#113 Keeping Information Security Awareness Training Fresh
Peter R. Bitterli, CISA, Principal, Bitterli Consulting AG, http://www.bitterli-consulting.ch, prb@bitterli-consulting.ch

Please observe the copyright: You are allowed to use and further distribute this presentation only with this copyright notice attached. If you use parts of this documentation in presentations or other diagrams you have to refer to the source. Any commercial use of this presentation is only allowed with written consent of the author.

Abstract
This session provides insight into the tricks of running a successful information security awareness campaign. It explains both scientific and pragmatic means of analysing the need for improvement and helps the information security manager recognise the importance of structuring the campaign for different target audiences (e.g. managers, employees, IT staff) and their specific cultural and professional backgrounds. The session shows typical unwanted behaviour of the target audiences and some of their special characteristics that can help in convincing them of something they may not initially be keen to implement.

Learning Objectives
Participants will learn about:
- Developing and running an international awareness campaign
- Analysing the needs for a campaign and its specific goals and objectives
- The advantages and disadvantages of typical campaign components (e.g. brochures, training, video, e-learning)
- Taking advantage of successful marketing and sales techniques
- Measuring the success of campaign elements

Content
- Why is it so difficult to sell security?
- The basics of selling security
- Target audience analysis
- More scientific approaches
- How to use awareness tools
- Awareness video (Swiss Re)
- Wrap-up

Part 1: Introduction to Information Security Awareness

Need for a formal Program
Security awareness is a combination of culture and behaviour. The attitude and behaviour of staff have a high impact on the quality and security of any type of service. It is therefore essential to prompt everyone involved to be careful when creating, processing, using or handling information and information systems.

Target of any Campaign
Only a longer-lasting program will raise awareness to the necessary level.
[Figure: personal commitment (low to high) plotted against time, rising through contact, understanding, awareness, adoption, positive image and acceptance to internalization, across Level 1, Level 2 and Level 3]
The overall target of any awareness campaign should be to convey correct security- and quality-aware behaviour so that a high level of personal commitment can be achieved.

Level 1: Basic Understanding
The goal of level 1 is to introduce a basic understanding of why quality and security are needed and why each person must contribute through correct behaviour. Level 1 typically addresses all employees (users of IT) and all levels of management.

Level 2: Quality & Security Thinking
The attitude of every member of staff must be changed sustainably. To do this, we must show them how they, as the persons affected, can contribute to a high level of quality and security. Level 2 typically also addresses more specific target groups (e.g. software developers, system administrators, business managers responsible for internal controls).

Level 2: Quality & Security Thinking (cont.)
Level 2 can only be reached with the support of management and through the integration of quality and security into their daily tasks, e.g.:
- Fixed item on the agenda of regular meetings
- Integration into strategy and planning processes
- Integration into objectives for subordinates
- Monitoring and compliance reviews of policies

Level 3: Towards Internalization
Only where quality and security are considered automatically will an adequate level of security be reached. Level 3 means that every person involved considers quality and security aspects with every action or decision.

Level 3: Towards Internalization (cont.)
Internalization will only be reached where the following requirements are met:
- Binding and understandable regulations for quality and security
- Incentives for correct conduct
- Sanctions for non-compliance, based on concise criteria
- Ongoing comparison between different areas using benchmarking

Part 2: Selling Information Security Awareness: the Basics

Selling Security is difficult
Some of the most common reasons for failure of awareness campaigns:
- Unsuccessful track record
- Failure to fulfil management's expectations
- Lack of organisational understanding by security staff
- Failure in coordination between the control functions
- Evolving organisation structures
- Lack of a coordinated security sales program

Business Objectives (how to sell IT security)
- Know your organisation's primary business objectives
- Familiarise yourself with the industry and business operations: annual reports, organisational charts, strategic plans, interviews with business managers
- Analyse business needs and what could threaten the objectives being met

Sales Strategy (how to sell IT security)
- Sell to more than one level of management
- Sell the security professional (yourself) first
- Avoid negative security messages
- Know sales techniques and general marketing techniques; a variety of approaches is available
- Don't forget personal presentations and one-to-one selling

Selling to Managers (I)
- Security policy, baseline controls, guidelines: present and discuss; ask for feedback; let the managers explain them to subordinates
- Awareness materials: present and discuss; ask for an accompanying letter; have them talk about this during meetings
- Distribute articles about security: with a commenting letter, or in person ("have you seen this?")

Selling to Managers (II)
- Report on security matters: in person once every month; fixed item on the agenda for meetings
- Encourage managers to attend meetings, seminars and conferences on security
- Be prepared before facing management: anticipate questions and objections (FAQ); ask them for a decision; handout material; follow-up visit

More Marketing Aspects (how to sell IT security)
- Make people want to be secure
- Display high-level support
- Encourage people to be alert
- Point out the risks
- Be simple but comprehensive
- Be targeted and never assume knowledge
- Be entertaining and amusing
- Be two-way

Part 3: Analyse the Target Audiences

Select your Target Groups (I)
Whom do you want to address with your awareness campaign?
- Users: normal users; users with access to sensitive data; home office; travelling users (with laptop, PDA, diary, mobile phone); temps; new joiners
- Management: your boss; business managers; executive management
- Control-related functions: Legal; Compliance; Human Resources; Controlling; Data Protection Officer

Select your Target Groups (II)
- IT: manager(s); developers; operations; administrators; help desk
- External: clients; business partners; audit committee; outsourcing providers

Analyse your Target Groups
Know your enemy if you want to be successful. For every target group collect:
- Description
- Major (security) concerns of target group members
- Unwanted behaviour
- Expected behaviour
- Possible delivery mechanisms (marketing ideas)
The following slides give examples for three of the many target groups: managers, users, IT staff.

Target Group: Management (I)
Typical example of the results of a target group analysis.
Description: persons responsible for a department, a (large) team or a specific area/topic (e.g. Data Protection Officer, Compliance); hierarchically senior; better paid; (often) better educated; career oriented.
Major (security) concerns: unavailability of data and computing resources; unauthorised access to data (e.g. sensitive or confidential data); too high a level of access for temps etc.; Internet and third-party access.

Target Group: Management (II)
Unwanted behaviour: not all are concerned about (IT) security; see no need to provide resources for quality and/or security; do not monitor their area of responsibility; are often under high pressure to perform; keep problems to themselves; set bad examples; pass on their passwords to secretaries; grant too much access to third parties (consultants, business partners).

Target Group: Management (III)
Expected behaviour: really care about security; provide resources for quality and/or security; check back whether their orders have been carried out.
Possible delivery mechanisms: security as a fixed part of the agenda in all regular meetings; MbO (management by objectives) targets that impact the bonus; standard management trainings; train-the-trainer; quarterly security management report.

Part 4: Analyse the Target Audiences a more Scientific Approach

Behaviorism can help
Many different scientific approaches exist. Behaviorism shows how persons really behave and what persons really think. Scientific approach: questionnaires, interviews, observation (video, measuring brain activity, ...). It supports effectiveness: problems/concerns, behaviour, motivation; you know what makes them tick. It supports efficiency: focus on the target group(s) and on the important issues.

Behaviorism can help (cont.)
Two of the many approaches explained:
- 4 Ways of Life analysis: grouping based on predefined criteria; supports focussing on the most common types, e.g. hierarchists and individualists
- Risk & Security Perceptions: grouping based on common criteria; supports focussing on just a few factors; produces highly valuable starting points for a campaign

4 Ways of Life analysis (Prof. Dake)
Systematic and scientific assessment of cultural biases. The four types are positioned on two axes: degree of social regulation (low to high) and degree of social contact (low to high).
- Fatalist (emphasise gains and losses). Views: nature is a lottery, capricious; outcomes are a function of chance. Preferences: weigh gains against losses.
- Individualist (emphasise responsibility). Views: nature is resilient; outcomes are a personal responsibility. Preferences: personal responsibility; free of control; oppose top-down intervention; dislike organised societal learning.
- Hierarchist (emphasise risk assessment). Views: nature is tolerant if treated with care; outcomes can be managed to be sustainable. Preferences: regulators/contracts to facilitate commerce; voluntary arrangements brokered by markets and prices.
- Egalitarian (emphasise impact). Views: nature is vulnerable; outcomes require altruism and common effort. Preferences: precaution (it is irresponsible to take action which could harm the current or future state).

4 Ways of Life analysis (Prof. Dake), using the results to our advantage
We can and should focus on the most frequent types:
- Hierarchists: emphasise the importance of technology for decision making; focus on rules and expected norms of behaviour; the message must be delivered by, or jointly with, line management
- Individualists: appeal to personal responsibility; do not emphasise strict rules, policies and procedures; use distribution channels other than organised training; use MbO and appraisal processes to reward desired behaviour

Risk and Security Perceptions: scientific background
All persons simplify information to enable decisions. Questionnaires and mathematical methods are used to find out how persons perceive and simplify complex information. The different ways of combining information can provide insights into thinking, blind spots, ...

Risk and Security Perceptions: assessment methodology
- 18 risk scenarios (stimuli)
- 13 risk elements (attributes)
- 7-point bipolar scale (yardstick)
Attributes: overall risk; frequency; likelihood; stress; accidental/deliberate; recovery; technology/human cause; costs; individual/organizational effects; effects contained within/outside the organisation; embarrassment; reputation; major/minor consequences.
Scenarios: employee uses password; data entry error; coffee damages equipment; Y2K failure; slow machines; no training; power cut; credit cards stolen; Internet use at work; hacker steals; payroll data lost; disc stolen; computer virus; disclose personal data; eye strain; software fault; poor software; obsolete system.

Risk and Security Perceptions: presenting the results (UK financial sector)
[Figure: the 18 scenarios plotted on axes labelled Probability, Seriousness and Technology/Human causes. Attribute loadings shown: Recovery 0.940; Reputation 0.902; Consequences 0.895; Effects in/out 0.867; Overall risk 0.814; Tech/Human causes 0.808; Frequency 0.803; Costs 0.711; Likelihood 0.592. Scenarios plotted: payroll data lost, disc stolen, hacker steals, Y2K failure, computer virus, disclose personal data, employee uses password, credit cards stolen, coffee damages equipment, obsolete system, software fault, poor software, slow machines, power cut, data entry error, no training, eye strain, Internet use at work.]

Security Perceptions Survey: results give valuable insight (managers)
Managers concentrate, for their personal risk evaluation, on: the impact on themselves (embarrassment) and on the organization (reputation); past events (frequency) rather than the likelihood of an event happening in the future.
Managers should (also) observe: recoverability; overall consequences (impact); causes of possible problems; probability, not frequency.

Security Perceptions Survey: results give valuable insight (IT staff)
IT staff think about: whom they can blame (human cause or technical failure); how to manage risks; costs alone (they do not use other factors such as reputation or embarrassment).
IT staff should focus more on: individual and/or organizational effects; accidental/deliberate causes; embarrassment and stress.
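The two survey conclusions above (managers judge risk by embarrassment, reputation and past frequency; IT staff by cost) are the kind of result the perception questionnaire is meant to surface. The following is an added example, not code from the presentation or its author, showing how such a finding is derived from the raw ratings: for each group, correlate every attribute rating with the respondent's "overall risk" rating across scenarios; the attributes that move with the overall judgement are the group's real decision factors, those near zero are its blind spots. Pearson correlation is used here as a simple stand-in for the factor loadings reported on the slides (the slides do not name their method). The scenario and attribute names follow the slides; the response data, the group profiles `MANAGER_PROFILE` and `IT_STAFF_PROFILE`, and every function name are constructed for the illustration.

```python
"""Constructed perception-survey analysis (added example, not from the slides).

Each respondent rates every scenario on several risk attributes and on
'overall risk' (7-point scale, as in the slides).  We ask which attributes
best predict a group's overall-risk rating: those are the factors the group
actually uses; attributes with near-zero correlation are blind spots.
The response data are generated from a seeded profile and are NOT survey
results; scenario and attribute names are taken from the slides.
"""
from math import sqrt
from random import Random

SCENARIOS = ["payroll data lost", "disc stolen", "hacker steals", "computer virus",
             "employee uses p/w", "coffee damages equip", "power cut", "no training"]
ATTRIBUTES = ["frequency", "likelihood", "recovery", "costs", "embarrassment", "reputation"]
SCALE_MIN, SCALE_MAX = 1, 7


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def attribute_drivers(responses):
    """responses: list of (scenario, {attribute: rating}, overall_rating).

    Returns [(attribute, r)] sorted by |r| descending: the attributes whose
    ratings move together with the group's 'overall risk' judgement."""
    overall = [o for _, _, o in responses]
    drivers = [(a, pearson([r[a] for _, r, _ in responses], overall)) for a in ATTRIBUTES]
    return sorted(drivers, key=lambda t: abs(t[1]), reverse=True)


def blind_spots(drivers, threshold=0.2):
    """Attributes the group effectively ignores when judging overall risk."""
    return [a for a, r in drivers if abs(r) < threshold]


def constructed_responses(profile, n_respondents, seed):
    """Generate constructed survey data (hypothetical, for illustration only).

    profile maps attributes to the weight the group puts on them (sum 1.0);
    attribute ratings are drawn uniformly, overall risk = weighted sum + noise."""
    rng = Random(seed)
    rows = []
    for _ in range(n_respondents):
        for scenario in SCENARIOS:
            ratings = {a: rng.randint(SCALE_MIN, SCALE_MAX) for a in ATTRIBUTES}
            score = sum(profile.get(a, 0.0) * ratings[a] for a in ATTRIBUTES)
            score += rng.uniform(-1.0, 1.0)
            overall = max(SCALE_MIN, min(SCALE_MAX, round(score)))
            rows.append((scenario, ratings, overall))
    return rows


# Hypothetical group profiles mirroring the slides' findings: managers weight
# reputation, embarrassment and past frequency; IT staff weight costs.
MANAGER_PROFILE = {"reputation": 0.5, "embarrassment": 0.3, "frequency": 0.2}
IT_STAFF_PROFILE = {"costs": 0.8, "recovery": 0.2}


def group_report(name, profile, seed, n_respondents=25):
    """Rank the attributes for one group and list its blind spots."""
    drivers = attribute_drivers(constructed_responses(profile, n_respondents, seed))
    print(f"{name}: overall risk driven by", [(a, round(r, 2)) for a, r in drivers])
    print(f"{name}: blind spots", blind_spots(drivers))
    return drivers


if __name__ == "__main__":
    group_report("managers", MANAGER_PROFILE, seed=1)
    group_report("IT staff", IT_STAFF_PROFILE, seed=2)
```

With real questionnaire data, `constructed_responses` is replaced by a loader for the collected ratings; the ranking and blind-spot logic stay the same. The blind-spot list is the campaign input the slides ask for: the attributes a group ignores (for managers, likelihood and recoverability; for IT staff, reputation and embarrassment) are exactly the ones its awareness material has to put in front of it.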

Part 5: How to use Awareness Tools

Awareness Tool Set (I)
Wide range of possible marketing elements:
- Paper based: articles; brochures; handbooks; posters, mini-posters; stickers; ads; tips & tricks
- Electronic: CBT; videos; intranet web site; e-learning / e-lab
- Others: 1-to-1 marketing; security training; security reps

Awareness Tool Set (II)
- Useful things: mouse mat; screen saver; calendar; office material; note pads; Post-it notes; pencils
- Others: table stand; magnetic signs; napkins, mugs; toilet paper; security calculator; security games; other give-aways

Security Brochures (Example A)
Advantages: highly attractive; can really raise understanding for security; can be produced to appeal to the reader.
Disadvantages: difficult to ensure that they are read by everybody completely; tendency to contain too much text and be too long-winded; outdated when printed; one-way communication.

Security Brochures (example brochures shown on the slide)

Articles in Magazines (Example B)
Advantages: high attentiveness; interesting and attractive messages.
Disadvantages: not personalised; need to be done very professionally; articles soon lose attractiveness; one-way communication.

Videos (Example C)
Advantages: simple short messages; can be easily integrated into other events; huge variety possible; many highly professional videos available for sale.
Disadvantages: very expensive, especially if individually produced; have a tendency to be exaggerated; boring for trainers that use videos; one-way communication.

Posters, Mini-posters (Example D)
Advantages: highly visible; memorable; concentration on the most important messages.
Disadvantages: distribution often difficult or costly; need space to hang; one-way communication.

Security Trainings (Example E)
Advantages: easily tailored; personal; participation can be fun; intensive knowledge transfer; opportunity for questions; highly satisfactory for security officers.
Disadvantages: time consuming; needs a highly sophisticated approach; needs highly qualified trainers; rollout can be organisationally demanding.

Visualisation: define the corporate identity of the awareness campaign
- Logos: define a security logo
- Brand / CI: define a recognisable brand
- B/W or colour: not just a matter of cost
- Photographs: of people? of negative scenes?
- Cartoons: not at all? for specific elements, e.g. e-learning, posters? in brochures?

Cross-linking Elements (II): some successful examples
Example C (2002): slogan; logo (unofficial); articles; brochure; posters; training for end users and laptop users; give-aways.
Example C (cont.): e-learning on IT regulations for developers and operations/admin; e-lab for developers and operations/admin.

Awareness Life Cycle
Level 0: unconscious incompetence. Awareness leads to Level 1: conscious incompetence. Training leads to Level 2: conscious competence. Experience leads to Level 3: unconscious competence. Complacency leads back to Level 0.

The optimal Campaign: my personal experiences of the last 13 years
Do a proper project: project leader; steering committee; detailed time plan; set of deliverables; budget for 2-3 years. Address the campaign to different target audiences.
A good campaign has: goals defined; target audience analysed; staged over a longer period; multi-channel approach; highly cross-linked.

If you have any awareness material for my collection