How to Deploy the Survey Below are some ideas and elements to consider when deploying this survey.

Transcription

1 SECURITY AWARENESS SURVEY Is a survey necessary A survey will give you insight into information security awareness within your company. The industry has increasingly realized that people are at least as important as technology, and probably more important when it comes to protecting information assets. An organization that lacks security awareness on the part of users of technology may experience more security incidents, greater losses, and increased risk of compliance failure. The extent of such risks is difficult to measure but, like any organizational behavior, more visibility into the nature of the behavior leads to better control and management of that behavior. That s why we view a survey as necessary. This survey is not a magic bullet, nor a crystal ball. It is a diagnostic instrument that can provide empirical evidence of security behaviors and attitudes within the organization. The data collected can then be used to identify areas of possible improvement and risk reduction. When administered repeatedly over time, the survey can provide a baseline of security awareness that may indicate progress or challenges for the security awareness program. How it works There are 30 questions, measuring characteristics of the company s security awareness posture. Some questions collect factual data (role, time in job, etc.) while others collect data about the user s awareness, attitudes and behaviors. How to Deploy the Survey Below are some ideas and elements to consider when deploying this survey. 1. Identify executive stakeholders or sponsors to help promote the value of the survey, perhaps even have them send an organization wide announcing the survey and its purpose. 2. Have the survey reviewed and approved by public relations, HR, or legal. 3. Identify the scope of users you want to take the survey (employees, contractors, volunteers, etc.) Don t forget to include management and specialists, who are also end users of technology. 4. Determine if the survey will be required or is voluntary. If it is voluntary, what is the motivation or is there a prize for taking the survey? 5. Consider whether the survey should be anonymous, particularly if asking questions about behaviors that may violate company policy. Respondents are more likely to be honest if they are not worried that their response may incriminate them or result in punishment. 6. Evaluate and chose a survey engine or learning management system from which to conduct to the survey (Google, Survey Monkey, etc.).

2 7. Determine how long to leave the survey open. 8. Determine the audience for the results of the survey and how to disseminate insights gained. 9. Determine if you will conduct longitudinal surveys of the same respondents to measure progress over time (perhaps as the result of specific awareness interventions). Survey Questions 1. What is your employment status? a. Full time employee b. Part time employee c. Contractor d. Partner e. Vendor f. Other (please describe open field) 2. What is your management position? a. I am an executive or other senior manager b. I am a front line manager c. I am not a manager but I supervise others (team or project lead) d. I am not a manager 3. Where do you work? a. Sales b. Accounting c. Marketing d. Information Technology e. Human Resources f. Manufacturing g. OTHER [AS NECESSARY] 4. How long have you worked in your role? a. More than five years b. Three to five years c. One to three years d. Less than one year 5. How aware are you of the activities of the company s information security organization? a. I know where the organization sits in the organization, what they do, and how to contact them b. I know we have such an organization and where to go to find out more about them c. I ve heard that organization mentioned, but I have no more knowledge than that d. I did not know we had such an organization in our company 6. When was the last time you remember interacting with the company s information security team (receiving an , receiving security training, having an information security team member in a meeting, etc.)? a. Within the last week

3 b. Within the last month c. Within the last year d. It s been over a year e. I have never interacted with the information security team 7. How important are the actions and activities of the company s information security organization to your daily job and tasks? a. Very important I use materials and guidance they provide almost every day b. Somewhat important they have given me skills and knowledge that have helped me in my job c. Neither important nor unimportant I assume their activities function in the background d. Not important I don t feel like I get any benefit from the information security organization e. Detrimental the information security organization actually hinders my job performance f. Unknown I know nothing about the information security organization 8. How confident are you that you can recognize the symptoms and signs of a computer security incident? Computer security incidents may include viruses and malware on your PC or phone, a hacker gaining unauthorized access to your system, or an attacker tricking you into giving away sensitive data over the phone or by . d. Not very confident e. No confidence at all 9. How confident are you that you would recognize the symptoms of a specific security incident [NOTE: customize this question with any particular scenario of interest]. d. Not very confident e. No confidence at all 10. Have you ever been directly involved in a security incident? Computer security incidents may include viruses and malware on your PC or phone, a hacker gaining unauthorized access to your system, or an attacker tricking you into giving away sensitive data over the phone or by . a. Yes b. No c. I don t know or am not sure 11. If you were to suspect that your computer, smart phone, or other device was involved in a security incident such as a virus, a hacker attack, or some other problem, how confident do you feel that you know how to respond to and report the situation?

4 d. Not very confident e. Not confident at all 12. If you were to suspect that your computer, smart phone, or other device was involved in a security incident such as a virus, a hacker attack, or some other problem, what would you do? Select all that apply. a. Tell my manager b. Tell my coworkers c. Contact the IT Security team (I currently have this information or know where to find it) d. Contact the IT Help Desk (I currently have this information or know where to find it) e. I do not know who I am supposed to inform if this happens f. I would be worried about telling anyone, since I might get in trouble 13. I have been given the information necessary to know what to do if I suspect that my computer, smart phone, or other device was involved in a security incident, such as a virus, a hacker attack, or some other problem. a. I have all the information I need to respond and report the incident b. I have some of the information I need to respond and report the incident, but I have questions c. I would be confused as to what to do because I do not have all the information I need d. I feel like I have no information regarding what to do in such an event, and might ignore it 14. Without being specific, do you know of any situations in the company where someone has given their password to another person for any reason? a. Yes b. No c. I don t know or am not sure 15. Without being specific, do you know of any situations where people in the company share the same password for an IT system or application? a. Yes b. No c. I don t know or am not sure 16. How familiar are you with the company records retention policy, including the proper ways to create, classify, manage, and dispose of both electronic and hard copy documents? a. Very familiar b. Somewhat familiar d. Not very familiar e. I do not know what that policy is 17. How familiar are you with the company information classification policy, including the proper ways to identify and label both electronic and hard copy documents? a. Very familiar b. Somewhat familiar d. Not very familiar

5 e. I do not know what that policy is 18. How confident are you that you know how to protect sensitive company information in electronic documents, including how to label, share, and securely dispose of such information? d. Not very confident e. Not confident at all 19. How well do you feel the company manages IT assets including computers, phones, and other devices to protect them from security threats? a. The company manages computer security very well b. The company manages computer security well c. The company manages computer security neither well nor badly d. The company manages computer security badly e. The company manages computer security very badly f. I don t know 20. How much do you worry about the risk of using IT assets including computers, phones, and other devices inside the company? a. I worry a lot about the risks b. I sometimes worry about the risks c. I rarely worry about the risks d. I never worry about the risks e. I don t know or have never thought about the risks 21. How involved do you feel in the daily process of information security and protecting the company s information assets? a. I feel very involved b. I feel somewhat involved c. I feel somewhat uninvolved d. I feel very uninvolved e. I don t know or have never thought about it 22. How much do you worry about becoming the victim of a phishing attack at work? a. A lot b. A little c. Not at all d. I don t know what phishing attack means 23. How often do you receive s with attachments or links to the Web? a. Very often once or more each day b. Often more than one each week c. Occasionally a few each month d. Almost never less than one per month e. I don t understand the question 24. How often do you receive s from strangers or organizations you do not recognize?

6 a. Very often once or more each day b. Often more than one each week c. Occasionally a few each month d. Almost never less than one per month e. I don t know 25. Of the s you receive with attachments or links to the Web, how often do you open the attachment or click on the link? a. Every time b. Sometimes c. Rarely d. Never e. I don t understand the question 26. To what extent would you agree to the following statement: No hacker would attack me or my computer. I don t have anything they would want a. Completely agree b. Agree somewhat c. Neither agree nor disagree d. Disagree somewhat e. Completely disagree 27. In the past three months, have you (check all that apply): a. Tried to visit a website and found that the company blocks you from doing so? b. Wanted to visit a website but did not do so because you knew it was against company policy? c. Visited a website even though you were not sure whether it was against company policy? d. Known of someone who deliberately visited websites that were explicitly prohibited by company policy. 28. Based on your everyday work experience, how would you rank the following priorities of your organization? Please rank the most important priority as 1, the next important priority as 2 and so on. a. Financials (profit, revenue, share price, etc.) b. Customer satisfaction (delivery, marketing, complaints) c. Innovation (the ability to create new products and/or business processes) d. Information Technology (using the best, most modern technologies) e. Information Security (protecting company information assets) f. Employees (safety, satisfaction, retention) g. Other (please list) 29. Do you ever feel pressure to do more with less in your job, even if that means cutting corners in some areas in order to complete others? a. Always b. Often, but not always c. Sometimes d. Not very often

7 e. Never 30. How many times, in the last year, have you heard information security discussed in a formal setting outside of specific security training exercises (for example, in staff meetings, in general company memos or s, or in performance reviews)? a. I have never heard security discussed unless I was taking security training f. On occasion, I have heard about security, but usually because of some specific event g. Security is talked about as often as anything else, even when I m not undergoing specific training h. Security is often a topic, in a variety of settings, during my daily job Security is always top of mind, and is discussed c Popcorn Training Feel free to contact us for further information & assistance. Tel: [email protected] Website: Ref: Securing the human. (SANS)