SECURITY AWARENESS SURVEY

Is a survey necessary?

A survey will give you insight into information security awareness within your company. The industry has increasingly realized that people are at least as important as technology, and probably more important, when it comes to protecting information assets. An organization whose users of technology lack security awareness may experience more security incidents, greater losses, and increased risk of compliance failure. The extent of such risks is difficult to measure, but, as with any organizational behavior, more visibility into the nature of the behavior leads to better control and management of it. That is why we view a survey as necessary.

This survey is not a magic bullet, nor a crystal ball. It is a diagnostic instrument that can provide empirical evidence of security behaviors and attitudes within the organization. The data collected can then be used to identify areas for possible improvement and risk reduction. When administered repeatedly over time, the survey can provide a baseline of security awareness against which progress or challenges for the security awareness program can be measured.

How it works

There are 30 questions measuring characteristics of the company's security awareness posture. Some questions collect factual data (role, time in job, etc.) while others collect data about the user's awareness, attitudes and behaviors.

How to deploy the survey

Below are some ideas and elements to consider when deploying this survey.

1. Identify executive stakeholders or sponsors to help promote the value of the survey; perhaps have them send an organization-wide email announcing the survey and its purpose.
2. Have the survey reviewed and approved by public relations, HR, or legal.
3. Identify the scope of users you want to take the survey (employees, contractors, volunteers, etc.). Don't forget to include management and specialists, who are also end users of technology.
4. Determine whether the survey will be required or voluntary. If it is voluntary, what is the motivation? Is there a prize for taking the survey?
5. Consider whether the survey should be anonymous, particularly if asking questions about behaviors that may violate company policy. Respondents are more likely to be honest if they are not worried that their responses may incriminate them or result in punishment.
6. Evaluate and choose a survey engine or learning management system from which to conduct the survey (Google, Survey Monkey, etc.).
7. Determine how long to leave the survey open.
8. Determine the audience for the results of the survey and how to disseminate the insights gained.
9. Determine whether you will conduct longitudinal surveys of the same respondents to measure progress over time (perhaps as the result of specific awareness interventions). Note that this is in tension with point 5: if responses are anonymous, you will need a way to link a respondent's answers across rounds (for example a respondent-chosen code) without identifying the individual.

Survey Questions

1. What is your employment status?
a. Full time employee
b. Part time employee
c. Contractor
d. Partner
e. Vendor
f. Other (please describe: open field)

2. What is your management position?
a. I am an executive or other senior manager
b. I am a front line manager
c. I am not a manager but I supervise others (team or project lead)
d. I am not a manager

3. Where do you work?
a. Sales
b. Accounting
c. Marketing
d. Information Technology
e. Human Resources
f. Manufacturing
g. OTHER [AS NECESSARY]

4. How long have you worked in your role?
a. More than five years
b. Three to five years
c. One to three years
d. Less than one year

5. How aware are you of the activities of the company's information security organization?
a. I know where the team sits in the organization, what they do, and how to contact them
b. I know we have such an organization and where to go to find out more about them
c. I've heard that organization mentioned, but I have no more knowledge than that
d. I did not know we had such an organization in our company

6. When was the last time you remember interacting with the company's information security team (receiving an email, receiving security training, having an information security team member in a meeting, etc.)?
a. Within the last week
b. Within the last month
c. Within the last year
d. It's been over a year
e. I have never interacted with the information security team

7. How important are the actions and activities of the company's information security organization to your daily job and tasks?
a. Very important: I use materials and guidance they provide almost every day
b. Somewhat important: they have given me skills and knowledge that have helped me in my job
c. Neither important nor unimportant: I assume their activities function in the background
d. Not important: I don't feel like I get any benefit from the information security organization
e. Detrimental: the information security organization actually hinders my job performance
f. Unknown: I know nothing about the information security organization

8. How confident are you that you can recognize the symptoms and signs of a computer security incident? Computer security incidents may include viruses and malware on your PC or phone, a hacker gaining unauthorized access to your system, or an attacker tricking you into giving away sensitive data over the phone or by email.
d. Not very confident
e. No confidence at all

9. How confident are you that you would recognize the symptoms of a specific security incident? [NOTE: customize this question with any particular scenario of interest]
d. Not very confident
e. No confidence at all

10. Have you ever been directly involved in a security incident? Computer security incidents may include viruses and malware on your PC or phone, a hacker gaining unauthorized access to your system, or an attacker tricking you into giving away sensitive data over the phone or by email.
a. Yes
b. No
c. I don't know or am not sure

11. If you were to suspect that your computer, smart phone, or other device was involved in a security incident such as a virus, a hacker attack, or some other problem, how confident do you feel that you know how to respond to and report the situation?
d. Not very confident
e. Not confident at all

12. If you were to suspect that your computer, smart phone, or other device was involved in a security incident such as a virus, a hacker attack, or some other problem, what would you do? Select all that apply.
a. Tell my manager
b. Tell my coworkers
c. Contact the IT Security team (I currently have this information or know where to find it)
d. Contact the IT Help Desk (I currently have this information or know where to find it)
e. I do not know who I am supposed to inform if this happens
f. I would be worried about telling anyone, since I might get in trouble

13. I have been given the information necessary to know what to do if I suspect that my computer, smart phone, or other device was involved in a security incident, such as a virus, a hacker attack, or some other problem.
a. I have all the information I need to respond to and report the incident
b. I have some of the information I need to respond to and report the incident, but I have questions
c. I would be confused as to what to do because I do not have all the information I need
d. I feel like I have no information regarding what to do in such an event, and might ignore it

14. Without being specific, do you know of any situations in the company where someone has given their password to another person for any reason?
a. Yes
b. No
c. I don't know or am not sure

15. Without being specific, do you know of any situations where people in the company share the same password for an IT system or application?
a. Yes
b. No
c. I don't know or am not sure

16. How familiar are you with the company records retention policy, including the proper ways to create, classify, manage, and dispose of both electronic and hard copy documents?
a. Very familiar
b. Somewhat familiar
d. Not very familiar
e. I do not know what that policy is

17. How familiar are you with the company information classification policy, including the proper ways to identify and label both electronic and hard copy documents?
a. Very familiar
b. Somewhat familiar
d. Not very familiar
e. I do not know what that policy is

18. How confident are you that you know how to protect sensitive company information in electronic documents, including how to label, share, and securely dispose of such information?
d. Not very confident
e. Not confident at all

19. How well do you feel the company manages IT assets, including computers, phones, and other devices, to protect them from security threats?
a. The company manages computer security very well
b. The company manages computer security well
c. The company manages computer security neither well nor badly
d. The company manages computer security badly
e. The company manages computer security very badly
f. I don't know

20. How much do you worry about the risk of using IT assets, including computers, phones, and other devices, inside the company?
a. I worry a lot about the risks
b. I sometimes worry about the risks
c. I rarely worry about the risks
d. I never worry about the risks
e. I don't know or have never thought about the risks

21. How involved do you feel in the daily process of information security and protecting the company's information assets?
a. I feel very involved
b. I feel somewhat involved
c. I feel somewhat uninvolved
d. I feel very uninvolved
e. I don't know or have never thought about it

22. How much do you worry about becoming the victim of a phishing attack at work?
a. A lot
b. A little
c. Not at all
d. I don't know what "phishing attack" means

23. How often do you receive emails with attachments or links to the Web?
a. Very often: once or more each day
b. Often: more than one each week
c. Occasionally: a few each month
d. Almost never: less than one per month
e. I don't understand the question

24. How often do you receive emails from strangers or organizations you do not recognize?
a. Very often: once or more each day
b. Often: more than one each week
c. Occasionally: a few each month
d. Almost never: less than one per month
e. I don't know

25. Of the emails you receive with attachments or links to the Web, how often do you open the attachment or click on the link?
a. Every time
b. Sometimes
c. Rarely
d. Never
e. I don't understand the question

26. To what extent would you agree with the following statement: "No hacker would attack me or my computer. I don't have anything they would want."
a. Completely agree
b. Agree somewhat
c. Neither agree nor disagree
d. Disagree somewhat
e. Completely disagree

27. In the past three months, have you (check all that apply):
a. Tried to visit a website and found that the company blocks you from doing so?
b. Wanted to visit a website but did not do so because you knew it was against company policy?
c. Visited a website even though you were not sure whether it was against company policy?
d. Known of someone who deliberately visited websites that were explicitly prohibited by company policy?

28. Based on your everyday work experience, how would you rank the following priorities of your organization? Please rank the most important priority as 1, the next most important priority as 2, and so on.
a. Financials (profit, revenue, share price, etc.)
b. Customer satisfaction (delivery, marketing, complaints)
c. Innovation (the ability to create new products and/or business processes)
d. Information Technology (using the best, most modern technologies)
e. Information Security (protecting company information assets)
f. Employees (safety, satisfaction, retention)
g. Other (please list)

29. Do you ever feel pressure to do more with less in your job, even if that means cutting corners in some areas in order to complete others?
a. Always
b. Often, but not always
c. Sometimes
d. Not very often
e. Never

30. How many times in the last year have you heard information security discussed in a formal setting outside of specific security training exercises (for example, in staff meetings, in general company memos or emails, or in performance reviews)?
a. I have never heard security discussed unless I was taking security training
b. On occasion, I have heard about security, but usually because of some specific event
c. Security is talked about as often as anything else, even when I'm not undergoing specific training
d. Security is often a topic, in a variety of settings, during my daily job
e. Security is always top of mind, and is discussed

© Popcorn Training
Feel free to contact us for further information & assistance.
Tel: 021 813 9264
Email: info@popcorntraining.com
Website: www.popcorntraining.com
Ref: Securing the Human (SANS)