
Making information security awareness and training more effective

Mark Thomson

Port Elizabeth Technikon, South Africa

Key words: Information security, awareness, education, training

Abstract:

This paper examines the importance of information security awareness programs in modern organisations. An expanded program is suggested to cater for more employee groupings in the organisation. Techniques that could make the presentation of the program more effective are explained, and the envisaged program is then presented.

1. INTRODUCTION

The proliferation of the use of computers in industry has brought about the problem of securing information stored on these computers. This problem has received a great deal of attention in recent years and has resulted in a large number of products and techniques which, when implemented, can help to negate this threat. While many of these products or techniques are of a very high quality and can be of great value to the company if implemented correctly, the human side of the equation is often neglected or even ignored. All users of information, and parties responsible for the well-being of information, must first be made aware of the value and importance of information as well as the security procedures that they are supposed to be following as part of their daily jobs. If they are not educated and trained, and made aware of security issues, on a regular basis, then it would be very easy to circumvent any security precautions that are in place. (Violino, 1996, p38)

2. WHO SHOULD BE TARGETED BY THE AWARENESS PROGRAM?

Historically, security awareness and training programs have been aimed almost exclusively at the end-user population. The increasingly widespread use of, and dependence of organisations on, computers, means that this can no longer be the case.

In order to make the awareness program more effective, the following employee groupings need to be addressed:

– Top management,
– IT personnel, and
– End-users.

These are three diverse groupings and therefore each requires a very different type of program aimed specifically at each group.

The following section briefly highlights the aims of each program as well as some of the types of information that will be covered.

2.1 Top Management

Top management need to provide the lead and impetus for the awareness program. They must believe in the need for information security in order to provide the necessary backing needed to make the program a success. It therefore follows that this part of the program will be aimed at convincing top management that information security is crucial to the daily operations and long-term viability of the organisation. The following are the topics that will be covered in this phase of the program:

– Terminology and definitions
– Current integration of IT in the organisation
– Potential future use of IT in the organisation
– Business Continuity
– Accreditation
– Legal issues
– Ratification of the information security policy

As can be seen from the above, this part of the awareness program is concluded with top management’s review and endorsement of the information security policy.


2.2 IT personnel

IT personnel are responsible for the identification, implementation, and management of controls which will ensure that the information security policy is adhered to. It therefore follows that this part of the program will be at a lower level and be more technical in nature. Some of the topics that will be covered are:

– Assignment of responsibilities
– Integration in the system life cycle for software development
– Selection of risk analysis strategies
– Making security recommendations
– Implementation of safeguards
– Follow-up

2.3 End-users

All end-users need information about the information security policy and controls so that they can carry out the laid-down procedures which are designed to maintain information security. The type of information that would need to be covered in this part of the program would be: (PC security guidelines, 1995)

– Terminology and definitions
– Introduction to the information security policy
– Possible threats
– Current computer usage in the organisation
– Possible future expansion
– Passwords
– Viruses
– Backing-up of data
– Environment
– Ethics

The preceding sections have highlighted WHAT needs to be covered in the awareness program. The question of HOW this information is presented is of more importance since it has a direct effect on the success of the program. The rest of this paper will attempt to show some of the techniques that could be used and also why they could be useful.

3. EFFECTIVE PRESENTATION TECHNIQUES

The most important part of the program when dealing with presentation techniques is the end-user program. This is because the end-user is the person carrying out the day-to-day tasks which could have a severe impact on information security if not carried out correctly. The end-user awareness program must therefore be geared at changing the attendees’ behaviour so that it is more “security friendly”. Changing a person’s behaviour implies that they must not have to consciously make an effort to do the correct thing; it should be second nature, an automatic response.

The realisation that behaviour modification was the ultimate aim of the end-user program resulted in a natural progression towards the social psychology discipline, where a great deal of research has been conducted into behaviour modification. This research played a major role in defining the structure of the end-user program. The following sections highlight some of the principles that have been implemented.

3.1 Length of education sessions

Course attendees find it difficult to pay attention fully for long periods of time. It therefore follows that the sessions must be kept short (1 hour maximum). This immediately implies that the program will have to be divided into a number of shorter sub-programs. The programs are as follows:

– Introductory session: The aim of this session is to provide the necessary background information that will ensure the attendees understand why they need to attend these sessions, as well as providing the motivation to attend the following sessions. The aspects that will be covered are the following:

a) Terminology and definitions
b) A brief introduction to the information security policy
c) Possible threats to the organisation should information security be compromised
d) Current computer usage in the organisation
e) Possible future expansion

– Passwords: This session will cover all aspects relating to passwords. It will include why passwords are necessary, how to choose a good password, and how to maintain your password.

– Viruses: Anything to do with computer viruses is covered here. This includes knowing how to recognise if your machine is infected with a virus, what to do if your machine does become infected, and how to ensure that a virus cannot spread to your machine.


– Backing up of data: Everything to do with backing up of data will be covered here. This will include why it is necessary to make back-ups, how to make back-ups, where to store back-up media, and how to restore previously backed-up data.

– Environment: This session covers anything related to the work environment that could have a negative impact on information security. Some examples of this could be to position the computer screen in such a way that it cannot be read by someone else entering the office, always signing off when leaving the office, and only letting support personnel take care of repairing the computer.

– Ethics: This session will deal with appropriate, as well as inappropriate, uses of the computer within the organisation.

Having short concise education sessions also makes it possible to add any new sessions to cover new threats that may arise.

3.2 Factors that can be applied during each session

As mentioned earlier, social psychology has provided a large amount of research in the area of behaviour modification. The following section highlights some of these factors, and also shows how they could be applied in an awareness program.

3.2.1 Instrumental learning

This refers to desired actions being rewarded with something good. If the attendees carry out the required actions specified in a previous education session, then they are rewarded with a small “token” as reward for their actions. These tokens must be small and be of little financial value. If they are too valuable, then the attendee could justify that this was the reason for carrying out the specified tasks. If, however, the reward is small, then this reasoning cannot apply, and the attendee has to attribute his actions to some other reason. The other reason has to be a change in his attitude, and a change in attitude would result in a permanent change in behaviour. (Haber & Runyon, 1986, p73)

This would be applied in the awareness program by having the attendees evaluated after each session, preferably without their knowledge. This could be done by the presenter or by their fellow employees. Those who were showing the desired behaviour would be rewarded with one of these “tokens” at the start of the next session. The types of rewards envisaged include the following:

– Reminder stickers,
– Mouse pad,
– Mug,
– Mascot, etc.

Each would contain a pertinent security message.

3.2.2 Social learning

This refers to the observation of someone else and how they are rewarded for the correct behaviour. This is achieved by instrumental learning of the previous section, since attendees are rewarded, and others can see this, and many will modify their own behaviour correspondingly. (Zimbardo & Leippe, 1991, p45)

3.2.3 Conformity

There will be groups of employees attending the awareness sessions, and group pressure can play a role in changing difficult individuals’ attitudes and behaviour. If a person has no support for their point of view from the rest of the group, then they are likely to change their ideas to match those of the group. (Greenberg & Baron, 1993, p559)

This is applied in the awareness program by separating these difficult people, when they are encountered, into groups where the rest of the attendees do not support them, i.e. they are isolated.

3.2.4 Reciprocity

This refers to the returning of a favour, whether it is real or perceived. If a person feels that someone has done them a favour, then they would be more likely to carry out a request from that person. (Greenberg & Baron, 1993, p362)

A way that this could be implemented in an awareness program would be to set a number of tasks for the attendees to carry out, and then, at the end of the session, reduce the number of tasks. The attendees would feel that the presenter had done them a favour, and be more likely to carry out the remaining tasks.

3.2.5 Commitment

A rule of society is that a person must stand by a promise, or commitment. By making attendees give a firm commitment to carry out the tasks specified, the likelihood is far greater that they will in fact do so. This commitment can be verbal, although a written commitment would be preferable. (Zimbardo & Leippe, 1991, p80)

3.2.6 Self persuasion (role-playing)

The whole aim of the awareness program for end-users is to change the user’s behaviour by persuading them of the importance of information security. Forcing a person into a role-playing exercise where they are required to play a role that is in support of information security will often be more effective than the presenter trying to persuade them. Research has shown that people know themselves better than anyone else, and will always come up with a better argument to convince themselves that the behaviour they are exhibiting is correct. (Zimbardo & Leippe, 1991, p102)

3.2.7 The importance of the presenter

The importance of the person who presents the awareness program cannot be underestimated. In order to make a success of the program, there are some crucial factors the presenter needs to ensure are present, namely:

– Knowledge: He/she must have a detailed knowledge of the subject matter. The attendees’ acceptance and adoption of the information being presented is strongly influenced by their belief that the presenter is an expert in the field.

– Preparation: Sessions must be well prepared so that they can stand up to the scrutiny of the attendees. Various media and techniques should be used to try and minimise the chances of attendees becoming bored. If at all possible, the presenter should try and get to know the group of attendees and personalise the presentation in such a way that it refers to their hobbies, interests, work environment, etc.

– Presentation: This refers specifically to the grooming of the presenter. There are unfortunately people who attend courses and use very superficial, or heuristic, reasons for adopting the course content. The types of reasons that they would use are:
– Do they think the presenter is an expert
– Do they like the presenter as a person
– Do they like the way the presenter dresses, etc.

This shows that by merely being well groomed, and presentable, the presenter can convert some people to his beliefs.


– Humour: Humour can be used to get a point across more effectively, to make the attendees more relaxed, and to therefore help ensure their constructive participation in the session.

– Techniques: These are techniques that can be employed by the presenter during a session, which could make it more effective. The following are examples:

a) A written summary of complex parts of the session, so that attendees can refer back to them at their leisure, or whenever necessary.
b) Repetition of important parts of the presentation, to help improve retention by the attendees.
c) Systematic analysis of complex arguments.

– Additional aids: There are a number of additional aids that could also be employed to make the program more effective and to maintain information security uppermost in the minds of the attendees, even when they are not in the education session. These could include the following:

d) Posters
e) Pamphlets and brochures
f) Internal magazines/newsletters
g) Security newsletters
h) Alert memos
i) Electronic bulletin boards
j) Videos
k) Screen savers
l) Login scripts

4. OVERALL STRUCTURE OF THE AWARENESS PROGRAMS

The previous sections have dealt with the detail of what is contained in each session and some of the factors that the presenter needs to keep in mind. This section will aim to give an overview of when each of these programs will run and how they affect each other.

4.1 Top management

This program will be run once. Its objective is to ensure that top management understand the importance of information security and also endorse the information security policy. It would also benefit the IT personnel if they could attend this course, since they would then have a broader understanding of the scope of information security. Since this program will only be run once, and the objective is not to change behaviour, some of the techniques and psychological principles mentioned earlier would not apply here. It is envisaged that this would be a straightforward lecture-type presentation.

4.2 IT personnel

This program will also be run once. All relevant IT personnel will have to attend, and it will be a straightforward lecture-type presentation, for the same reasons given above.

4.3 End-users

This is the program where the most changes need to be implemented. There are a number of awareness sessions that will be run, as specified earlier in this document. The cycle that will be followed for these end-user programs can be represented as follows:

– Comprehensive first session
– Shorter follow-up session
– Consolidation
– Evaluation
– Reward
– Go back to next follow-up session

The phases that follow after the comprehensive first session will be repeated in the form of a life cycle until all the end-user sessions have been completed.

5. SUMMARY

This paper has shown that there is a definite need for security awareness programs in the workplace. They do, however, need to be properly implemented to ensure that they are as effective a tool as they should be. This means that the correct employee groupings need to be addressed, i.e. top management need to understand the importance of information security since the necessary resources need to be made available; IT personnel need to understand the threats so that adequate controls can be built into the systems; and the end-user population also need to understand the importance of information security, and their day-to-day behaviour must be information security friendly.

The end-user program, since it is aimed at changing the attendees’ behaviour, is very suitable to the adoption of techniques refined after many years of research in the social psychology discipline. If the presenter is made aware of these techniques, the chances are that the awareness program will become far more effective.

In summary, to make an awareness program more effective, ensure that the correct information is being addressed to the correct audience, and make use of techniques that will ensure that the attendees adopt the guidelines presented so that they become second nature in their day-to-day operations.

BIBLIOGRAPHY

Greenberg, J. & Baron, R.A. (1993). Behaviour in organisations. Allyn and Bacon.

Haber, A. & Runyon, R.P. (1986). Fundamentals of psychology (4th ed.). Random House, New York.

PC Security Guidelines. (1995). [On-line]. University of Toronto. Available from Internet: URL http:/www.utoronto.ca/security/pcsec.htm#PC Security.

Violino, B. (1996, March 18). Stop, Thief! Information Week (n571), pp. 36-38.

Zimbardo, P.G. & Leippe, M.R. (1991). The psychology of attitude change and social influence. McGraw-Hill.
