This article can also be found in the Premium Editorial Download "Information Security magazine: Betting the house on network anomaly detection systems."


Creating a Security Culture


Awareness is all about continued exposure. Al Decker and Rebecca Whitener from the IT services firm EDS have compiled the following list of methods for working security into your employees' everyday lives:

  1. Implement a culture of security at the top.
  2. Offer annual training programs.
  3. Encourage a clean desk policy — any desk that is located in an open space and any unlocked office are easy targets for information theft.
  4. Activate an information classification policy to impress upon employees which information is critical.
  5. Dispose of information securely.
  6. Guard your conversations outside company premises.
  7. Approach security in multiple layers — both physical and technological. Your annual training programs must emphasize to employees the importance of restricting physical access to allow in only those authorized to enter the premises.
  8. Make sure employees can answer two vital questions: "Would you know a security violation if it occurred? Who would you tell if you learned of one?"
  9. Don't underestimate the power of social engineering.
  10. Ensure that the corporate audit function includes a security policy and practical reviews.

Active Duty
Now that you've put your users through security boot camp, how can you measure the effectiveness of their training? Measurements are indicators that your users are paying attention: How many are accessing the security awareness Web site or clicking on the e-mail link to download the monthly newsletter? Whether you're using a prepackaged metrics program or designing your own, choose your yardsticks to assess their effectiveness before you start.

More direct measurements typically start with the number of users who have taken the security awareness training, and the average score on the end-of-class test and ongoing training exams. The real metric, though, is how training is impacting security; the number of monthly help desk calls is a good indicator. But don't be fooled — having more calls is a good sign: It means your users are being more vigilant about security and are using their training in everyday practices. The cost of the help desk calls will be offset by flagging issues early, before they impact your bottom line.

Use your tools: If you have a good software inventory tool, track the number of workstations that have unapproved software installed. By reinforcing the nature of this threat with awareness training, the number of noncompliant desktops will decrease dramatically. Once you have selected your metrics, implement them as soon as possible, even before your awareness program kicks off. Measuring your program's effectiveness requires that you know the previous state of awareness in your organization. By establishing a baseline for the metrics you want to measure, you'll have the data necessary to get a true picture of how well things are going right from the start.

Battle Ready

Awareness programs are long-term security strategies. The most effective thing you can do to help your program succeed is to work within your existing corporate culture to change it from the inside. Choose the training delivery methods and marketing campaigns that complement the way your employees live their daily corporate lives, or they'll reject your lessons out of hand. Similarly, don't try to teach too much at once. Through careful planning of your training strategy and by choosing metrics that integrate well with your existing processes, you can ensure that your organization — and your users — are ready for the battle ahead.

This was first published in July 2005
