Saturday, 17 September 2011

Security Awareness and Training

Many issues in security come from a combination of a lack of care and awareness. Even a lack of care can be seen as a consequence of a lack of awareness.

If we take the issue of the TDSS botnet mining Bitcoins, many users see this as little more than an inconvenience. They do have issues with lost system performance as their CPU usage climbs to 100%, but the theft through the botnet’s mining of the coins is seen as somebody else’s problem.

Fraud impacts us all.
It is not simply some nebulous company out there and a nameless victim; we all suffer when criminals prosper.

Organizations are becoming increasingly dependent on their information systems in order to function effectively. Therefore, the availability of their information systems, the integrity of their data and the confidentiality of corporate information are becoming critical. Even the loss of CPU cycles and bandwidth to a criminal group matters.

In most organizations, the education required and the need for good security controls and procedures have fallen way behind. Users of information systems often see security processes as punitive and unnecessary. Developers see controls as restrictive and counterproductive in their efforts to develop and introduce systems.

User awareness of security-related issues is becoming an essential component of an effective security program. In the nineteen seventies and eighties, centralized administration did not require as much training and communication for the end user community. Security issues were mostly addressed by MIS and security personnel. From the nineties on, however, with the proliferation of client/server applications and decentralized data, it has become increasingly important that a good and effective security awareness program be part of an overall security implementation.

Security awareness training is required to emphasize the need for security and effective controls in the development and use of information systems. Users of these systems must be educated in the positive benefits of information security and the fact that security measures can actually save time and money by reducing the number of errors and accidents which form the bulk of threats to information systems. An additional benefit of security awareness training is the introduction of an 'ethos' of good practice, which will flow on into other areas of your organization. A greater understanding of information systems, how to use them and how to gain access to them will reduce the overhead on support services.

For any information security awareness and training program to be successful, detailed planning is essential. The planning of awareness and training programs must consider the whole life cycle from the beginning of the process to completion. The following seven steps, as developed in the NIST CSAT[1] program, may serve as a starting point in the development of the program:

  1. The program's scope, goals and objectives need to be identified;
  2. The program trainers need to be selected;
  3. Target audiences within the organization need to be selected;
  4. Motivational goals for all members of the organization are defined;
  5. The program is implemented;
  6. A routine of regular maintenance will keep the program up to date; and
  7. Periodic evaluations need to be done on the program to maintain its relevance.

The process requires the completion of the following tasks:
  1. Establishing the organizational culture (and the associated risk environment);
  2. Identifying the organization’s risks;
  3. Analysing the risks as identified;
  4. Assessing or evaluating the risks;
  5. Treating or managing the risks (using cost / benefit frameworks);
  6. Monitoring and reviewing the risks and the risk environment; and
  7. Continuously communicating and consulting with key parties.

The key risks associated with the training and awareness process include:
  1. Awareness levels are inadequately raised during either induction activities or subsequent awareness sessions;
  2. Policies and procedures are not being updated;
  3. Information security training fails to provide staff with an adequate level of skills to handle the security needs of the organization;
  4. Awareness sessions are not adequately focused on the policies, procedures and standards of the organization;
  5. Senior management do not support the awareness and training regime adequately;
  6. Awareness or training activities are not maintained and kept current; and
  7. Internal politics reduce the effectiveness of the program.

Failure to mitigate the risk associated with poor awareness and training techniques increases the likelihood of, and exposure to, other risks within the organization. It is difficult to enforce controls on systems when staff are either unaware of the requirements or inadequately trained in securing those systems. It is important to remember that the success of the organization’s information security strategy requires all personnel to have sufficient knowledge of the awareness requirements of the organization and that key personnel maintain key competencies in their areas of the ISMS.

To achieve this it is necessary to:
  1. Determine the necessary competencies within the organization,
  2. Provide awareness sessions and training for staff,
  3. Evaluate the effectiveness of awareness and training sessions on a regular basis,
  4. Maintain sufficient training records on the experience, skills and qualifications of staff to enable the recognition and analysis of weaknesses within the organization.

Awareness Programmes need to be implemented to be effective

Management needs to facilitate awareness, training and education strategies within their organization. Good awareness processes and management support will help in the overall security of an organization as:
  1. An organization’s personnel cannot be held responsible for their actions unless it can be demonstrated that they were aware of the policy prior to any enforcement attempts,
  2. Education helps mitigate corporate and personal liability and helps avoid breaches of criminal and civil law, statutory, regulatory or contractual obligations, and any other security requirement,
  3. Awareness training raises the effectiveness of security protection and controls; it helps reduce fraud and abuse of the computing infrastructure and increases the return on investment of the organization’s spending on both information security as well as in computing infrastructure in general.

In most organizations, the level of education required, as well as the need for good security controls and procedures, have fallen well behind the requirements. An initial security awareness workshop developed at management level for the security personnel and the security governance team is a good initial phase with which to identify business requirements and the key security threats and perils that must be addressed, and to develop a management plan to meet these new challenges.


[1] NIST Computer Security Awareness and Training (CSAT)
An Introduction to Computer Security: The NIST Handbook (Special Publication 800-12)
This text has been taken, rewritten and modified from some other books and writings of my own.
