can then be published on the website for all the employees to read. The best one can win a prize. This is to motivate the employees and to let them know that they can also gain from learning about information security aspects. These security awareness websites will cost less than the other methods already mentioned. The websites can also be updated on a regular basis so that the employees will always find something new. The website can be used not only in educating employees on information security awareness aspects but also in testing them. Different information security tests can be posted on the site for completion by the employees. These tests can cover different security aspects. The results of the tests are then checked to see whether or not if the employee successfully completed the test. If the employee failed the test, more information can be sent to the employee about that specific information security aspect(s). The employee is then asked to take the test again. By doing the testing via websites, an information security awareness profile can be built up for every employee. The results of the tests that were done by the employee can then be added together to compile a profile of the state of information security awareness in the whole organisation. Educating employees by means of a website has many advantages. This kind of security awareness education is not only for employees at the same geographical location but can be used for any employee anywhere in the world who has access to the Internet. This concept of education over the Internet falls into the category of distance learning/education. Chapter 6 85

17 Fig AWARENESS IS THE KEY TO SECURITY S-A-F-E Security Awareness for Everyone Main Page Passwords PC Security Backups use Passwords Passwords are an integral part of overall security. Unfortunately, they are one of the vulnerabilities most frequently targeted by someone trying to break into a system. There are several ways an unauthorized person (ie: hacker/cracker) might try to gain access to another person's password. Often, people use personal information such as their own or a family member's name as a password. This is one of the first things a hacker or cracker might try. A more sophisticated method is password cracking software. Most of these programmes can 'crack' a password within seconds by using large dictionary files and lists of common names or passwords. Another type, known as a 'brute force' attack, attempts every possible combination of letters, numbers, or special characters. Back to Main Page Creating Stronger Passwords Figure 6.8: Internet awareness programme [SEC00] Chapter 6 86

18 According to Czirr [CZI00], an Internet education programme saves time and space and reduces or eliminates travel requirements for those working in satellite facilities. This means that the state of the organisation s information security awareness can be known at any time and potential information security risks can be stopped well in advance. Figure 6.8 is an example of the home page of an information security awareness programme. The table below evaluates the Internet method according to the criteria already mentioned above. Table 6.6: Evaluation of Internet Evaluation: Number of employees involved: Number of different geographical locations involved: Funds needed: Timeframes needed for presentation: Level of awareness of employees: Amount of awareness information displayed: High High Low Medium Medium High The contents of an information security awareness programme The method used to present an information security awareness programme is very important, but what is more important, is the awareness information that will be presented. Figure 6.2 depicted that education is based around a best practice. This means that an organisation must educate its employees about the information security awareness aspects that can be found in a best practice. One aspect that BS 7799 addresses is passwords. The section on password use is under the heading Access control in the ISO/IEC guidebook and includes the following [BRI99]: Chapter 6 87

19 Keep password confidential Avoid keeping a paper record of password, unless this can be stored securely Change passwords whenever there is any indication of possible system or password compromise Select quality password with a minimum length of six characters Not based on anything somebody else could easily guess or obtain Free of consecutive identical character or all numeric of all alphabetical groups Change passwords at regular intervals or based on the number of accesses Change temporary passwords at the first log-on Do not share individual user passwords. The information security aspects mentioned above cover only a small amount of information that can be included in an information security awareness programme. This information can be handed to the employees in the following ways: [SEC00] Full presentation on CD Printed handouts Printed speaker notes Presenter's guide Customised audio intro End-user quiz Information security aspects that can be included in the handouts mentioned above and discussed in an information security awareness programme include: [SEC00] Password Construction Password Management Internet Usage Telephone Fraud Chapter 6 88

20 Usage Viruses PC Security Software Licensing Backups Physical Security Social Engineering Data Confidentiality These are many aspects that can be included in the presentation of an informality security awareness programme. Ultimately, each organisation must decide which information security aspects will be included in the awareness programme. 6.5 Conclusion This chapter investigated the presentation methods that can be used to present information security awareness programmes to employees. The main purpose of an information security awareness programme is to make employees aware of their information responsibilities in terms of information security in an organisation. All employees must be aware of information security measures before they can comply with them. This means that it is up to organisations to inform employees about information security issues. Using the definitions of confidentiality, integrity and availability, a basic understanding of information security is possible. These security awareness measures can be presented to the employees by way of information security awareness programmes. Each of the presentation methods has been evaluated against a set of criteria. These information security awareness programmes cannot be a once-off programme, but must be ongoing for the optimum results. These information security awareness programmes and information security measures must become part of all the Chapter 6 89

21 employees everyday routines. Before the employees can start securing information in the workplace, they must know what can be done to prevent information security incidents. The next chapter will investigate the fourth and last information security trend of the institutional wave. The fourth trend is about measuring the information security situation in an organisation. The reason for measuring information security is to determine whether or not information security measures are complied with. Chapter 6 90