Security awareness training and education, government guidance, training matrix




Bulletin of Applied Computing and Information Technology
Refereed Article A5: Security Awareness Training and Education in Organisations
05:02 2007, Dec

Charles Tsui
Manukau Institute of Technology, New Zealand
charles.tsui@manukau.ac.nz

Tsui, C. (2007). Security Awareness Training and Education in Organisations. Bulletin of Applied Computing and Information Technology, 5(2). Retrieved June 2, 2015 from http://www.citrenz.ac.nz/bacit/0502/2007tsui_security.htm

Abstract

This paper discusses the support and guidance provided by governments concerning security awareness training and education. Based on the guidelines recommended by the National Institute of Standards and Technology (NIST) of the USA, it investigates which technical and non-technical areas should be covered and how training and education should be delivered most efficiently. Recommendations on improving the efficiency of training and education delivery and on evaluating their effectiveness are also provided.

Keywords: Security awareness training and education, government guidance, training matrix

1. Introduction

Dr. Eugene Schultz, in his editorial in Computers & Security 2004 (Schultz, 2004), encouraged all writers to submit more papers on security awareness, training and education (SATE). He started by asking "Does security awareness training and education yield at least a reasonable return on investment?". When an organisation's budget comes under pressure, training and awareness are most likely the first areas to be cut. The main reason is that the direct benefits of security awareness training and education are very difficult to determine when compared with other security measures. The effectiveness of training and education is largely dependent on the quality of the adopted training and education programme.

A good programme should properly fit the particular needs and structural requirements of the organisation, with tools for measuring and maximising the return on investment (ROI) of training and education. Based on a literature review, this paper identifies and discusses which technical and non-technical areas should be covered in a SATE programme, how a SATE programme may be structured to meet different educational and training requirements, and how security awareness training and education programmes can be delivered most efficiently. Models and frameworks will be considered, including government guidelines.

2. Government Guidance

There are examples showing that, with promotion and encouragement from governments, top-level management of organisations pays more attention to the importance of computer SATE. Some relevant cases are described below.

The USA passed Public Law 100-235, "The Computer Security Act of 1987", which mandated that the National Institute of Standards and Technology (NIST, 2005), with the United States Office of Personnel Management (OPM), develop and issue guidelines for federal computer security training. To fulfil these requirements, several guidance documents have been produced, such as "Information Technology Security Training Requirements: A Role- and Performance-Based Model" (NIST, 1998) and "Building an Information Technology Security Awareness and Training Program" (NIST, 2003). The two documents are complementary. While the first provides higher-level strategic concepts on how to build an information technology SATE (IT SATE) programme, the second describes role-based training details at a lower, tactical level. Although the documents target federal agencies in the USA, they may be used by any other organisation and are not subject to copyright.

Other governments provide similar guidance, such as "Information Security: Raising Awareness" prepared by the Treasury Board of Canada Secretariat (2000), and "A Users' Guide: How to Raise Information Security Awareness" published in 2006 by the European Network and Information Security Agency (ENISA). In 2006 the Australian government released the "Australian Government Information and Communications Technology Security Manual". In New Zealand, the Government Communications Security Bureau (GCSB) maintains the New Zealand Security of Information Technology (NZSIT) publications and training programme (GCSB, 2006). All these guidelines promote security awareness to organisations and the public and are supported by government offices and agencies. As they share similar approaches, this paper concentrates on the guidelines provided by NIST.

3. The SATE Concept

Security awareness, training and education are the three parts that make up the IT SATE learning continuum. It starts with raising awareness, develops into a programme of training, and then evolves into education (NIST, 1998, p.14). Figure 1 illustrates the three-layered structure of the IT security learning continuum recommended by NIST (1998, p.13). The three main layers are Awareness, Training, and Education. The interrelationships shown in Figure 1 may serve as a reference framework for building SATE programmes.

Figure 1. IT security learning continuum (Source: NIST, 1998, p.13)

Awareness covers a wide range of security aspects that are communicated to broad audiences. An IT SATE programme aims to draw people's attention to things they take for granted without being aware of the related security issues. Activities at this level are especially targeted at workers who have only recently started using an information system. The middle layer is more formal and is aimed at enhancing workers' skills and providing security knowledge for daily tasks. This layer places emphasis on role-based training, in which programmes can be designed specifically for particular positions in an organisation. Education is at the highest level of integration of the framework, where a combination of skills and competences is required to produce security specialists and professionals who are in a position to oversee the whole information structure of the organisation.

3.1. General Training Areas

A comprehensive SATE programme should cover an organisation's entire user population. Following their role-based training methodology, NIST divide training into three general areas: laws and regulations, security programme, and systems life cycle security. Six generic organisational roles are also identified: manage, acquire, design and develop, implement and operate, review and evaluate, and use (NIST, 1998, pp. 57-93). NIST recommend an IT security training matrix model (NIST, 1998, p.44) which relates the three training areas to the six organisational user roles. In the matrix (Figure 2) the numbers in the cells correspond to the numbered sections of the NIST document describing training requirements.

Figure 2. IT security training matrix (Source: NIST, 1998, p.44)

The matrix arrangement in Figure 2 is a rather generalised framework with a "one-programme-fits-all" approach. Researchers may find it similar to Schultz's (2004) idea of "fitting a square peg in a round hole". It may not work effectively for security training, as a SATE programme, as mentioned in earlier sections, must be designed for particular audiences. For example, to build a training programme for a Chief Information Officer using the above matrix, all of the cells 1A, 2.2A, 2.1C, 2.2C, 2.1D, 2.1E and 3.4E would be selected. To guide the reader, the documentation developed by NIST provides a number of examples referring to individual organisational roles, featuring a selection matrix, samples of training metrics, and a programme.

3.2. Technical vs Non-technical Training Areas

When training technical or professional personnel, the materials must be pitched at the technical level required for that particular position. For example, tests and specific programming guidelines for database applications are required when training in database security control. Program code and templates are required when training software developers, so that the developers can use and apply them in their daily tasks (Steven & Peterson, 2006). However, this does not mean that general security awareness is unnecessary. SATE programmes should be customised to start with an initial training scheme that all staff must attend to raise their awareness, and then form groups for further in-depth technical aspects.

Steven and Peterson (2006) suggested a three-tier model for awareness training for software developers. The management aspect can be divided into three tiers, namely: executive, management and development, and security. This concept is somewhat similar to the NIST six-role model, albeit with a smaller number of roles. The higher-level roles focus on vision, goals and objectives. The middle-level roles have the task of managing implementation and validation. The lowest level is where the actual tasks are carried out. Further, on the technical aspect, developers can be divided into beginner, intermediate and advanced levels. Compared with the NIST guidelines, this further customisation moves into the education level for professionals and specialists.

Non-technical areas can be classified as public or community level. This is covered by NIST's Security Basics and Literacy (NIST, 1998, pp.23-32). A somewhat controversial example of "Community Security Awareness Training" was reported by Endicott-Popovsky, Orton, Bailey and Frincke (2005). It was a security awareness event in the form of a "Google-Hacking Contest". The aim was to alert the general public to the risks of identity theft. The contest gathered groups of attendees, ranging from students to senior professionals in computer security, who tried to use the technique of "Google-Hacking" to look for exposed personal identity details.

4. Making Training Efficient

COBIT (Control Objectives for Information and related Technology) identified 'people' as one of the four IT resources that form the IT organisation (ITGI, 2005, p.12). People are the key players who use skills and technology infrastructure to carry out the set of defined processes that run the business; any faulty action by people directly affects the organisation. This is why many reports and papers state that people are the key, but also one of the weakest links (NIST, 2003, p.1). Therefore a SATE programme should be designed for the people who work in the targeted organisation.

The programme will lose its effectiveness if materials are overloaded with unnecessary content which the audience may find irrelevant to their work. People will lose attention and become bored. Steven and Peterson (2006) note that "Only when training gives prescriptive design and coding guidance of what to do to resist attack does it stand a chance of sticking in a developer's mind." In fact, not only technical people but also general computer users prefer "you do what I do" practical training to just sitting and watching a demonstration. The more chances people get for 'hands-on' training experience, the more deeply they will understand the concepts related to security. Further, the training programme must be related to daily tasks. The closer it resembles a daily task, the more attention it will get from the audience.

The "Google-Hacking" event mentioned earlier is an example of a very effective and efficient exercise. The event was highly technical, but the outcome was a surprise to all, as millions of highly confidential records were retrieved from the Internet through a wireless network provided by a university. Although it was not an official training programme and only the highly technical attendees gained most of the benefits, the event served well to alert the general public and was a very efficient security awareness exercise. It was also cost-effective, as the organisers paid for the venue and the wireless network connections while attendees contributed the cost of labour and equipment. The event gained high publicity world-wide.

5. Measurements and Improvements

Every business or non-business process is measured for its effectiveness, efficiency and ROI, and SATE is not an exception. ENISA described an "Overall strategy for executive awareness initiatives and programmes" in their users' guide. The strategy is divided into three phases: plan and assess, execute and adjust, and evaluate and adjust. The document gives guidelines on cost analysis and identifying the benefits, and on establishing a baseline and evaluation. Evaluation and feedback can be done by questionnaires (ENISA, 2006, pp.33-37). However, most of the benefits are non-measurable and intangible, such as being "motivated to adopt security practices". Although these are not measurable directly, comparisons on certain performance criteria can be carried out. For example, statistical data on security breaches and incidents can be collected before and after the SATE programme, and regularly for a number of periods, and analysed. Another example is software application development, where a security analyst is normally employed to look for loopholes and bugs in applications. Analysis can be done before and after the SATE programme and comparisons made to look for continuous improvement.

6. Conclusion

This paper addresses some aspects of security awareness training and education in organisations. A brief review of significant guidance documents provided by governments has been carried out. The concept of the people factor in security awareness training and education is introduced and discussed as a backdrop to the further introduction of ideas on how to formalise, design and measure an efficient and useful SATE programme. A number of examples are used to draw practical recommendations for educators and practitioners in the field, with reference to models and frameworks sourced from the literature reviewed.

Acknowledgements

Special thanks to the anonymous reviewers for their constructive comments, and to Krassie Petrova and the members of the BACIT editorial board for supporting my work on the article.

References

Australian Government (2006). Australian Government Information and Communications Technology Security Manual. Retrieved October 18, 2006, from http://www.dsd.gov.au/library/infosec/acsi33.html

ENISA (2006). A users' guide: How to raise information security awareness. Retrieved October 18, 2006, from http://www.iwar.org.uk/comsec/resources/enisa/infosecawareness.pdf

Endicott-Popovsky B., Orton I., Bailey K., & Frincke, D. (2005). Community security awareness training. Proceedings of the Sixth Annual IEEE Systems, Man and Cybernetics (SMC) Information Assurance Workshop, pp. 373-379.

GCSB (2006). The NZ Security of Information Technology (NZSIT) publications and training programme. Retrieved October 18, 2006, from http://www.gcsb.govt.nz/publications/nzsit/index.html

ITGI (2005). COBIT (Control Objectives for Information and related Technology) 4.0. Retrieved September 30, 2006, from http://www.isaca.org/template.cfm?Section=Downloads3&Template=/MembersOnly.cfm&ContentID=23325

IWS (2006). The Information Warfare Site. Retrieved October 18, 2006, from http://www.iwar.org.uk/index.htm

NIST (2005). National Institute of Standards and Technology. Retrieved October 18, 2006, from http://csrc.nist.gov/ate/index.html

NIST (1998). Information technology security training requirements: A role- and performance-based model. Retrieved October 18, 2006, from http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf

NIST (2003). Building an information technology security awareness and training program. Retrieved October 18, 2006, from http://csrc.nist.gov/publications/nistpubs/800-50/nist-sp800-50.pdf

Schultz E. (2004). Security training and awareness: Fitting a square peg in a round hole. Computers and Security, 23(1), 1-2.

Steven J., & Peterson G. (2006). Essential factors for successful software security awareness training. Security & Privacy Magazine, 4(5), 80-83.

Treasury Board of Canada Secretariat (2000). Information security: Raising awareness. Retrieved October 18, 2006, from http://www.iwar.org.uk/comsec/resources/canadaia/infosecawareness.htm

Copyright 2007 Tsui, C.

The author(s) assign to NACCQ and educational non-profit institutions a non-exclusive licence to use this document for personal use and in courses of instruction provided that the article is used in full and this copyright statement is reproduced. The author(s) also grant a non-exclusive licence to NACCQ to publish this document in full on the World Wide Web (prime sites and mirrors) and in printed form within the Bulletin of Applied Computing and Information Technology. Authors retain their individual intellectual property rights.

Copyright 2007 NACCQ. Krassie Petrova, Michael Verhaart, Beryl Plimmer (Eds.) An Open Access Journal, DOAJ # 11764120