

USER EDUCATION

Approaches to user education

Clifford May, security consulting manager, Integralis Ltd

Network Security, September 2008, pages 15-17

Security education can be a daunting task. Many IT professionals and senior managers feel it is an uphill battle to make everyone understand that they have a part to play in the overall security of the organisation. As more reports of incidents involving the loss of sensitive information hit the press, you would think that the job of education had been half done. Certainly, these incidents have raised awareness of security in everyone’s minds; but the assumption that this will be enough is a problem. Many employees have little idea of what information is and is not important to their employer. Obviously good communication is vital and there is a great deal to be gained from an effective information security awareness programme.

The standard of security awareness varies dramatically from organisation to organisation and from department to department. Traditionally, certain areas of an organisation have a higher level of security awareness and understanding. For example, IT, HR and facilities all have experience and their own views on security; and they have more commitment to security than most areas. However, even in these three areas the level of understanding of particular aspects of security varies. IT usually concentrates on technical issues, HR on policy, and facilities on physical security. This approach to security is understandable but rather restrictive, and the vast majority of organisations fail to recognise the value of a complete awareness campaign.

Raising everyone’s understanding of the information security requirements of the business serves as a common baseline and multiplies the security effort many fold. Why rely on the guard at the door only? What happens if someone gets by the guard? Who is going to stop that person stealing a laptop? Everyone should be thinking, ‘It’s up to me; I need to report this!’ That is not going to happen, however, without a good level of understanding that security is everyone’s responsibility. The best technical security measures in the world can be rendered totally ineffective by the careless or ignorant attitude of ‘that’s not my problem!’

Good security awareness can pay huge dividends. It can reduce incidents and legal and regulatory sanctions and provide greater resilience and business continuity. However, management commonly sees such education as an overhead or an unnecessary distraction from the core business. It follows, therefore, that the initial hurdle is to educate management. If they understand the key issues, and you can gain their support, you are halfway there, because they will be more likely to give staff time to take the awareness training.

How do you go about ensuring the right message is given when the opportunity arises? A good awareness programme needs to be relevant, attractive and well presented. Here are a few tips to help you develop an effective information security awareness programme.

Make it personal

People relate to their own circumstances and interests. A diatribe on the importance of security to the business is highly likely to go in one ear and out the other. You need to make sure staff members identify with the issues you are trying to convey.

Presentations, e-learning modules, bulletins, posters, etc. need to be designed to stick in people’s minds by making the message something they can identify with in their personal life. For example, a long slog through a presentation on data protection is likely to thoroughly bore the audience, whereas a presentation on the dangers of using an unsecured home computer (including theft of personal data) is much more likely to grab their interest and stick in their minds.

Match the message to the audience

Nothing switches off an audience quicker than pitching the message at the wrong level. A technical presentation, full of technical acronyms, will lose the attention of non-technical staff very quickly indeed. Likewise a business-related presentation, full of financial considerations, will soon lose a technical audience. Many presenters or authors of training material are not great at getting the right message across. They often see security issues from their own viewpoints and fail to place themselves in the shoes of the intended audience, making it either too technical or too political.

Different training material will, therefore, be needed for different audiences. This material can be created by getting the right people involved in its development. Enlisting the help of experienced staff from the target departments of the business helps to ensure buy-in to the training initiative and also ensures the pitch is at the right level, with appropriate references and considerations.

When training senior management, remember that their time is short and they want summary information only that goes straight to the point. Try to view things from their point of view; do not bombard them with technical details, acronyms and volumes on policy. Keep messages relevant and appropriate.

Keep it short

Have you experienced a mass of documents to read when starting a new job? Do you read them? The chances are you glance at them, decide they are dull and uninteresting, and then file them with the thought that you will look at them later if you need to. Few of us have the patience and memory to absorb a 50-page policy that covers every eventuality. Policies are supposed to be one of the most important security controls in themselves; but they are often poor and ineffective.

To get your message across, keep it short. Do not go into infinite detail about an issue unless you are targeting the material at a very specific audience that is used to it, e.g. a legal or IT audience. For everyone else, brief, meaningful messages are more likely to stick. You can also support the message with real-life case studies.


Break the learning into small discrete modules, e.g. 10-15 minutes, wherever possible. Do not sit someone in front of an e-learning package for an hour at a time. Smaller and more manageable modules allow messages to be absorbed more easily. In addition, the training will not interfere with the working day, and the audience will not be deterred from completing additional training when required.

Make it interesting

Have you sat through dire presentations, given by people with poor presentational skills, intent on going through every sentence or paragraph of every slide? Problems occur in the presentation of policies and in e-learning when authors are comfortable with their subjects and, although they want to convey all they know to the audience, they are not natural communicators.


The solution to the problem is to make the learning interesting. Even a long presentation will feel short if it is interesting. Approach the subject from the point of view of the audience. If you want them to absorb what you are saying or writing it is vital to make it relevant and interesting. Don’t just explain a set of rules; explain why they are necessary and how they make a difference to the individual and the business. A little humour goes a long way to making a message more interesting. Some of the most effective educational material on security has been based on comical situations, which are more exciting and effective than a 50-page policy.

Use real-life examples

Nothing pushes home the security message more than the use of real-life examples; a straight presentation of what might happen is nowhere near as compelling. All organisations have security incidents; they are a fact of life, because your organisation is never 100% secure. Why not learn from security incidents and use them as examples of the things to be avoided? Although these examples should not compromise confidentiality, a few carefully sanitised real-life ones from the organisation receiving the training will help the audience identify with the issues at stake.

If this is too radical an approach for your organisation, the internet and newspapers abound with examples of information losses, hacking cases, and frauds. Using examples from other organisations will help drive home the message, especially when related to personal issues. Threats to online banking, the security of email, instant messaging and even physical security are all relevant topics that help educate staff in information security-related considerations.

Make it part of everyday business

Most resistance to security awareness programmes comes directly from management. If the topic is interesting and well presented most staff will undertake the training readily; it gives them a break from their daily routine. Even ‘pressed men’, who really do not want to take any training because they feel they know it all, may not mind if it is presented in a sufficiently interesting manner.

A lot of resistance to security education stems from the way it is presented. A lengthy and complex e-learning presentation followed by an exam is hardly attractive to the average audience. A better solution is to incorporate security messages into everyday business. Posters, interesting and short news clips and emails, signs (e.g. who to report incidents to), and personalised advice on information security issues all work together to convey a very strong message. This more subliminal approach takes little from the working day and is the most effective way of developing a security-conscious culture in an organisation.


Another, arguably more difficult, way to ensure that security awareness becomes part of everyday business is to add specific objectives and key performance indicators to staff job descriptions and appraisals. This is the favoured approach of ISO/IEC 27001, the international standard for information management systems. It helps to make the whole process self-managing, adds little in the way of administrative overheads, and ensures everyone’s buy-in.

All staff members have a responsibility for security; e.g. to report incidents, avoid using virus-infected exchangeable media, report strangers on the premises, and more. Usually, however, they are not conscious of this required commitment and think it is someone else’s responsibility. This in itself should be the biggest driver to make security part of everyday responsibilities: make people accept the part they have to play in it; and raise its importance to the organisation.

Use the right delivery method

The adage ‘horses for courses’ is applicable to security education. When you educate, you need to match the delivery medium to the target audience. Placing an inch-thick policy in front of the average employee will be immediately counterproductive, except for those who work in the legal profession and who are more familiar with policy. Sometimes legal and regulatory requirements dictate that the message be delivered in a prescriptive manner and include testing to confirm understanding. A common approach in these cases is to oblige new staff members to work through an uninteresting e-learning module before they are allowed to access the systems they need to do their job. While this approach may satisfy legal obligations, it is frequently ineffective in educating, so careful thought needs to be given to more effective training methods.

New staff members give the organisation an opportunity to deliver the right security message from the outset. An informative and authoritative presentation on security to new staff members, particularly covering their personal responsibilities, can be effective and reduce misdemeanours and disciplinary issues. It is not always possible to provide presentations to all staff, particularly in large or geographically dispersed locations, so there is a definite place for e-learning and the other delivery methods mentioned in this article (e.g. posters and newsletters).

There is no excuse nowadays for making the learning dull and uninteresting. Dull training messages are gone and forgotten in an instant! If the intended audience is more creative than IT literate then make the message creative – use graphics, cartoons, colour, and more, to make the message attractive and memorable. If your target audience is highly IT literate, make the presentation appropriately technical. Consider using podcasts, bulletins on the latest security vulnerabilities, and so on.


For the average audience make the messages easy and attractive to understand. Some of the best examples of effective educational material on security have been simple two-sided brochures that cover the salient points in an entertaining fashion.

Summary

To sum up, information security education is a significant challenge to all. The messages that need to be conveyed are complex, they are not everyone’s cup of tea, and delivery can be a significant challenge. However, with a bit of thought and originality, a good awareness campaign can provide huge benefits to an organisation. A reduction in security incidents, improved accountability, and a better image to customers, trading partners, shareholders and regulatory bodies, can easily outweigh the effort required to stage an effective security programme.

Remember the key pointers:

1. Make it personal
2. Match the message to the audience
3. Keep it short
4. Make it interesting
5. Use real-life examples
6. Make it part of everyday business
7. Use the right delivery method

And … good luck!

About the author

Clifford May heads the security consulting practice at Integralis and has extensive experience of some 37 years in both the public and private sectors. A career of over 27 years as a senior executive officer for HM Customs & Excise, where he headed computer audit and computer forensics teams, was followed by some ten years in the private sector where he headed security consultancy and forensic investigation teams. A BS7799-qualified lead auditor, Certified Information Systems Security Professional (CISSP) and qualified systems analyst, Cliff has headed and performed a wide range of security consultancy, audit, certification and testing projects for a diverse range of clients.