Tuesday, 3 July 2012

Security Awareness

What is needed to ensure the success of a security awareness program.

This process, as defined in the NIST [1] documentation, consists of the following stages:
1. Developing an IT policy that reflects business needs tempered by known risks;
2. Informing users of their key security responsibilities, as documented in the security policy and procedures; and
3. Establishing processes for monitoring and reviewing the program.

It is crucial that the senior management and executives of an organization lead by example.

All users within the organization must be aware of the need for security and of their responsibilities in order for any security program to be successful.

It is crucial to understand that awareness is not training or education. Rather, awareness is the first stage in developing a culture of security within the organization. Security awareness allows people to understand their role within the organization from an information security perspective. Awareness helps people realize the need for further training and education.

In planning the development of awareness, training and education programs it is essential to first understand that each of these is a separate stage, with each building upon the one before it. Initially, security awareness sessions help users improve their behavior from an information security perspective. Awareness sessions allow users to become knowledgeable about their responsibilities as they are taught correct practice within the organization. Development of awareness across all users helps improve accountability, one of the key tenets of creating a secure environment.

It is important that employees are trained to understand their roles and responsibilities from an information security perspective in order to show that a standard of due care in protecting the organization’s information security assets has been implemented.

No staff member may be expected to conform to the organization’s policies, standards and procedures until they have been informed adequately. Until then, these users pose a risk to the security of the information assets belonging to the organization. A security awareness program helps users understand their responsibilities and allows them to address the need for security within their role.

Awareness starts as the first stage of an information security awareness, training, and education program. It by no means ends at this stage. Awareness is a continuing process that should be used to reinforce the training and education stages of the program.

Awareness is a continuing process to alter the user’s behavior and attitudes.

[1] NIST (National Institute of Standards and Technology) Special Publication 800-50


NoticeBored said...

Simply informing employees about their security obligations is not enough, for most people anyway. Naturally compliant people may just do what's expected of them, but most of us need to be persuaded and motivated and even reminded from time to time, which goes beyond merely providing information.

[Some may say that the threat of enforcement is a motivator, which is true, but that's not exactly what I have in mind! Penalties for noncompliance are needed to deal with the worst recalcitrants, but for the rest there are better ways.]

Consider how we learn to drive: we don't just read an instruction manual and go for the test. There's much more to it than that. Same with security awareness.

Kind regards,
Gary Hinson

Craig Wright said...

I completely agree.

However, if staff are not made aware of what the policy is, then there is no means to enforce it. You cannot simply say "this is policy, do it"; you also need to make sure that it is applied.

NoticeBored said...

I guess we are violently agreeing Craig!

Informing people about policies is necessary ... but not sufficient.

Justferexample, the way policies are written affects how well they are understood. I can almost hear the whooshing noise as policies written in that horribly stilted, excessively formalized 'legalese' style go whizzing past most employees, making next to no impression whatsoever.

Craig Wright said...

Yes, policy needs to be simple to understand, straightforward and to the point. Too complex and it fails. Too specific and it is outdated too soon.

Peter Thomos said...

This is an excellent post which I have seen and it helped me a lot. Thanks for sharing it!!
it security awareness course
