The true value of
In a keynote speech at the IDG World Expo SecurityWorld Conference & Showcase in Singapore in November 2005, George Wang, CISO of Reuters Asia, attributed security failure to three factors: people concentrating too much on security itself, security measures not aligned with business strategy, and the existence of a communication gap between senior management and IT professionals. Seeing the “big picture”, he said, begins with positioning - that is, establishing a security position that suits both company resources and business direction. “It has to be a long-term commitment and sustainable,” he said. Along the lines of business strategy, the plethora of factors requiring consideration stretches from corporate positioning to the culture of the organisation. “Does your risk strategy suit your company’s security culture?” asked Wang. Battling with legalities and regulations sometimes places a damper on an organisation’s capacity to pursue the right security measure. Proper risk assessment is also crucial in establishing a company’s “risk appetite” - how much risk it can comfortably afford to handle within its security plan. Corporate culture is important too, he said. He addressed the problem of the communication gap that exists between senior management and the executives proposing the security measures, saying that the problem lay with ineffective explanation of security objectives. Senior management is often not aware of or concerned with the measures. “Transform management into stakeholders,” he recommended, so as to place personal interest in the hands of management. This transparency he advocates is seen in his other measures for clear and elaborate communication: not just upwards with management, but across the departments as well, “so that security gets embedded in the value chain.” Engaging the entire organisation involves the technical people as well as Legal, Human Resources and even Public Relations (PR).
Information security controls improve the organization’s profitability by reducing both the number and the extent of information security breaches, reducing both the direct and indirect costs (e.g. lost productivity through time lost investigating and resolving breaches and hoaxes; irrecoverable loss of data; expenses incurred in recovering and securing compromised data and systems; notification of customers and regulators; fines for breaching laws and regulations; damaged reputation leading to customer defections and brand devaluation).
Furthermore, comprehensive and reliable information security controls reduce the organization’s overall risk profile. Good information security builds management’s confidence and trust, allowing the organization to press ahead with business opportunities (such as eBusiness) that might otherwise be too risky to contemplate. Part of this arises from better knowledge of the extent of security breaches that occur: consistently reporting information about actual and potential (near-miss) security breaches to management is a sign of a mature information security framework.
Richard Menta commented on ‘recent research of the top 350 UK companies listed on the Financial Times’ saying “Four out of five investors indicated that a significant breach in security would have a major impact on share price. Two thirds said it would influence a decision to buy or sell shares. Nearly nine in ten expected board members to be aware of, and to be able to review, their company’s infosec vulnerabilities, and 57 percent thought they should know about the company’s information risk strategy”. [Richard went on to make a case for keeping stakeholders informed about an organization’s information security status - an interesting perspective on security awareness. Topping the list of ‘nine steps to safety’ was “Persuade senior managers to embrace a security culture and give staff continuous access to security and privacy information and training”.]
We have invested in firewalls, antivirus systems and other security technology. Every one of those products was no doubt sold to us on the basis of its effectiveness but we still suffer severe information security breaches and the problems are getting worse, not better. What’s going wrong? The answer according to Gartner is that “80% of unplanned downtime is due to people and processes.” COSO makes the point that “Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.”
In other words, the real issue with information security is PICNIC.
The 3rd annual (ISC)²-sponsored Global Information Security Workforce Study looked at this issue in some depth. “According to more than 4,000 information security professionals from more than 100 countries in the largest study of its kind, the most important elements in effectively securing their organization’s infrastructure are (in order of importance):
According to the study, the top three success factors highlight the need for public and private entities to focus more time and attention on policies, processes and people, all areas which have been traditionally overlooked in favor of trusting hardware and software to solve security problems. Survey respondents say organizations are now beginning to recognize that technology is an enabler, not the solution, for implementing and executing a sound security strategy.”
The 2008 information security survey by Pricewaterhouse Coopers revealed that investment in security technologies had increased but “the acute focus on technology over the last year has not been matched by an equally robust commitment to other critical drivers of security’s value, such as: (1) many of the critical business and security processes that support technology, and (2) the people who administer them.”
The PwC survey found an increase in the proportion of organizations running security awareness programs but nearly half still don’t have them.
The question of whether to spend the budget on security technology or on awareness, training and education highlights a false dichotomy. These are not alternatives but complementary and mutually supportive approaches. Technical security controls are strong, but they have to be correctly specified, designed, developed, implemented, configured, used and maintained - all of which steps involve human beings. Simply put, security-aware managers, staff and IT professionals make better use of technical security controls.
In their network security survey report, Meta estimated that “30% of IT security relates to technology, and 70% relates to people and practices.” According to Forrester, “Technology alone can’t address one of the most difficult aspects of any security programme, the human element. In the end, it is usually people who make the simple mistakes – or commit the crimes – that lead to most security breakdowns.” Martin Smith, principal of The Security Company, puts it thus: “We must stop developing increasingly technical solutions for increasingly obscure problems at the expense of the blindingly obvious. Systems malfunctions and human error or ignorance will cost you far more than viruses, cybercrime, phishing or Denial-of-Service attacks.” I couldn’t agree more, Martin!
The UK’s FSA (Financial Services Authority i.e. the industry regulator for banks, insurance and investment companies operating in Britain) found that “Data security is not simply an IT issue. The responsibility for ensuring data security should be coordinated across the business. Senior management, information security, human resources, financial crime, physical security, IT, compliance and internal audit are all examples of functions that have an important role to play in keeping customer data safe.” While the FSA’s 2008 report Data Security in Financial Services: Firms’ controls to prevent data loss by their employees and third-party suppliers was principally concerned with the way companies protect consumers’ personal data, the same principle applies equally to corporate data, and to information in non-electronic formats.
In 2005, Verisign famously reported that most people asked were willing to reveal their passwords for a $3 Starbucks coffee token. “According to the company, one executive who was too busy to respond to questions but still wanted a gift card sent his administrative assistant back to complete the survey. The assistant promptly revealed both the executive’s password and her own.” The take-home message in terms of a general disregard for information security is pretty clear. A similar 2004 survey used chocolate bars to bribe people out of their passwords. So many other studies have found basically the same thing that this is no longer considered newsworthy. Remember this the next time you see an online “security survey” ...
Expenditure on security technologies such as firewalls, antivirus and PKI should be matched by spending on security processes, including of course security awareness. Formal security policies, no matter how carefully they are written, are of little value unless employees know about them, understand their obligations and actively comply. What’s more, there are some security threats for which there are no effective technical controls. Broad awareness throughout the organization is the only realistic way to counter social engineering, for instance.
“People are becoming the weakest link. A fluid work force with diminished loyalty to organisations is being exacerbated by the fact that people do not always realise the value of information that they deal with,” said Claudia Warwar, managing consultant at IBM BCS Security and Privacy Practice (quoted from www.theage.com.au). Claudia, people are the weakest links and have been for ages!
A security report by the State of Texas Department of Information Resources (no longer online) noted that security requires “more than a ‘technology fix’: formulating a strategic approach to information security management is a matter of addressing two basic issues: process and technology infrastructure. Ensuring Internet security requires more than simply the right technology resources. Like a bank vault, no amount of technology will provide adequate security in and of itself. To ‘keep the money secure’ the vault must be used correctly. Security is breached when procedures are not followed, when the wrong people are admitted to the vault, or if the vault is left open and unattended. Often we look to technology to solve business problems when in fact the processes are the more important solutions.”
In Confessions of a Master Jewel Thief, Bill Mason says “A building protected by nothing more than a cheap combination lock but inhabited by people who are alert and risk-aware is much safer than one with the world’s most sophisticated alarm system whose tenants assume they’re living in an impregnable fortress.” This gets to the very heart of the security awareness issue: while locks and other security technologies can help, the most important factor is the security/risk alertness and motivation of people. Faced with two shops, one with attentive security guards and other employees versus one whose staff appear to be in a world of their own, the robber has an obvious choice. Even if the second shop has better security technology, the chances are that staff will not respond as quickly and effectively as the first. Remember this parable as you plan your Network Intrusion Detection System!
The Honeynet project said “The primary threat is changing from machine-focused to human-focused. There is a growing trend towards social engineering, attacking the people using computers. In some cases, it is no longer the computer that is valuable, but the individual’s information that resides on it. Also, it’s often becoming easier to attack the user as opposed to the system, as newer installations are more secure by default. As a result, considerably more effort is being expended in strategies such as phishing to extract valuable information from targets, or malicious websites and mobile code that compromise client systems.”
Information security awareness, a specific form of information security control, helps secure information assets by:
The phrase ‘To err is human ...’ encapsulates a fundamental difference between people and computers. People often make mistakes, are sometimes lazy, forgetful or inattentive, and often misunderstand complex situations. We seek shortcuts to avoid boring, repetitive tasks and may cheat, bend or break the rules to get things done. Even perfectionists occasionally settle on being good enough. We react emotionally, sometimes irrationally. Computers, in contrast, slavishly and precisely follow logical program instructions. Boredom is not a factor - computers simply take longer to process more data or resolve more complicated problems. If we are to improve information security, we must take these fundamental differences into account. We need to think holistically: ‘systems’ are not just the computers but include the users and administrators plus the management and operational processes. “Errors are caused by faulty systems, processes and conditions that lead people to make mistakes or fail to prevent them.” (Institute of Medicine).
It is pointless to put stronger and stronger links in our security chain unless we address the weakest links. Technology alone is clearly not enough to ensure information security: it has to be implemented and managed professionally and of course it has to be used properly. The problem lies not so much with technology itself but with the people and processes in the organization. General staff, technologists and managers must actually use the security controls properly in order for them to be effective. People and processes are the weakest links. Until we measure and improve security awareness, this will inevitably remain true.
The Awareness Principle, one of the fundamental Pervasive Principles defined in the Generally Accepted Systems Security Principles (GASSP), states: “All parties with a need to know, including, but not limited to, information owners and information security practitioners, should have access to available principles, standards, conventions, or mechanisms for the security of information and information systems, and should be informed of applicable threats to the security of information. Rationale: This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without user awareness of the necessity for particular controls, the users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.”
The UK FSA report Data Security in Financial Services cited earlier found that “in some firms, senior management wrongly assumed their staff were aware of good data security practice even when there was no formal training in place to explain relevant policies and procedures. In addition, there was often an assumption that otherwise well-trained and honest staff would instinctively understand data security risk and know how to deal with it. These assumptions were misguided and we found that most front-line staff expected precise instructions from management about the procedures they should follow.” In other words, both the industry regulator and employees expect employees to receive suitable training and awareness on information security matters from their employer. Why wouldn’t you do it?
Ernst & Young said “It has long been generally accepted that authorized users and employees pose the greatest security threat to an organization and that raising and maintaining the awareness level of those people is a crucial part of an effective information security strategy. In spite of this knowledge, this remains a significant challenge and a significant issue for many organizations. While most organizations (74%) have a security awareness program, less than half of all respondents indicated that their program includes such things as:
Furthermore, only 20% of respondents indicated that they measure the effectiveness of their awareness programs and modify those programs based on the results ... many current security training and awareness programs are not working as well as they could be. It should also be noted that 73% of respondents have no plans to outsource their security training and awareness programs. Yet, when we look closer at the 12% of respondents who currently outsource this activity, does not make it into the top three challenges for these organizations. This may illustrate the fact that more organizations should begin to look for outside help to design, execute, monitor and (or) measure the effectiveness of their security training and awareness programs.”
Among other things, NIST Special Publication SP 800-53 Recommended Security Controls for Federal Information Systems, says “An effective information security program should include ... security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the organization) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks.” It recommends awareness programs should at least cover the topics identified in SP 800-50 Building an Information Technology Security Awareness and Training Program.
NIST FIPS PUB 200 (Minimum Security Requirements for Federal Information and Information Systems) notes: “Awareness and Training: Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.”
Effective security awareness programs bind the whole Information Security Management System together, complementing and supporting technical, physical and procedural controls. Awareness links policies to practices, aligning what people actually do with what they are supposed to do. It helps them understand their obligations and motivates them to comply - not just because they are told to do so but out of self interest.
NERC Critical Infrastructure Protection standard CIP-004 explicitly mandates security awareness and training for those in the US electricity industry. “Awareness — The Responsible Entity shall establish, maintain, and document a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as:
• Direct communications (e.g., emails, memos, computer based training, etc.);
• Indirect communications (e.g., posters, intranet, brochures, etc.);
• Management support and reinforcement (e.g., presentations, meetings, etc.).”
The US Computer Security Act of 1987 requires that "Each agency shall provide for the mandatory periodic training in computer security awareness and accepted computer practices of all employees who are involved with the management, use, or operation of each federal computer system within or under the supervision of that agency." Unfortunately, ‘periodic’ is not explicitly defined, so “Once in a blue moon” seems to be the accepted norm among those who fail to appreciate the commercial value of ongoing or continuous awareness programmes.
Federal Information Security Management Act 2002 (FISMA) requires that an “agency-wide information security program shall include security awareness training to inform personnel, including contractors and other users of information systems that support the operation and assets of the agency, of information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks.”
NIST’s Introduction to Computer Security: The NIST Handbook (SP 800-12) says “People, who are all fallible, are usually recognized as one of the weakest links in securing systems. The purpose of computer security awareness, training, and education is to enhance security by:
Making computer system users aware of their security responsibilities and teaching them correct practices helps users change their behavior. It also supports individual accountability, which is one of the most important ways to improve computer security. Without knowing the necessary security measures (and to how to use them), users cannot be truly accountable for their actions.”
Gartner considers an information security awareness training program to be “an essential tool for all companies, regardless of size ... IT security managers must create clear, enforceable security policies and lead by example to promote a ‘security-aware’ corporate culture. Employee education and accountability will be key components of the program.”
In a piece about balancing risk against cost, Gideon Rasmussen said “Establishing a culture of security is critical. Information security managers must be well versed in the breadth of the IT career field and other disciplines as well (e.g. physical security, accounting and human resources management). In addition, a security manager must be a passionate advocate and an effective communicator. Interpersonal skills should include the ability to communicate in non-technical terms.”
The Institute of Internal Auditors’ electronic Systems Audit and Control says “Effective security is not only a technology problem, it is a business issue. It must address people’s awareness and actions, training, and especially the corporate culture, influenced by management’s security consciousness and the tone at the top.”
Security guru Bruce Schneier said “Computers and networks might be difficult to secure, but the biggest security vulnerability is still that link between keyboard and chair. People are sloppy with security; they choose lousy passwords, don’t properly delete critical files, and they bypass security policies. They’re susceptible to social engineering, and they fall victim to phishing attacks. They misconfigure security hardware and software. They accidentally bring worms and Trojan horses into the network. In short, they’re a huge security problem. ... Most of the time security problems are inherently people problems, and technologies don’t help much. Photo IDs are a great example. Technologists want to add this and that technology to make IDs harder to forge, but I worry about people bribing issuing officials and getting real IDs in fake names. Technology that makes the IDs harder to forge doesn’t solve that problem.” Bruce describes what he calls semantic attacks (some refer to cognitive hacking) that target the human users rather than the computers themselves. He is also reported to have said “Always remember: amateurs hack systems. Professionals hack people.”
A State of Information Security survey by CIO Magazine and PricewaterhouseCoopers noted “Respondents also identified several top strategic priorities for the coming year. In descending order, these are: disaster recovery and business continuity; employee awareness programs; data backup; enterprise information security strategy; enhanced network firewalls; a centralised information security management system; periodic security audits; employee monitoring; monitoring security reports such as log files or vulnerability reports; and protecting intellectual property.” Things are looking up at last!
The 2005 Australian Computer Crime and Security Survey noted: “The top vulnerabilities reported closely matched the top security management challenges for organisations. Inadequate staff training in computer security management (47%) and poor security culture within organisation (40%) were among the top vulnerabilities reported. This compares to 61% of respondents who identified changing users’ (staff) attitudes and behaviour towards computer security practices a challenge for them.” Survey respondents overwhelmingly acknowledged that they “need to do more to ensure an appropriate level of IT security qualification, training, experience or awareness for general staff, IT security staff and management.”
Broadly similar findings were reported by Deloitte’s Global Security Survey of financial services companies. “Respondents ... point to a host of continuing challenges to the business. Chief among them are the increasing sophistication of threats (63%) and the lack of employee awareness and training (48%), both of which may create an environment of exploitable vulnerabilities and weak operational practices. It is clear why executives consistently cite risk management as the most important reason for investing in security.”
The Information Security Forum’s Standard of Good Practice for Information Security contains explicit advice on the need for a structured security awareness program, as indeed does ISO/IEC 27002 and HIPAA (organizations should “implement [a] security awareness and training program for all members of its workforce (including management)”).
In a submission to a Senate Committee, Harris Miller (President of the Information Technology Association of America, ITAA) said “Too many times, the assumption is made that improving cyber security and fighting cyber crime can be done with technology alone. That is wrong ... Failures in the ‘process and people’ part of the cyber crime solution may, in fact, be the majority of the problems we see ... the challenge is to make cyber security a top priority issue. Moving from platitudes to practical action requires the sustained commitment of senior management. The goal is to embed cyber security in the corporate culture ... Organizations must be willing to invest in the development of comprehensive security procedures and to educate all employees--continuously ... the scope of the effort must also take into account the extended organization—supply chain partners, subcontractors, customers, and others that must interact on a routine basis.”
A planned and coordinated security awareness program helps secure the organization’s information assets by:
Those of you reading this who think security awareness is simply a matter of putting up a few posters should heed a US Army security training manual: “after a while, a security poster, no matter how well designed, will be ignored; it will, in effect, simply blend into the environment. For this reason, awareness techniques should be creative and frequently changed.” People get bored seeing the same old posters, month after month, and soon become oblivious to them (a process known as ‘accommodation’ in biology - something even Pavlov’s dogs exhibited after a while). [In contrast, the US Air Force Travis base evidently still favors the old once-a-year security awareness approach. Come on guys, get with the program.]
It’s obvious why people sometimes fail to use IT security features correctly: IT is difficult for nontechnical people to understand. What’s more, even technical people struggle with complex modern technologies and nobody is an expert in all fields. Effective security awareness programs need to find a balance between glossing-over important points and getting buried in the jargon, acronyms and fine details all too common in technical manuals. It is vital that awareness materials are written in a clear yet engaging style, and that the information content is interesting, relevant and useful. This is arguably the biggest challenge in security awareness.
The following advice on security awareness is extracted from the Information Security Forum’s excellent Standard of Good Practice for Information Security (section SM2.4):
“Specific activities should be undertaken, such as a security awareness programme, to promote security awareness to all individuals who have access to the information and systems of the enterprise. [The] objective [is] to ensure all relevant individuals understand the key elements of information security and why it is needed, and understand their personal information security responsibilities. Specific activities should be performed to promote security awareness (the extent to which staff understand the importance of information security, the level of security required by the organisation and their individual security responsibilities – and act accordingly) across the enterprise. These activities should be:
Security awareness should be promoted to top management, business managers/users, IT staff and external personnel by providing information security education/training, such as via computer-based training (CBT) and by supplying specialised security awareness material, such as brochures, reference cards, posters and intranet-based electronic documents. Staff should be provided with guidance to help them understand the meaning of information security (i.e. the protection of the confidentiality, integrity and availability of information), the importance of complying with information security policy and applying associated standards/procedures, and their personal responsibilities for information security. The effectiveness of security awareness should be monitored by measuring and periodically reviewing the level of security awareness in staff, and the effectiveness of security awareness activities, for example by monitoring the frequency and magnitude of incidents experienced. Security-positive behavior should be encouraged by making attendance at security awareness training compulsory, publicizing security successes and failures throughout the organisation, and linking security to personal performance objectives/appraisals.”
Section SM2.5 of the standard on security education continues:
“Staff should be educated/trained in how to run systems correctly and how to develop and apply security controls. [The] objective [is] to provide staff with the skills required to run systems correctly and fulfill their information security responsibilities. Education/training should be given to provide staff with the skills they need to assess security requirements, propose security controls and ensure that security controls function effectively in the environments in which they are applied. Education/training should be carried out to provide:
“With identity theft spinning out of control, and so many respondents concerned with the lack of employee awareness, it is troubling that only 65% of organizations have trained their employees on how to identify and report suspicious behavior” was one of the key findings of Deloitte’s 2005 Global Security Survey. “Many (64%) are slowly increasing security training and awareness programs, with methods ranging from classroom settings (32%) to posters (20%) to information on web sites (42%) to Lunch & Learns (18%). Regardless, these programs are only effective if people feel motivated by the overall security objective. Organizations must introduce and maintain “motivators” to help their people be ever-vigilant about the security function. Motivators can be both positive and negative - recognition programs as well as penalties and dismissals.”
According to Ernst & Young, the key to security awareness is “communicating with the entire organization regarding the threats that exist and the countermeasures that are available. Information security places a heavy emphasis on the judgment of individuals at all levels - particularly middle management. However, uninformed judgment, even in the presence of genius or intuition, is no substitute for accurate and timely information about the threats that an organization faces. Awareness also helps ensure that individuals understand security risks and the importance of security in their daily functions.”
A factsheet on security awareness published by the UK Department of Trade and Industry (DTI) states that “A well-trained, well-informed workforce is one of the most powerful weapons in an information security manager’s arsenal. There are many reasons why, including:
The key word is motivation. Without sound motivation, no amount of knowledge or understanding will change staff behaviour. What is needed is appropriate knowledge and understanding accompanied by appropriate action.”
Organizations need to have effective information security policies in place but this means more than simply ‘publishing’ policy statements written in some horribly stilted legalese. According to the Scotland Yard Computer Crime Unit, employers are:
Way back in 1993, Michel Kabay published a seminal paper Social Psychology & INFOSEC, exploring the psychological reasons why conventional approaches to security awareness are ineffective. “A couple of hours of lectures followed by a video, a yearly ritual of signing a security policy that seems to have been written by Martians--these are not methods that will improve security. These are merely lip service to the idea of security.” Amongst Mich’s conclusions were the following excellent points:
[Mich’s paper was updated and republished in the Computer Security Handbook 4th Edition, a recommended text on many CISSP courses.]
William Beer, information security director at PricewaterhouseCoopers, said “The biggest misconception is that security awareness training can be done once at staff induction with a computer-based training programme”. I have no issue with either staff induction training or computer-based training; indeed, both are valid and worthwhile activities. The problem is expecting the two of these alone to be sufficient. Just imagine if drivers were taught to drive in a similar way!
Charles Cresson Wood, well-known author of Information Security Policies Made Easy, says “Repetition of information security policy ideas is essential; repetition impresses users and other audiences with the importance that management places on information security.” Perhaps that’s why the latest version of his book has well over 1,300 ‘policies’ ...
NoticeBored is a creative product that contributes to awareness, training and education (ATE) activities - but what do we actually mean by these terms? In Special Publication 800-50, NIST explains:
NoticeBored includes elements from all three but its primary aim is to raise awareness, provide information and guidance to the identified audience groups (staff, managers and IT professionals) and motivate them to change their behaviors. It is important to emphasize that security awareness supplements, rather than replaces, technical security controls. Security awareness is just one of several essential security measures.
NoticeBored helps customers:
People, not technologies, are the focus of NoticeBored
Find out more about what NoticeBored can do for you elsewhere on this website, or contact us for further information. As you might have guessed, we’re passionate about security awareness. We’d love to share some of that passion with you.
April 13: added a quote from the Common Sense Guide to Mitigating Insider Threats (fourth edition), another outstanding product from Carnegie Mellon’s Software Engineering Institute.
July 12: excised broken URLs.
May 11: quoted from NIST security advice for small businesses, and a piece by Fred Scholl.
Apr 10: added a further quote from PwC’s survey.
Feb 10: cited the UK FSA report Data Security in Financial Services which contains excellent advice (plus case-study materials suitable for security awareness purposes) on the need for awareness and training around security policies and procedures for staff using and handling confidential information. Also quoted William Beer from PwC.
Jan 10: quoted from Ernst & Young’s latest survey about the limitations of most home-grown security awareness programs.
Aug 09: quoted from the ISF’s workshop report on the effectiveness of security awareness and from a white paper by the ePrivacy Group.
Apr 09: quoted Microsoft’s Mohammad Akif.
Feb 09: quoted BT’s switched-on Group Security Director Mark Hughes and Adele Melek from Deloitte’s 2009 security survey.
Nov 08: commented on the 2008 information security survey by PwC.
Oct 08: quoted Benjamin Craig of River City Bank and Chris Burgess of Cisco.
Aug 08: quoted from Luther Martin’s blog. Added the “three E’s” model - no, nothing to do with Ecstasy.
Jul 08: quoted from the US Computer Security Act and FISMA, plus James Dorrian’s security awareness piece in INSECURE Magazine vol 17. Cited Travis air base’s sheep-dip approach to security awareness. Added a quote about the limitations of humans when it comes to behaving securely, from a Carnegie Mellon research paper on designing systems so humans make better security decisions.
Jun 08: quoted Chris Potter on 2nd generation approaches to security awareness. Quoted from ISACA’s Information Security Governance paper. Quoted from the MAGERIT risk management method. Added PICNIC.
Mar 08: incorporated a quote about security awareness being the glue.
Feb 08: integrated the Information Security Forum’s advice previously on a separate page on this website. Quoted Martin Smith and Gideon Rasmussen. Included a graph from the CSI Survey 2007.
Jan 08: quoted Susan Thunder, cited in Hafner and Markoff’s “Cyberpunk” book. Extracted from NERC standard CIP-004.
Dec 07: quoted from Creativity Fringes by Karl Mettke.
Oct 07: quoted ASIS from their Information Asset Protection Guideline. Quoted Greg Newby from a CERT podcast on security awareness. Quoted Rebecca Herold.
Apr 07: quoted Carnegie Mellon University’s CyLab.
Feb 07: quoted Symantec’s Luis Navarro.
Jan 07: two quotes from Ryan Silkin’s excellent article on Law dotcom.
Nov 06: quoted from the 2006 global workforce survey by (ISC)2. Quoted Alisdair McKenzie, ISACA’s Wellington NZ Chapter President, and John C Glover, CISSP trainer based at the University of British Columbia, Canada.
Sep 06: quoted Brian Contos, author of Enemy at the Water Cooler.
Jul 06: quoted from a Kroll paper at the BECCA site.
Apr 06: quoted from a CompTIA security survey report. Quoted Jan Babiak, head of the information security practice at Ernst & Young.
Mar 06: quoted from TheAge.com.au.
Feb 06: quoted Esther Czekalski from a discussion about standards on CISSPforum.
Dec 05: added quotes from George Wang at the IDG World Expo SecurityWorld conference, Alex Ryskin at Interop and Steve Hunt in Computing magazine. Referenced a CIO/PwC report.
Oct 05: noted US military advice not to rely on old security posters.
Sep 05: added more explanation about the value of information security controls, security awareness and a planned security awareness program. Quoted Gideon Rasmussen. Added links to a further handful of relevant NIST Special Publications.
Aug 05: quoted from GASSP.
Jul 05: published the first PDF version. Referenced NIST FIPS 200.
2003-4: published and started updating this ‘living white paper’.
Copyright © 2013 IsecT Ltd.