Over the past few years there has been a massive increase in security- and privacy-oriented compliance regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX), HIPAA and Gramm-Leach-Bliley (GLBA), to name just a few. Several of these mandate that companies implement security awareness as part of their information security programs. As a result, this often-neglected area of infosec has had some new life breathed into it.
Security practitioners love to argue about the effectiveness of employee security awareness training. Opponents claim the proliferation of security incidents is proof that it doesn't work, whereas proponents claim that no system is perfect, but something is better then nothing. Various studies have been published to support both sides, but one thing is certain: Several compliance regulations exist that mandate employee training about the various security and privacy policies.
But what makes for a good security awareness and education program? Most user training misses the point completely and is as useless as its detractors say it is. That's because it focuses on what users should and shouldn't do, as opposed to why and how those actions can have serious consequences.
Here are some examples of bad training:
- Telling users not to open emails from people they don't know.
- Telling users not to click on random links on Web pages.
- Making users responsible for patching their own systems.
Everyone has heard this sort of advice, and while in theory it's good, it doesn't take business realities into consideration. Good IT security awareness training focuses on broader problems that don't lend themselves to pure technology solutions. Training can be broken down into two major categories: general and group-specific. General security training is appropriate for all employees regardless of their job role. Group-specific security training focuses on particular skills that are relevant to only a portion of the company.
The following are examples of topics that should be covered in general security training:
- Education on policies and procedures.
- Information on who to contact if an employee believes he or she has identified a security threat or risk.
- Rules for how to handle confidential information.
General security training has the advantage of aligning with common sense emergency preparedness and professional behavior. It is well suited to mass communication channels such as email, Web-based training, newsletters and posters. Regularly reminding employees about what to do (and not to do) and how to do it is a cornerstone of a strong security posture. Educating users about policies and procedures is key for maintaining a smoothly running operation and is absolutely necessary from the standpoint of compliance liability mitigation. Regular reinforcement is particularly necessary in organizations with high turnover rates such as call centers, help desks and those that rely heavily on contract or temporary staff.
Confirming how well the awareness program is working can also be difficult. The most common metric looks for a downward trend in the number of incidents over time. It's also important to look not only at the total number, but also at the severity of the incidents. Keep in mind, however, that as people's awareness of these issues increases, there may be an increase in incidents, given that the staff knows what to look for. This is why it's necessary to look at the total trend over time.
These are examples of topics that should be included in group-specific training:
1. For IT operations staff: Disaster recovery and business continuity planning
2. For the development organization: Design/architecture/coding training
3. For finance staff: Fraud-detection training
Group-specific training tends to be in-depth and should be treated like any other subject-specific training. As such, it may include dedicated classroom time or attendance at conferences to bring teams up to speed in a timely fashion.
This training does more then fulfill a compliance requirement, it actually enables the company to be more compliant. This training gives employees the specific knowledge they need to actively make the necessary changes -- protect their passwords, handle sensitive data with care or refrain from accessing social networking sites -- to make the company compliant and keep it that way.
The above are examples of areas that would benefit from specific security training; they are also areas in which most enterprises could easily realize a benefit. A properly implemented security awareness-training program will not only provide the HR department with necessary documentation for pursuing actions against employees who disregard security practices, but will also reduce the number of disciplinary actions.
Most employees have the best interest of the company at heart and want to see it succeed; they want to comply. But first they need to know what the assorted requirements are. A tightly managed security awareness-training program can accomplish this, making an enterprise more compliant, and more importantly, more secure.
About the author:
As CSO-in-Residence, David Mortman is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led up Siebel's product security and privacy efforts. A CISSP, Mr. Mortman sits on a variety of advisory boards including Qualys and Applied Identity and Reflective, amongst others. He holds a BS in Chemistry from the University of Chicago.
This was first published in January 2009