Many issues in security come from a combination of a lack of care and
awareness. Even a lack of care can be seen as a consequence of a lack of
If we take the issue of the TDSS botnet mining Bitcoins, many users see this as little more than an inconvenience. They do have issues with lost system performance as their CPU usage climbs to 100%, but the theft through the botnet’s mining of the coins is seen as somebody else’s problem.
Fraud impacts us all.
It is not simply some nebulous company out there and a nameless victim; we all suffer when criminals prosper.
Organizations are becoming increasingly dependent on their information systems in order to function effectively. Therefore, the availability of their information systems, the integrity of their data and the confidentiality of corporate information are becoming critical. Even the loss of CPU cycles and bandwidth to a criminal group matters.
In most organizations, the education required and the need for good security controls and procedures have fallen way behind. Users of information systems often see security processes as punitive and unnecessary. Developers see controls as restrictive and counterproductive in their efforts to develop and introduce systems.
User awareness of security-related issues is becoming an essential component of an effective security program. In the nineteen seventies and eighties, centralized administration did not require as much training and communication for the end user community; security issues were mostly addressed by MIS and security personnel. From the nineties on, however, with the proliferation of client/server applications and decentralized data, it has become increasingly important that a good and effective security awareness program be part of an overall security implementation.
Security awareness training is required to emphasize the need for security and effective controls in the development and use of information systems. Users of these systems must be educated in the positive benefits of information security and the fact that security measures can actually save time and money by reducing the number of errors and accidents which form the bulk of threats to information systems. An additional benefit of security awareness training is the introduction of an 'ethos' of good practice, which will flow on into other areas of your organization. A greater understanding of information systems, how to use them and how to gain access to them will reduce the overhead on support services.
For any information security awareness and training program to be successful, detailed planning is essential. The planning of awareness and training programs must consider the whole life cycle from the beginning of the process to completion. The following seven steps, as developed in the NIST CSAT program, may serve as a starting point in the development of the program:
- The program's scope, goals, and objectives need to be identified;
- The program trainers need to be selected;
- Target audiences within the organization need to be selected;
- Motivational goals for all members of the organization are defined;
- The program is implemented;
- A routine of regular maintenance will keep the program up to date;
- Periodic evaluations need to be done on the program to maintain its relevance.
- Establishing the organizational culture (and the associated risk environment);
- Identifying the organization’s risks;
- Analysing the risks as identified;
- Assessing or evaluating the risks;
- Treating or managing the risks (using cost / benefit frameworks);
- Monitoring and reviewing the risks and the risk environment; and
- Continuously communicating and consulting with key parties.
- Awareness levels are inadequately raised during either induction activities or subsequent awareness sessions;
- Policies and procedures are not being updated;
- Information security training fails to provide staff with an adequate level of skills to handle the security needs of the organization;
- Awareness sessions are not adequately focused on the policies, procedures and standards of the organization;
- Senior management do not support the awareness and training regime adequately;
- Awareness or training activities are not maintained and kept current.
- Internal politics reduce the effectiveness of the program.
To achieve this it is necessary to:
- Determine the necessary competencies within the organization,
- Provide awareness sessions and training for staff,
- Evaluate the effectiveness of awareness and training sessions on a regular basis,
- Maintain sufficient training records on the experience, skills and qualifications of staff to enable the recognition and analysis of weaknesses within the organization.
Management needs to facilitate awareness, training and education strategies within their organization. Good awareness processes and management support will help in the overall security of an organization as:
- An organization’s personnel cannot be held responsible for their actions unless it can be demonstrated that they were aware of the policy prior to any enforcement attempts,
- Education helps mitigate corporate and personal liability and supports the avoidance of breaches of criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement,
- Awareness training raises the effectiveness of security protection and controls; it helps reduce fraud and abuse of the computing infrastructure and increases the return on investment of the organization’s spending on both information security as well as in computing infrastructure in general.
NIST Computer Security Awareness and Training (CSAT)
An Introduction to Computer Security: The NIST Handbook (NIST Special Publication 800-12)
This text has been taken, rewritten and modified from some other books and writings of my own.