IMPLEMENTING AN EFFECTIVE INFORMATION SECURITY AWARENESS PROGRAM




IMPLEMENTING AN EFFECTIVE INFORMATION SECURITY AWARENESS PROGRAM

by

AMANDA WOLMARANS

DISSERTATION

Submitted in fulfilment of the requirements for the degree
MASTER OF SCIENCE
in
COMPUTER SCIENCE
in the
FACULTY OF SCIENCE
at the
RAND AFRIKAANS UNIVERSITY

SUPERVISOR: PROF. S.H. VON SOLMS

JUNE 2003

Summary

The aim of this project and dissertation is to develop an effective information security awareness program that can be implemented within an organization. The project starts with a literature study that focuses on the requirements for an information security awareness program, research that has already been done in this area, and behavioural issues that need to be considered during the implementation of such a program. A secondary deliverable of this project is a web-based security awareness program that can be used to make employees more security aware and that should complement a total security awareness program within an organization.

Chapter 1 provides an overview of the problem statement, the objectives and structure of the project and dissertation, and the approach that was followed to solve the problem. In chapter 2 the concept of security awareness and the different components it consists of are defined. The difference between awareness, training and education, and the importance of implementing a security awareness environment within an organization, are explained. Chapter 3 discusses the ISO 17799 security standard, what it says about security awareness, and the importance of employee training. The security awareness prototype that was developed as part of this study plays a role in achieving the training objective. The attitude problem is the focus of chapter 4: for a security awareness program to be effective, people's attitude towards change must be changed, and the behavioural change must be measured to make sure that the attitude towards change did in fact change. The security awareness prototype is introduced in this chapter as a tool that can assist an organization in achieving its security awareness goals. Chapter 5 introduces the security awareness prototype in more detail. This prototype is an example of a web environment that can be used to train users to a higher degree of security awareness. Chapter 6 goes into more detail about the structure of the security awareness web environment: access control and how it is achieved is explained, and the objectives of the 10 modules and the test at the end of each module are described. Links and reports can also form part of this prototype to make it a more comprehensive solution. Chapter 7 provides an overview of a case study that I researched. It focuses on research done by Hi-Performance Learning on the human factor that is involved in any training program, and I explain how they succeeded in addressing this and people's sensitivity towards change. Chapter 8 explains the importance of choosing the right course content, learning media and course structure, and how this led me to develop a web-based security awareness prototype. Other mechanisms, such as posters and brochures, that can be used as part of a comprehensive security awareness program are discussed in chapter 9. Chapter 10 concludes the dissertation by providing an overview of how the security awareness program can be implemented and managed within an organization. A summary of how the objectives of this project and dissertation were met is given at the end of this chapter.

Summary (translated from the Afrikaans Opsomming)

The aim of the project and dissertation is to develop an effective information security program that can be implemented within an organisation. The project begins with a literature study that focuses on the requirements for an information security awareness program, research that has already been done on this topic, and behavioural aspects that must be taken into account during the implementation of such a program. A secondary result of the project is to develop a web-based security awareness program that can be used to make employees more security aware. This program should complement a more complete security awareness program in an organisation.

Chapter 1 gives an overview of the problem statement, the aim and structure of the project and dissertation, and the method that was followed to do the research to solve the problem. In chapter 2 the concept of security awareness and the different components of which it consists are defined. The difference between awareness, training and education is explained, as well as the importance of implementing a security awareness environment within an organisation. Chapter 3 discusses the ISO 17799 security standard and what it says about security awareness and the importance of employee training. The security awareness prototype that was developed as part of the study plays a role in training employees in security awareness. The attitude problem is the focus of chapter 4. For a security awareness program to be successful, people's attitude towards change must be changed. It is also important to measure the behavioural change to make sure that the attitude towards change has in fact changed. The security awareness prototype is introduced, and it is noted that it can be used to help an organisation achieve its security awareness goal. Chapter 5 discusses the security awareness prototype in more detail. The prototype is an example of a web environment that can be used to train users in security so that they can be more security aware. Chapter 6 goes into more detail about the structure of the security awareness web environment. Access control and how it is achieved is explained. The aim of the 10 modules and the test at the end of each module are also mentioned. Information links and reports can also form part of the prototype to provide a more complete solution. Chapter 7 provides an overview of a case study I researched on research done by Hi-Performance Learning on the human factor involved in any training program. I explain how they successfully address the problem of people's sensitivity towards change. Chapter 8 explains the importance of choosing the right course content, course structure and learning medium, and how this led me to develop a web-based security awareness prototype. Other mechanisms such as posters and brochures that can be used as part of a more complete security awareness program are discussed in chapter 9. Chapter 10 is a summary of the dissertation and provides an overview of how the security awareness program can be implemented and managed in an organisation. A summary of how the aim of the project and dissertation was achieved is given at the end of this chapter.

Contents

1. Introduction
   Problem Statement
   The objectives of the project and dissertation
   The approach and research
   The overall structure of the dissertation

2. What is Security Awareness?
   Components of an Information System that need to be secured
   Why is security awareness necessary?
   Security Awareness vs. Training vs. Education
   The assets-, threats-, countermeasures-, responsibility concept

3. ISO 17799 and Information Security Awareness
   Is it a Policy, a Standard or a Guideline?
   What is ISO 17799?
   ISO 17799 and Information Security Awareness
   ISO 17799 controls and the Security Awareness Prototype

4. The Attitude problem
   Mind-Talk or Attitude explained
   People's attitude towards security
   How to change people's attitudes
   Measuring the behavioural change
   Security Awareness Prototype: Changing users' mind-talk or attitudes
   Summary

5. Introduction to the Security Awareness Prototype
   The Security Awareness Web environment
   The technologies that were used to develop the prototype
      Database Technology
      Visual Basic Web Development
      Multimedia content
   The role players
   Summary

6. The structure of the Security Awareness web environment
   The Security Awareness Laws
   Access control
   The modules
      Computer Login
      Passwords
      PC Security
      Backups
      Computer Viruses
      Internet Usage
      E-mail Usage
      Social Engineering
      Software Piracy
      Who to contact
   Testing the user

7. A Security Awareness Program: Case Study
   The approach of the Security Awareness plan
   The Human Performance System
   Non-Training factors that impact human performance
   The Micro level environment
   The Practice
   Bringing the concept of the Micro level environment and practice into the study

8. Implementing an effective Security Awareness Program
   The skills and competence performance factor
   Why training solutions struggle to deliver these learning outcomes
      Ineffective Learning and Performance Needs Analysis
      Inappropriate and Ineffective Course Content and Structure
      Inappropriate Selection of Learning Media
         Instructor-Led Training
         Computer-Based Training
         Combining instructor-led training and computer-based training
      Ineffective Learning Support
      Ineffective Learning Assessment
   Learning management requirements

9. Mechanisms that can be used as part of a Security Awareness Program
   Posters
   Screensavers
   The Intranet
   Brochures
   Multimedia computer-based training
   Custom Awareness Programs
   Talks
   Trinkets
   Security Awareness day
   Professional Help

10. Implementing and Managing the Security Awareness Program
   Approaches for implementing an effective Information Security Awareness Program
      Bottom-Up Approach
      Top-Down Approach
   Using the development strategy to support the implementation of a Security Awareness project
   Summary

References

Figures and Tables

Figure 1: A graphical representation or roadmap of the chapters
Figure 2: Security Awareness in the learning continuum
Figure 3: A television: example of an asset
Figure 4: Company information or electronic assets
Figure 5: Model that defines behavioural and knowledge requirements
Table 1: The mind-talk and associated desired norms and undesired norms
Figure 6: The culture transition
Figure 7: Three levels of an integrated communication strategy
Figure 8: Key content elements
Figure 9: Communication channels
Figure 10: Different means of delivering training
Figure 11: The importance of managing behavioural change
Figure 12: The first screen of the Security Awareness Program prototype
Figure 13: The Micro Level Environment
Figure 14: An example of a poster that can be used as part of a Security Awareness Program
Figure 15: Approaches to Security Implementation
Figure 16: The Development Strategy with the 6 phases