IMPLEMENTING AN EFFECTIVE INFORMATION SECURITY AWARENESS PROGRAM by AMANDA WOLMARANS DISSERTATION Submitted in fulfilment of the requirements for the degree MASTER OF SCIENCE in COMPUTER SCIENCE in the FACULTY OF SCIENCE at the RAND AFRIKAANS UNIVERSITY SUPERVISOR: PROF. S.H. VON SOLMS JUNE 2003
Summary

The aim of this project and dissertation is to develop an effective information security awareness program that can be implemented within an organization. The project starts with a literature study that focuses on the requirements for an information security awareness program, research that has already been done in this area, and behavioural issues that need to be considered during the implementation of such a program. A secondary deliverable of this project is to develop a web-based security awareness program that can be used to make employees more security aware and that should complement a total security awareness program within an organization.

Chapter 1 provides an overview of the problem statement, the objectives and structure of the project and dissertation, and the approach that was followed to solve the problem.

In chapter 2 the concept of security awareness and the different components it consists of are defined. The difference between awareness, training and education, and the importance of implementing a security awareness environment within an organization, are explained.

Chapter 3 discusses the ISO 17799 security standard and what it says about security awareness and the importance of employee training. The security awareness prototype that was developed as part of this study plays a role in achieving the training objective.

The attitude problem is the focus of chapter 4. In order for a security awareness program to be effective, people's attitude towards change must be changed. It is also important to measure the behavioural change to make sure that the attitude towards change did change. The security awareness prototype is introduced in this chapter, and it is noted that it can be used to assist an organization in achieving its security awareness goals.

Chapter 5 introduces the security awareness prototype in more detail. This prototype is an example of a web environment that can be used to train users to a higher degree of security awareness.

Chapter 6 goes into more detail about the structure of the security awareness web environment. Access control and how it is achieved is explained. The objectives of the 10 modules and the test at the end of each module are also mentioned. Links and reports can also form part of this prototype to make it a more comprehensive solution.

Chapter 7 provides an overview of a case study that I researched. It focuses on research done by Hi-Performance Learning about the human factor that is involved in any training program. I explain how they succeeded in addressing this and people's sensitivity towards change.

Chapter 8 explains the importance of choosing the right course content, learning media and course structure, and how this led me to develop a web-based security awareness prototype.

Other mechanisms, like posters and brochures, that can be used as part of a comprehensive security awareness program are discussed in chapter 9.

Chapter 10 concludes the dissertation by providing an overview of how the security awareness program can be implemented and managed within an organization. A summary of how the objectives of this project and dissertation were met is given at the end of this chapter.
Summary (translated from the Afrikaans "Opsomming")

The aim of this project and dissertation is to develop an effective information security program that can be implemented within an organization. The project starts with a literature study that focuses on the requirements for an information security awareness program, research that has already been done on this topic, and behavioural aspects that must be taken into account during the implementation of such a program. A secondary result of the project is to develop a web-based security awareness program that can be used to make employees more security aware. This program must complement a more complete security awareness program in an organization.

Chapter 1 gives an overview of the problem statement, the aim and structure of the project and dissertation, and the method that was followed to do the research to solve the problem.

In chapter 2 the concept of security awareness and the different components of which it consists are defined. The difference between awareness, training and education is explained, as well as the importance of implementing a security awareness environment within an organization.

Chapter 3 discusses the ISO 17799 security standard and what it says about security awareness and the importance of employee training. The security awareness prototype that was developed as part of the study plays a role in training employees in security awareness.

The attitude problem is the focus of chapter 4. For a security awareness program to be successful, people's attitude towards change must be changed. It is also important to measure the behavioural change to make sure that the attitude towards change has indeed changed. The security awareness prototype is introduced, and it is noted that it can be used to help an organization reach its security awareness goal.

Chapter 5 discusses the security awareness prototype in more detail. The prototype is an example of a web environment that can be used to train users in security so that they can be more security aware.

Chapter 6 goes into more detail about the structure of the security awareness web environment. Access control and how it is achieved is explained. The aim of the 10 modules and the test at the end of each module are also mentioned. Information links and reports can also form part of the prototype to provide a more complete solution.

Chapter 7 provides an overview of a case study that I researched on research done by Hi-Performance Learning about the human factor involved in any training program. I explain how they successfully address the problem of people's sensitivity towards change.

Chapter 8 explains the importance of choosing the right course content, course structure and learning medium, and how this led me to develop a web-based security awareness prototype.

Other mechanisms, such as posters and brochures, that can be used as part of a more complete security awareness program are discussed in chapter 9.

Chapter 10 is a summary of the dissertation and provides an overview of how the security awareness program can be implemented and managed in an organization. A summary of how the aim of the project and dissertation was reached is given at the end of this chapter.
Contents

1. Introduction
   Problem Statement
   The objectives of the project and dissertation
   The approach and research
   The overall structure of the dissertation

2. What is Security Awareness?
   Components of an Information System that need to be secured
   Why is security awareness necessary?
   Security Awareness vs. Training vs. Education
   The assets-, threats-, countermeasures-, responsibility concept

3. ISO 17799 and Information Security Awareness
   Is it a Policy, a Standard or a Guideline?
   What is ISO 17799?
   ISO 17799 and Information Security Awareness
   ISO 17799 controls and the Security Awareness Prototype

4. The Attitude problem
   Mind-Talk or Attitude explained
   People's attitude towards security
   How to change people's attitudes
   Measuring the behavioural change
   Security Awareness Prototype: Changing users' mind-talk or attitudes
   Summary

5. Introduction to the Security Awareness Prototype
   The Security Awareness Web environment
   The technologies that were used to develop the prototype
   Database Technology
   Visual Basic Web Development
   Multimedia content
   The role players
   Summary

6. The structure of the Security Awareness web environment
   The Security Awareness Laws
   Access control
   The modules
   Computer Login
   Passwords
   PC Security
   Backups
   Computer Viruses
   Internet Usage
   E-mail Usage
   Social Engineering
   Software Piracy
   Who to contact
   Testing the user

7. A Security Awareness Program: Case Study
   The approach of the Security Awareness plan
   The Human Performance System
   Non-Training factors that impact human performance
   The Micro level environment
   The Practice
   Bringing the concept of the Micro level environment and practice into the study

8. Implementing an effective Security Awareness Program
   The skills and competence performance factor
   Why training solutions struggle to deliver these learning outcomes
   Ineffective Learning and Performance Needs Analysis
   Inappropriate and Ineffective Course Content and Structure
   Inappropriate Selection of Learning Media
   Instructor-Led Training
   Computer-Based Training
   Combining instructor-led training and computer-based training
   Ineffective Learning Support
   Ineffective Learning Assessment
   Learning management requirements

9. Mechanisms that can be used as part of a Security Awareness Program
   Posters
   Screensavers
   The Intranet
   Brochures
   Multimedia computer-based training
   Custom Awareness Programs
   Talks
   Trinkets
   Security Awareness day
   Professional Help

10. Implementing and Managing the Security Awareness Program
   Approaches for implementing an effective Information Security Awareness Program
   Bottom-Up Approach
   Top-Down Approach
   Using the development strategy to support the implementation of a Security Awareness project
   Summary

References
Figures and Tables

Figure 1: A graphical representation or roadmap of the chapters
Figure 2: Security Awareness in the learning continuum
Figure 3: A television: example of an asset
Figure 4: Company information or electronic assets
Figure 5: Model that defines behavioural and knowledge requirements
Table 1: The mind-talk and associated desired norms and undesired norms
Figure 6: The culture transition
Figure 7: Three levels of an integrated communication strategy
Figure 8: Key content elements
Figure 9: Communication channels
Figure 10: Different means of delivering training
Figure 11: The importance of managing behavioural change
Figure 12: The first screen of the Security Awareness Program prototype
Figure 13: The Micro Level Environment
Figure 14: An example of a poster that can be used as part of a Security Awareness Program
Figure 15: Approaches to Security Implementation
Figure 16: The Development Strategy with the 6 phases