The true value of information security awareness

Awareness of the rules is not the same as complianceAddressing the rhetorical question:
why do we need security awareness?

 

by Dr Gary Hinson PhD MBA CISSP

 

First published in 2003

Updated most recently in February 2014

 

Introduction

This white paper has been updated repeatedly as security awareness has evolved over the last decade or so. It reflects the opinions of numerous organizations and individuals quoted herein, as well as those of its opinionated author.

The importance of information security

Information is the lifeblood of organizations, a vital business asset in today’s IT-enabled world. IT systems and networks link every internal department and connect us with a myriad of suppliers, partners and markets. Access to high-quality, complete, accurate and up-to-date information makes managerial decision-making relatively easy by reducing the margin for error. This begs the question: how do we guarantee access to high-quality information? The answer: (1) we design and build information systems that are effective at gathering, analyzing and outputting the information we need; and (2) we secure our information systems against risks to their confidentiality, integrity and availability of information.

Protecting and enhancing the value of our information and IT systems has become a central strategic objective in most businesses, second only to making profits. Information security is not just a simple matter of having usernames and passwords. Regulations such as Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB), Basel II, Sarbanes Oxley Act (SOX), Federal Information Security Management Act (FISMA), and various privacy and data protection laws impose a raft of obligations on us. Our people sometimes make careless mistakes and occasionally defraud us. Meanwhile, viruses, worms, hackers, phishers and social engineers threaten us on all sides.

In a keynote speech at the IDG World Expo SecurityWorld Conference & Showcase in Singapore in 2005, George Wang, CISO of Reuters Asia, attributed security failure to three factors: people concentrating too much on security itself, security measures not aligned with business strategy, and the existence of a communication gap between senior management and IT professionals. Seeing the “big picture”, he said, begins with positioning - that is, establishing a security position that suited both company resources and business direction. “It has to be a long-term commitment and sustainable,” he said. Along the lines of business strategy, the plethora of factors requiring consideration stretches from corporate positioning to the culture of the organisation. “Does your risk strategy suit your company’s security culture?” asked Wang. Battling with legalities and regulations sometimes places a damper on an organisation’s capacity to pursue the right security measure. Proper risk assessment is also crucial in establishing a company’s “risk appetite” - how much risk it can comfortably afford to handle within its security plan.  Corporate culture is important too, he said. He addressed the problem of the communication gap that exists between senior management and the executives proposing the security measures, saying that the problem lay with ineffective explanation of security objectives. Senior management is often not aware or concerned with the measures. “Transform management into stakeholders,” he recommended, so as to place personal interest in the hands of management. This transparency he advocates is seen in his other measures for clear and elaborate communication: not just upwards with management, but across the departments as well, “so that security gets embedded in the value chain.” Engaging the entire organisation involves the technical people as well as Legal, HR and even Public Relations (PR).

Information security controls improve the organization’s profitability by reducing both the number and the severity of breaches, cutting direct and indirect costs (e.g. lost productivity through time spent investigating and resolving breaches and hoaxes; irrecoverable loss of data; expenses incurred in recovering and securing compromised data and systems; notification of customers and regulators; fines for breaching laws and regulations; damaged reputation leading to customer defections and brand devaluation).

Visit Carnegie Mellon's cyber security lab site for moreFurthermore, comprehensive and reliable information security controls reduce the organization’s overall risk profile. Good information security builds management’s confidence and trust, allowing the organization to press ahead with business opportunities (such as eBusiness) that might otherwise be too risky to contemplate. Part of this arises from better knowledge of the extent of security breaches that occur: consistently reporting information about actual and potential (near-miss) security breaches to management is a sign of a mature information security framework.

Commenting on research of the FT350, Richard Menta said “Four out of five investors indicated that a significant breach in security would have a major impact on share price. Two thirds said it would influence a decision to buy or sell shares. Nearly nine in ten expected board members to be aware of, and to be able to review, their company’s infosec vulnerabilities, and 57 percent thought they should know about the company’s information risk strategy”. [Richard went on to make a case for keeping stakeholders informed about an organization’s information security status - an interesting perspective on security awareness. Topping the list of ‘nine steps to safety’ was “Persuade senior managers to embrace a security culture and give staff continuous access to security and privacy information and training”.]

Why technical security controls alone are insufficient

We have invested in firewalls, antivirus systems and other security technology. Every one of those products was no doubt sold to us on the basis of its effectiveness but we still suffer severe information security breaches and the problems are getting worse, not better. What’s going wrong? The answer according to Gartner is that “80% of unplanned downtime is due to people and processes.” COSO makes the point that “Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.

In other words, the real issue with information security is PICNIC

 

Visit the ISC2 website An (ISC) Global Information Security Workforce Study looked at this issue in some depth. “According to more than 4,000 information security professionals from more than 100 countries in the largest study of its kind, the most important elements in effectively securing their organization’s infrastructure are (in order of importance): management support of security policies; users following security policy; qualified security staff; software solutions; hardware solutions. According to the study, the top three success factors highlight the need for public and private entities to focus more time and attention on policies, processes and people, all areas which have been traditionally overlooked in favor of trusting hardware and software to solve security problems. Survey respondents say organizations are now beginning to recognize that technology is an enabler - not the solution, for implementing and executing a sound security strategy.

An information security survey by Pricewaterhouse Coopers revealed that investment in security technologies had increased but “the acute focus on technology over the last year has not been matched by an equally robust commitment to other critical drivers of security’s value, such as: (1) many of the critical business and security processes that support technology, and (2) the people who administer them.” The PwC survey found an increase in the proportion of organizations running security awareness programs but nearly half still don’t have them.

Whereas throwing technology and money at the problem may be worthwhile in the early stages of maturity of an organization’s information security management system, there are diminishing returns. More technology becomes less and less effective at improving security. Instead of continually installing and patching the technology, and forever scrambling to deal with security incidents and emerging risks, it’s time to take a step back and find a better, more comprehensive approach.

The question of whether to spend the budget on security technology or awareness, training and education highlights a false dichotomy. These are not alternatives but complementary and mutually supportive approaches. Technical security controls are strong but they have to be correctly specified, designed, developed, implemented, configured, used and maintained - all of which steps involve human beings. Simply put, security-aware managers, staff and IT professionals make better use of technical security controls.

In their network security survey, Meta estimated that “30% of IT security relates to technology, and 70% relates to people and practices.” According to Forrester “Technology alone can’t address one of the most difficult aspects of any security programme, the human element. In the end, it is usually people who make the simple mistakes – or commit the crimes – that lead to most security breakdowns.” Martin Smith, principal of The Security Company, puts it thus: “We must stop developing increasingly technical solutions for increasingly obscure problems at the expense of the blindingly obvious. Systems malfunctions and human error or ignorance will cost you far more than viruses, cybercrime, phishing or Denial-of-Service attacks.” I couldn’t agree more Martin!

The UK’s FSA (Financial Services Authority i.e. the industry regulator for banks, insurance and investment companies operating in Britain) found that “Data security is not simply an IT issue. The responsibility for ensuring data security should be coordinated across the business. Senior management, information security, human resources, financial crime, physical security, IT, compliance and internal audit are all examples of functions that have an important role to play in keeping customer data safe.

Back in 2005, Verisign famously reported that most people asked were willing to reveal their passwords for a $3 Starbucks coffee token. “According to the company, one executive who was too busy to respond to questions but still wanted a gift card sent his administrative assistant back to complete the survey . The assistant promptly revealed both the executive’s password and her own.” The take-home message in terms of a general disregard for information security is pretty clear. A similar 2004 survey used chocolate bars to bribe people out of their passwords. So many other studies have found basically the same thing that this is no longer considered newsworthy. Remember this the next time you are asked to take a “security survey” ...

Expenditure on security technologies such as firewalls, antivirus and PKI should be matched by spending on security processes, including of course security awareness. Formal security policies, no matter how carefully they are written, are of little value unless employees know about them, understand their obligations and actively comply. What’s more, there are some security threats for which there are no effective technical controls. Broad awareness throughout the organization is the only realistic way to counter social engineering, for instance.

People are becoming the weakest link. A fluid work force with diminished loyalty to organisations is being exacerbated by the fact that people do not always realise the value of information that they deal with,” said Claudia Warwar, managing consultant at IBM BCS Security and Privacy Practice (quoted from www.theage.com.au). Claudia, people are the weakest links and have been for ages!

Cited in Cyberpunk bookA security report by the State of Texas Department of Information Resources (no longer online) noted that security requires “more than a ‘technology fix’: formulating a strategic approach to information security management is a matter of addressing two basic issues: process and technology infrastructure. Ensuring Internet security requires more than simply the right technology resources. Like a bank vault, no amount of technology will provide adequate security in and of itself. To ‘keep the money secure’ the vault must be used correctly. Security is breached when procedures are not followed, when the wrong people are admitted to the vault, or if the vault is left open and unattended. Often we look to technology to solve business problems when in fact the processes are the more important solutions.

In Confessions of a Master Jewel Thief, Bill Mason says “A building protected by nothing more than a cheap combination lock but inhabited by people who are alert and risk-aware is much safer than one with the world’s most sophisticated alarm system whose tenants assume they’re living in an impregnable fortress.” This gets to the very heart of the security awareness issue: while locks and other security technologies can help, the most important factor is the security/risk alertness and motivation of people. Faced with two shops, one with attentive security guards and other employees versus one whose staff appear to be in a world of their own, the robber has an obvious choice. Even if the second shop has better security technology, the chances are that staff will not respond as quickly and effectively as the first. Remember this parable as you plan your Network Intrusion Detection System!

The Honeynet project said “The primary threat is changing from machine-focused to human-focused. There is a growing trend towards social engineering, attacking the people using computers. In some cases, it is no longer the computer that is valuable, but the individual’s information that resides on it. Also, its often becoming easier to attack the user as opposed to the system, as newer installations are more secure by default. As a result, considerably more effort is being expended in strategies such as phishing to extract valuable information from targets, or malicious websites and mobile code that compromise client systems.

The value of, and need for, information security awareness

Information security awareness, a specific form of information security control, helps secure information assets by:

  • Informing people about information security risks and controls in a general sense, and providing more specific information and guidance where necessary.
  • Emphasizing management’s support for, and commitment to, information security.
  • Promulgating the organization’s information security policies, standards, procedures and guidelines, and externally imposed laws, rules and regulations.
  • Motivating people to behave in a more security-conscious manner, for example taking security risks into account in business decision making.
  • Speeding up the identification and notification of security breaches.

The phrase ‘To err is human ...’ encapsulates a fundamental difference between people and computers. People often make mistakes, are sometimes lazy, forgetful or inattentive, and often misunderstand complex situations. We seek shortcuts to avoid boring, repetitive tasks and may cheat, bend or break the rules to get things done. Even perfectionists occasionally settle on being good enough. We react emotionally, sometimes irrationally. Computers, in contrast, slavishly and precisely follow logical program instructions. Boredom is not a factor - computers simply take longer to process more data or resolve more complicated problems. If we are to improve information security, we must take these fundamental differences into account. We need to think holistically: ‘systems’ are not just the computers but include the users and administrators plus the management and operational processes. “Errors are caused by faulty systems, processes and conditions that lead people to make mistakes or fail to prevent them.” (Institute of Medicine).

Quotation from Richard HackworthIt is pointless to put stronger and stronger links in our security chain unless we address the weakest links. Technology alone is clearly not enough to ensure information security: it has to be implemented and managed professionally and of course it has to be used properly. The problem lies not so much with technology itself but with the people and processes in the organization. General staff, technologists and managers must actually use the security controls properly in order for them to be effective. People and processes are the weakest links. Until we measure and improve security awareness, this will inevitably remain true.

The Awareness Principle, one of the fundamental Pervasive Principles defined in the Generally Accepted Systems Security Principles (GASSP), states: “All parties with a need to know, including, but not limited to, information owners and information security practitioners, should have access to available principles, standards, conventions, or mechanisms for the security of information and information systems, and should be informed of applicable threats to the security of information. Rationale: This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without user awareness of the necessity for particular controls, the users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.

The UK FSA report Data Security in Financial Services cited earlier found that “in some firms, senior management wrongly assumed their staff were aware of good data security practice even when there was no formal training in place to explain relevant policies and procedures. In addition, there was often an assumption that otherwise well-trained and honest staff would instinctively understand data security risk and know how to deal with it. These assumptions were misguided and we found that most front-line staff expected precise instructions from management about the procedures they should follow.” In other words, both the industry regulator and employees expect employees to receive suitable training and awareness on information security matters from their employer. Why wouldn’t you do it?

Ernst & Young said “It has long been generally accepted that authorized users and employees pose the greatest security threat to an organization and that raising and maintaining the awareness level of those people is a crucial part of an effective information security strategy. In spite of this knowledge, this remains a significant challenge and a significant issue for many organizations. While most organizations (74%) have a security awareness program, less than half of all respondents indicated that their program includes such things as: updates and alerts on current threats (44%); informational updates on new hot topics (42%); specific awareness activities for high-risk groups such as social networking users (35%). Furthermore, only 20% of respondents indicated that they measure the effectiveness of their awareness programs and modify those programs based on the results ... many current security training and awareness programs are not working as well as they could be. It should also be noted that 73% of respondents have no plans to outsource their security training and awareness programs. Yet, when we look closer at the 12% of respondents who currently outsource this activity, does not make it into the top three challenges for these organizations. This may illustrate the fact that more organizations should begin to look for outside help to design, execute, monitor and (or) measure the effectiveness of their security training and awareness programs.”

Control 7.2.2 of ISO/IEC 27002 :2013 - Information security awareness, education and training - says All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.” The standard’s implementation guidance is well worth reading too.

NIST Special Publication SP 800-53 Recommended Security Controls for Federal Information Systems, says “An effective information security program should include ... security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the organization) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks.”  It recommends awareness programs should at least cover the topics identified in SP 800-50 Building an Information Technology Security Awareness and Training Program.

NIST FIPS PUB 200 (Minimum Security Requirements for Federal Information and Information Systems) notes: “Awareness and Training: Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.”

HIPAA requires that an organization should “implement [a] security awareness and training program for all members of its workforce (including management)”.

Effective security awareness programs bind the whole Information Security Management System together, complementing and supporting technical, physical and procedural controls. Awareness links policies to practices, aligning what people actually do with what they are supposed to do. It helps them understand their obligations and motivates them to comply - not just because they are told to do so but out of self interest.

NERC Critical Infrastructure Protection CIP-004a standard on personnel and training explicitly mandates security awareness and training for those in the US electricity industry. “Awareness — The Responsible Entity shall establish, maintain, and document a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as: direct communications (e.g., emails, memos, computer based training, etc.); indirect communications (e.g., posters, intranet, brochures, etc.); and management support and reinforcement (e.g., presentations, meetings, etc.).

The US Computer Security Act of 1987 requires that "Each agency shall provide for the mandatory periodic training in computer security awareness and accepted computer practices of all employees who are involved with the management, use, or operation of each federal computer system within or under the supervision of that agency." Unfortunately, ‘periodic’ is not explicitly defined, so “Once in a blue moon” seems to be the accepted norm among those who fail to appreciate the commercial value of ongoing or continuous awareness programmes.

Federal Information Security Management Act 2002 (FISMA) requires that an “agency-wide information security program shall include security awareness training to inform personnel, including contractors and other users of information systems that support the operation and assets of the agency, of information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks.”

NIST’s Introduction to Computer Security: The NIST Handbook (SP 800-12) says “People, who are all fallible, are usually recognized as one of the weakest links in securing systems. The purpose of computer security awareness, training, and education is to enhance security by: improving awareness of the need to protect system resources; developing skills and knowledge so computer users can perform their jobs more securely; and building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems. Making computer system users aware of their security responsibilities and teaching them correct practices helps users change their behavior. It also supports individual accountability, which is one of the most important ways to improve computer security. Without knowing the necessary security measures (and to how to use them), users cannot be truly accountable for their actions.”

Gartner considers an information security awareness training program to be “an essential tool for all companies, regardless of size ... IT security managers must create clear, enforceable security policies and lead by example to promote a ‘security-aware’ corporate culture. Employee education and accountability will be key components of the program.

In a piece about balancing risk against cost, Gideon Rasmussen said “Establishing a culture of security is critical. Information security managers must be well versed in the breadth of the IT career field and other disciplines as well (e.g. physical security, accounting and human resources management). In addition, a security manager must be a passionate advocate and an effective communicator. Interpersonal skills should include the ability to communicate in non-technical terms.

The Institute of Internal Auditors’ electronic Systems Audit and Control says “Effective security is not only a technology problem, it is a business issue. It must address people’s awareness and actions, training, and especially the corporate culture, influenced by management’s security consciousness and the tone at the top.

Security guru Bruce Schneier said “Computers and networks might be difficult to secure, but the biggest security vulnerability is still that link between keyboard and chair. People are sloppy with security; they choose lousy passwords, don’t properly delete critical files, and they bypass security policies. They’re susceptible to social engineering, and they fall victim to phishing attacks. They misconfigure security hardware and software. They accidentally bring worms and Trojan horses into the network. In short, they’re a huge security problem. ... Most of the time security problems are inherently people problems, and technologies don’t help much. Photo IDs are a great example. Technologists want to add this and that technology to make IDs harder to forge, but I worry about people bribing issuing officials and getting real IDs in fake names. Technology that makes the IDs harder to forge doesn’t solve that problem.” Bruce describes what he calls semantic attacks (some refer to cognitive hacking) that target the human users rather than the computers themselves. He is also reported to have said “Always remember: amateurs hack systems. Professionals hack people.

A State of Information Security survey by CIO Magazine and PricewaterhouseCoopers noted “Respondents also identified several top strategic priorities for the coming year. In descending order, these are: disaster recovery and business continuity; employee awareness programs; data backup; enterprise information security strategy; enhanced network firewalls; a centralised information security management system; periodic security audits; employee monitoring; monitoring security reports such as log files or vulnerability reports; and protecting intellectual property.” Things are looking up at last!

The 2005 Australian Computer Crime and Security Survey noted: “The top vulnerabilities reported closely matched the top security management challenges for organisations. Inadequate staff training in computer security management (47%) and poor security culture within organisation (40%) were among the top vulnerabilities reported. This compares to 61% of respondents who identified changing users’ (staff) attitudes and behaviour towards computer security practices a challenge for them.” Survey respondents overwhelmingly acknowledged that they “need to do more to ensure an appropriate level of IT security qualification, training, experience or awareness for general staff, IT security staff and management.

Broadly similar findings were reported by Deloitte’s Global Security Survey of financial services companies. “Respondents ... point to a host of continuing challenges to the business. Chief among them are the increasing sophistication of threats (63%) and the lack of employee awareness and training (48%), both of which may create an environment of exploitable vulnerabilities and weak operational practices. It is clear why executives consistently cite risk management as the most important reason for investing in security.

In a submission to a Senate Committee, Harris Miller (President of the Information Technology Association of America ITAA) said “Too many times, the assumption is made that improving cyber security and fighting cyber crime can be done with technology alone. That is wrong .. . Failures in the ‘process and people’ part of the cyber crime solution may, in fact, be the majority of the problems we see ... the challenge is to make cyber security a top priority issue. Moving from platitudes to practical action requires the sustained commitment of senior management. The goal is to embed cyber security in the corporate culture ... Organizations must be willing to invest in the development of comprehensive security procedures and to educate all employees- -continuously ... the scope of the effort must also take into account the extended organization—supply chain partners, subcontractors, customers, and others that must interact on a routine basis.

How to raise awareness of information security

Quotation by Chris Potter, leader of the biannual UK security surveys
A planned and coordinated security awareness program helps secure the organization’s information assets by:
  • Bringing a disparate range of security awareness, training and educational measures under management control.
  • Providing a management and measurement framework, and a variety of communications techniques and tools.
  • Facilitating disciplinary or legal action against those who fail to comply with their information security obligations.
  • Improving the consistency of application of information security controls.
  • Improving the effectiveness information security controls e.g. through the implementation of new cost-effective and acceptable controls, and the retirement or redesign of ineffective controls.
  • Satisfying the organization’s legal obligations in respect of security awareness imposed by acts such as HIPAA, GLBA, SOX, FISMA and others.

Those of you reading this who think security awareness is simply a matter of putting up a few posters should heed the advice in a US Army security training manual: “After a while, a security poster, no matter how well designed, will be ignored; it will, in effect, simply blend into the environment. For this reason, awareness techniques should be creative and frequently changed.” People get bored seeing the same old posters, month after month, and soon become oblivious to them (a process known as ‘accommodation’ in biology - something even Pavlov’s dogs exhibited after a while). [In contrast, the US Air Force Travis base evidently still favors the old once-a-year security awareness approach. Come on guys, get with the program.]

Quote from Mich KabayIt’s obvious why people sometimes fail to use IT security features correctly: IT is difficult for nontechnical people to understand. What’s more, even technical people struggle with complex modern technologies and nobody is an expert in all fields. Effective security awareness programs need to find a balance between glossing-over important points and getting buried in the jargon, acronyms and fine details all too common in technical manuals. It is vital that awareness materials are written in a clear yet engaging style, and that the information content is interesting, relevant and useful. This is arguably the biggest challenge in security awareness.

The following advice on security awareness is extracted from the Information Security Forum’s excellent Standard of Good Practice for Information Security (section SM2.4):

    “Specific activities should be undertaken, such as a security awareness programme, to promote security awareness to all individuals who have access to the information and systems of the enterprise. [The] objective [is] to ensure all relevant individuals understand the key elements of information security and why it is needed, and understand their personal information security responsibilities. Specific activities should be performed to promote security awareness (the extent to which staff understand the importance of information security, the level of security required by the organisation and their individual security responsibilities – and act accordingly) across the enterprise. These activities should be:

    • Endorsed by top management
    • The responsibility of a particular individual, organisational unit, working group or committee
    • Supported by a documented set of objectives
    • Delivered as part of an on-going security awareness programme
    • Subject to project management disciplines
    • Kept up-to-date with current practices and requirements
    • Based on the results of a risk assessment
    • Aimed at reducing the frequency and magnitude of incidents
    • Measurable.

    Security awareness should be promoted to top management, business managers/users, IT staff and external personnel by providing information security education/training, such as via computer-based training (CBT) and by supplying specialised security awareness material, such as brochures, reference cards, posters and intranet-based electronic documents. Staff should be provided with guidance to help them understand the meaning of information security (i.e. the protection of the confidentiality, integrity and availability of information), the importance of complying with information security policy and applying associated standards/procedures, and their personal responsibilities for information security. The effectiveness of security awareness should be monitored by measuring and periodically reviewing the level of security awareness in staff, and the effectiveness of security awareness activities, for example by monitoring the frequency and magnitude of incidents experienced . Security-positive behavior should be encouraged by making attendance at security awareness training compulsory, publicizing security successes and failures throughout the organisation, and linking security to personal performance objectives/appraisals.”

Section SM2.5 of the Information Security Forum’s standard on security education continues:

    “Staff should be educated/trained in how to run systems correctly and how to develop and apply security controls. [The] objective [is] to provide staff with the skills required to run systems correctly and fulfill their information security responsibilities. Education/training should be given to provide staff with the skills they need to assess security requirements, propose security controls and ensure that security controls function effectively in the environments in which they are applied. Education/training should be carried out to provide:

    • Systems development staff with the skills they need to design systems in a disciplined manner and develop security controls
    • IT staff with the skills they need to run computer installations and networks correctly and apply security controls
    • Business users with the skills they need to use systems correctly and apply security controls
    • Information security specialists with the skills they need to understand the business, run security projects, communicate effectively, and perform specialist security activities.

With identity theft spinning out of control, and so many respondents concerned with the lack of employee awareness, it is troubling that only 65% of organizations have trained their employees on how to identify and report suspicious behavior” was one of the key findings of Deloitte’s 2005 Global Security Survey. “Many (64%) are slowly increasing security training and awareness programs, with methods ranging from classroom settings (32%) to posters (20%) to information on web sites (42%) to Lunch & Learns (18%). Regardless, these programs are only effective if people feel motivated by the overall security objective. Organizations must introduce and maintain “motivators” to help their people be ever-vigilant about the security function. Motivators can be both positive and negative - recognition programs as well as penalties and dismissals.

Duncan Harris (Security Assurance Director for Oracle Corporation) said “Corporate culture ultimately sets the course for process, people, plans, policies, but changing corporate culture is like turning an oil tanker. Process, plans, policies, people cannot protect against indifference. Security must become part of corporate genetic material (nature) as implemented by plans, policies, process (nurture).

According to Ernst & Young, the key to security awareness is “communicating with the entire organization regarding the threats that exist and the countermeasures that are available. Information security places a heavy emphasis on the judgment of individuals at all levels - particularly middle management. However, uninformed judgment, even in the presence of genius or intuition, is no substitute for accurate and timely information about the threats that an organization faces. Awareness also helps ensure that individuals understand security risks and the importance of security in their daily functions.

A factsheet on security awareness published by the now-defunct UK Department of Trade and Industry (DTI) stated that “A well-trained, well-informed workforce is one of the most powerful weapons in an information security manager’s arsenal. There are many reasons why, including: people are very good at spotting irregularities, much better than machines; a significant proportion of information security incidents occurs through staff not knowing or understanding; and well-motivated staff will report (and act upon) trends and incidents that no mechanised process could realistically hope to detect. The key word is motivation. Without sound motivation, no amount of knowledge or understanding will change staff behaviour. What is needed is appropriate knowledge and understanding accompanied by appropriate action.

Organizations need to have effective information security policies in place but this means more than simply ‘publishing’ policy statements written in some horribly stilted legalese. According to the Scotland Yard Computer Crime Unit, employers are: failing to address the company’s own security issues; not making staff aware of the policy; not ensuring that employees have signed up to the policy; failing to remind staff regularly what is acceptable and what is not; and offering no warning to staff of the dangers of being conned by hackers into giving away access information.

Way back in 1993, Michel Kabay published a seminal paper Social Psychology & INFOSEC, exploring the psychological reasons why conventional approaches to security awareness are ineffective. “A couple of hours of lectures followed by a video, a yearly ritual of signing a security policy that seems to have been written by Martians--these are not methods that will improve security. These are merely lip service to the idea of security.”  Amongst Mich’s conclusions were the following excellent points:

  • Presenting case-studies is likely to have a beneficial effect on participants’ readiness to examine security requirements.
  • Security awareness programs should include many realistic examples of security requirements and breaches.
  • We must inspire a commitment to security rather than merely describing it.
  • Emphasize improvements rather than reduction of failure.
  • Employees who dismiss security concerns or flout the regulations should be challenged on their attitudes, not ignored.
  • Identify the senior executives most likely to succeed in setting a positive tone for subsequent security training.
  • Security awareness programs should include repeated novel reminders of security issues.
  • Build a corporate culture which rewards responsible behavior such as reporting security violations.
  • Develop clearly written security policies and procedures.
  • Encourage social activities in the office ... Pay special attention to social outliers during instruction programs ... Work with the outliers to resist the herd’s anti-security bias.
  • Include small gifts in your security awareness program.
  • Start improving security a little at a time and work up to more intrusive procedures.
  • Bring in experts from the outside when faced with groupthink.

[Mich’s paper was updated and republished in the Computer Security Handbook, a recommended text on many CISSP courses.]

William Beer, information security director at PriceWaterhouse Coopers said “The biggest misconception is that security awareness training can be done once at staff induction with a computer-based training programme”. I have no issue with either staff induction training or computer-based training, indeed both are valid and worthwhile activities: the problem is expecting the two of these alone to be sufficient. Just imagine if drivers were taught to drive in a similar way!

Charles Cresson-Wood, famous author of Information Security Policies Made Easy, says “Repetition of information security policy ideas is essential; repetition impresses users and other audiences with the importance that management places on information security.” Perhaps that’s why the latest version of his book has well over 1,300 ‘policies’ ...


Document change record

Feb 14: the paper having become unwieldly, it was time to trim down the quotations and excise a stack of broken links.

Jan 14: quoted from the newly-revised standard ISO/IEC 27002.

Apr 13: added a quote from the Common Sense Guide to Mitigating Insider Threats (fourth edition), yet another outstanding product from Carnegie Mellon’s excellent Software Engineering Institute.

Jul 12: excised broken URLs.

May 11: quoted from NIST security advice for small businesses, and a piece by Fred Scholl.

Apr 10: added a further quote from PwC’s survey.

Feb 10 : cited the UK FSA report Data Security in Financial Services which contains excellent advice (plus case-study materials suitable for security awareness purposes) on the need for awareness and training around security policies and procedures for staff using and handling confidential information. Also quoted William Beer from PwC.

Jan 10 : quoted from Ernst & Young’s latest survey about the limitations of most home-grown security awareness programs.

Aug 09 : quoted from the ISF’s workshop report on the effectiveness of security awareness and from a white paper by the ePrivacy Group.

Apr 09: quoted Microsoft’s Mohammad Akif.

Feb 09 : quoted BT’s switched-on Group Security Director Mark Hughes and Adele Melek from Deloitte’s security survey.

Nov 08: commented on the 2008 information security survey by PwC.

Oct 08: quoted Benjamin Craig of River City Bank and Chris Burgess of CISCO.

Aug 08 : quoted from Luther Martin’s blog. Added the “three E’s” model - no, nothing to do with Ecstasy.

Jul 08 : quoted from the US Computer Security Act and FISMA, plus James Dorrian’s security awareness piece in INSECURE Magazine. Cited Travis air base’s sheep-dip approach to security awareness. Added a quote about the limitations of humans when it comes to behaving securely, from a Carnegie Mellon research paper on designing systems so humans make better security decisions.

Jun 08: quoted Chris Potter on 2nd generation approaches to security awareness. Quoted from ISACA’s Information Security Governance paper. Quoted from the MAGERIT risk management method. Added PICNIC.

Mar 08: incorporated a quote about security awareness being the glue.

Feb 08 : integrated the Information Security Forum’s advice previously on a separate page on this website. Quoted Martin Smith and Gideon Rasmussen. Included a graph from the CSI Survey 2007.

Jan 08 : quoted Susan Thunder, cited in Hafner and Markoff’s “Cyberpunk” book. Extracted from NERC standard CIP-004.

Dec 07: quoted from Creativity Fringes by Karl Mettke.

Oct 07 : quoted ASIS from their Information Asset Protection Guideline. Quoted Greg Newby from a CERT podcast on security awareness. Quoted Rebecca Herold.

Apr 07: quoted Carnegie Mellon University’s CyLab.

Feb 07: quoted Symantec’s Luis Navarro.

Jan 07: two quotes from Ryan Silkin’s excellent article on Law dotcom.

Nov 06: quoted from the 2006 global workforce survey by (ISC)2. Quoted Alisdair McKenzie, ISACA’s Wellington NZ Chapter President, and John C Glover, CISSP trainer based at the University of British Columbia, Canada.

Sep 06: quoted Brian Contos, author of Enemy at the Water Cooler.

Jul 06: quoted from a Kroll paper at the BECCA site.

Apr 06: quoted from a CompTIA security survey report. Quoted Jan Babiak, head of the information security practice at Ernst & Young.

Mar 06: quoted from TheAge.com.au

Feb 06: quoted Esther Czekalski from a discussion about standards on CISSPforum.

Dec 05 : added quotes from George Wang at the IDG World Expo SecurityWorld conference, Alex Ryskin at Interop and Steve Hunt in Computing magazine. Referenced a CIO/PwC report.

Oct 05: noted US military advice not to rely on old security posters.

Sep 05 : added more explanation about the value of information security controls, security awareness and a planned security awareness program. Quoted Gideon Rasmussen. Added links to a further handful of relevant NIST Special Publications.

Aug 05: quoted from GASSP.

Jul 05: published the first PDF version. Referenced NIST FIPS 200.

2003-4: published and started updating this ‘living white paper’.

HomeFreebies > Value of awareness >

Copyright © 2017 IsecT Ltd.