The Organization’s Management of

Security – Training and Awareness

Jennita Appanah
Lecture 12 – 02 September 2022
TRAINING AND AWARENESS

• Protecting the organisation’s information is not usually at the top of most managers’
priorities.
• They are more likely to be concentrating on immediate pressures like hitting targets or
meeting deadlines.
• They may not have considered how reliant they are on their information systems to
help them achieve these goals, or whether these systems are vulnerable.
• Too often, the need to secure data properly is only brought to one’s attention after it is
lost or becomes corrupted.
• Therefore, ensuring that users understand their assurance responsibilities and are aware
of the risks to their information systems is a key security control.
Purpose and role of security training (1)
• Organisations need both their staff and any third parties accessing their information to
comply with the information assurance policies and procedures in order to reduce the
likelihood of assurance issues.
• Providing appropriate security training will help individuals to understand their
assurance responsibilities, how the enterprise’s information assets can be put at risk
and how this can be avoided.
• Enterprises that do not implement awareness and training initiatives are more likely to
experience security related issues.
• Security training is, in relative terms, a low-cost assurance control that can create a
positive and lasting change in users’ behaviour.
Purpose and role of security training (2)
• By understanding the risks, your users are more likely to remember what they need to
do to protect the organisation’s information and the systems containing it.
• For example, most people would realise that leaving their wallet on display in an
unlocked car could attract an opportunist thief.
• They would certainly have a personal appreciation of the loss and inconvenience
caused by its theft.
• However, they might not equate the loss of information assets in quite the same way.
• They also might not be aware that disclosure of sensitive information could lead to a
breach of current data protection legislation or that not following a set procedure, such
as a data backup, could result in a severe financial loss to the enterprise.
Purpose and role of security training (3)
• Anyone with access to the enterprise’s information systems should receive some form
of information security education and training.
• The level of training that they may need can vary with their role, but it should be
sufficient to ensure that they can carry out essential assurance procedures and have
sufficient understanding of the correct use of their information systems.
• It should always include awareness of the acceptable use policy, no matter who they
are.
• The key messages, tone and approach of a security training or awareness programme
must be relevant to the intended audience and consistent with the values and goals of
the enterprise.
Purpose and role of security training (4)
• Messages may contain common themes but the language and delivery should be
tailored to suit the audience.
• Therefore, when developing security training, thought should be given to the messages
to be conveyed and what needs to be achieved.
• It should consider the following questions:
  • What does this group of people need to know?
  • Why do they need to know it?
  • What is their current understanding?
  • What should they think and do after the messages have been delivered?
Purpose and role of security training (5)
• Use language that they will understand and avoid jargon.
• Examples and case studies will need to convey ‘real-life scenarios’ and be appropriate to
them.
• Security incidents that may have occurred previously within the enterprise, or within other
similar organisations, are always useful to get the message home.
• Security awareness and training should be seen as a continuous process rather than as a
once-only exercise.
• Its overall objective is to reduce information assurance risk by developing a positive security
culture.
• This is achieved by increasing the level of understanding about information assurance and
explaining to users what is expected of them to protect the organisation’s information assets.
Approaches to training and promoting awareness (1)
• There are two broad approaches to improving levels of knowledge; first, through
specific information security training, and second, through raising awareness of
information security.
• Training tends to be focused and addresses specific issues.
• Its primary aim is to achieve within the user a certain level of competence in a given
area.
• Awareness is more general and aims to create a change in user behaviour and influence
the perception of risk.
• Individual campaigns should be developed to target particular areas for improvement,
to cater for the various types of audiences or to cover some specific security matters.
Approaches to training and promoting awareness (2)
• Effective campaigns need to be meaningful to their audience to result in a long-lasting
change in user behaviour, and they should concentrate on what an individual can do to
improve security.
• As with other security activities, it is important to gain sponsorship from the senior
management of the enterprise.
• If senior management are seen to value and support positive security behaviour, then
line management and general staff members are more likely to adopt similar behaviour
themselves.
• Without senior sponsorship, line managers may be reluctant to release staff members to
take part in the campaign or communicate the need for security to them.
Approaches to training and promoting awareness (3)
• In turn, staff may fail to take the campaign seriously, as they may not have been given
sufficient time and support to be involved, and they may not appreciate the importance
of security within their roles, as this may not have been communicated to them.
• An awareness campaign or security training programme should be developed as a
formal project with agreed objectives so that it can be delivered efficiently and
measured for success.
• It is important to concentrate on the security issues that are relevant to the enterprise
and not on what the ‘hot topics’ are within the industry.
• The issues that will be addressed by the project and the training messages should be
identified. Each training message should explain the security issue and what can be
done to address it.
Approaches to training and promoting awareness (4)
• If users do not understand what the problem is and what is expected of them to help
address it, then they are less likely to adopt the desired behaviour.
• Constant repetition of the same messages or information presented in a dull manner
will create user disinterest.
• Some issues, like password sharing, are perennial problems, but it is important to try
to deliver them in a fresh way each time.
• The type of approach adopted will be constrained by a number of factors including the
size of the enterprise, its culture, available funds and either the scale or the scope of the
campaign.
Approaches to training and promoting awareness (5)
• If the organisation has a press office, communications specialist or perhaps a training
department, then try to involve them, as they should be able to provide guidance and
advice on a suitable approach.
• Timing is everything. To get the best attention from the target audience, schedule
campaigns to fit in with working schedules and enterprise priorities. Avoid busy times
such as year-end accounting, month ends, and peak sales or holiday periods.
Available training materials (1)
• There is a variety of methods and materials that can be used to support awareness and
training campaigns.
• Choice is usually constrained by budgets and the size and culture of the organisation.
• Face-to-face presentations are effective, as the participant is able to interact directly
with the trainer, but they can be resource-intensive, especially if many people need to
be trained.
• External training courses can be used to cover specialist topics.
• If there are sufficient numbers, it is sometimes more cost-effective to get an external
trainer to carry out the training course on the premises.
Available training materials (2)
• As an alternative, courses or workshops could be developed in-house.
• Messages can then be tailored to each audience and the sessions repeated many times
over at little or no extra cost.
• Face-to-face training will take staff members away from their normal activities for
periods of time, so this approach could meet with resistance from line managers unless
support is gained from senior management.
• Training videos and DVDs can deliver a message that is consistent throughout the
organisation and have the benefit of being easily transportable.
• This could work out as a reasonably low-cost option if it needs to be viewed by users
across many office locations, branches, retail outlets or homes.
Available training materials (3)
• They are less personal than face-to-face training and it is less easy to track who has
viewed or completed the training.
• They can sometimes be costly to produce and they are not always easily adapted if
circumstances or technology change.
• There are companies that provide off-the-shelf training videos covering subjects that may
be appropriate to the enterprise or that can be adapted.
• With this approach there are potential issues over access to the necessary DVD- or
video-playing equipment, and the actual media is also often lost.
• Computer-based training (CBT) provides a similar solution to videos and DVDs, but can
be more interactive and have the advantage of being delivered directly to the user’s
desktop, minimising their time spent away from the workplace.
Available training materials (4)
• Obviously, it is only relevant to people who use, or have access to, a PC workstation as
part of their job function.
• Most CBT packages are able to offer a tracking system to record attendance and any
scores from tests.
• Again, external companies may be able to provide an off-the-shelf solution at a
reasonable cost.
• In some instances, a CBT module can be used for an initial information security
campaign and then included as part of an induction course to ensure new personnel
understand the security culture and requirements of the enterprise when they start.
Available training materials (5)
• Electronic formats, such as workstation screen savers and emails, can also be a useful
way to deliver important or timely security messages straight to the desktop.
• Many organisations have intranets and these can also be used effectively, and at low
cost, to convey training and awareness messages.
• There are a number of external companies that produce awareness material, again at
low cost, that can be adapted for use on intranet sites.
• The distribution may be quick and easy but electronic methods rely on the end user
choosing to access and read the information.
• Systems for the effective management of not only security policies, but any other
policy too, are now available and gaining in popularity.
Available training materials (6)
• These can include asking the reader a number of pertinent questions before allowing
them to sign as having understood the policy.
• There are numerous visual aids that can be used to convey security messages.
• These include paper-based media such as posters, leaflets, booklets, brochures and
reference cards.
• They are relatively low cost to produce and can be effective.
• However, there is no guarantee they will actually reach your intended audience so they
need to be supported by other methods.
• For example, posters can reinforce the messages delivered within a CBT module or a
face-to-face training session.
Available training materials (7)
• Leaflets or postcards could be sent by the director responsible for information
assurance by contacting all department managers and asking them to get their staff
members to read them.
• Finally, most people enjoy being given a small gift, so personalised items such as pens,
mouse mats, puzzles or stress balls can play a part in delivering key information
security messages.
• Measurement of success is a difficult area.
• A test or quiz at the end of a face-to-face training session, video, DVD or CBT module
can gauge to some degree how much the participant has learned.
• It can also provide a record that the participant has successfully completed the course
for either regulatory, administrative or diligence purposes.
Available training materials (8)
• Effective security training should attempt to deliver a positive change in user
behaviour that will lead to a reduction in losses from security incidents and reduce risk,
but it is often difficult to properly quantify and measure how much value has been
gained by the organisation.
• However, compared with other control methods, awareness is a relatively low-cost
control and even a minor change in behaviour will far outweigh the costs of any
investment.
Sources of information for training material (1)
• As the approach and content of a training or awareness programme needs to be tailored
to the requirements of the enterprise, it is necessary to do a certain amount of research
in selecting appropriate material.
• Specialist training organisations can help to source information and also help to tailor
an approach, but there are many other sources of information, many of which are
online.
• Within the UK, the various government departments give advice to individuals and
organisations on how to protect their information, provide warnings of potential threats
and offer news about information security problems.
• Get Safe Online is a UK website that provides advice to individuals and smaller
businesses on protecting information.
Sources of information for training material (2)
• Much of the advice they provide for individuals can be adapted to help in awareness
campaigns.
• The European Network and Information Security Agency (ENISA) is an EU initiative
that has produced user guides on how to raise information security awareness.
• These are also available in French, German and Spanish.
• The Americans also have a non-regulatory federal agency, the National Institute of
Standards and Technology (NIST), which provides advice on security training.
• Information can be gained through industry conferences and seminars.
• These can be a useful source of information as the issues discussed tend to be current
and topical.
Sources of information for training material (3)
• They also provide an opportunity to network with industry peers who are generally
facing similar challenges.
• Some conferences are run by vendors and may be free to attend.
• Trade bodies are also able to provide industry-specific content.
• Industry-based magazines and publications often provide many useful articles and
features on a wide range of information security matters.
• There are numerous online newsgroups and bulletin boards that can provide relevant
information.
• Organisations such as the SANS Institute (Sysadmin, Audit, Network, Security) share
good security practice and provide a wealth of information, quite often at no cost.
Balance between physical, procedural and technical controls (1)
• Physical, procedural and technical controls can provide very effective security
mechanisms and do much to reduce the likelihood of incidents occurring.
• However, they each have their limitations and there are occasions where their use is
not appropriate.
• Possibly, their deployment would be far too complex or expensive given the perceived
value of the information and the associated risk.
• For example, a Rs. 1 million security application to protect a Rs. 10,000 information asset
does not make much financial sense.
• In other cases a physical or technical control may be so intrusive that the
users are prevented from efficiently carrying out their work.
Balance between physical, procedural and technical controls (2)
• In many cases there may be no reasonable physical or technical controls that can be
deployed to prevent a particular security breach from occurring or it may be that the
security controls in place can be circumvented by the user in some way.
• Users need to access information systems in order to carry out their tasks and this
inevitably introduces a level of risk to the information.
• They may need to share this data with colleagues or external suppliers and make value
judgements as to whether it should be released to them.
• Reducing this kind of risk is difficult to achieve through technical controls alone.
• Technical controls introduced by a document security system, for example, may well
provide a good level of security.
Balance between physical, procedural and technical controls (3)
• There will, however, always be exceptions and these need to be handled in a consistent
manner by having a policy and process in place.
• This might simply involve informing a senior colleague of the issue and the proposed
course of action to deal with it in the short term.
• Formal policies and procedures can be used to make users aware of their
responsibilities and the risks relating to the data to which they have access.
• The policies can empower individuals to make decisions as to whether others should
access this data.
• This can be an effective control measure but is obviously dependent upon users
complying with these policies and associated standards and procedures.
Balance between physical, procedural and technical controls (4)
• Occasionally, due to time pressures or perhaps because of expediency, policy rules may be
circumvented or ignored.
• Ignorance or failure to properly understand the policy will prevent compliance, and in these
instances users won’t understand the risks to their information assets and are very unlikely to
be fully aware of the threats to them.
• Policies and procedures rely on individuals knowing that the policy exists and understanding
what the policy expects of them as well as gaining their agreement to comply with it.
• So policy controls have limitations.
• There needs to be a sensible balance between using physical, procedural and technical
controls to manage the risks associated with information assets.
• All three elements should be used to complement one another in a layered approach to manage
risk to an acceptable level.
Class work
Last month an employee left some papers containing details of some clients on a bus.
Fortunately they were handed in to the bus company who were able to return them.
There was also an attempted break-in to the office a while ago, during which a small
amount of money was taken. This caused a lot of disruption, as the thieves threw
membership papers over the floor whilst they were looking for cash. The CEO is
concerned that the level of assurance training within his organisation is not high and
needs to be improved as a priority, especially with regard to the protection of members’
information.
1. What would you include in an initial awareness campaign and why?
2. What methods would you use to get your message across?

Thank You