Properly planned and executed staff education makes employees more responsible and reaps tangible business benefits. Paul Hansford reports.
The concept of a “security-aware culture” has been around for some time, and many organisations believe they have it. But often all they really do is inform, and issue edicts about security and company policy.
That's fine as far as it goes, but simply informing staff often fails to improve security behaviours. It addresses the procedural level and not the “Why?” or “What's In It For Me?” factors that challenge the underlying attitudes and beliefs preventing staff from taking on responsibility for security.
Those attitudes and beliefs are probably all too familiar: they include “Nothing to do with me, it's someone else's responsibility”, “It'll never happen here” and “It must be OK, because everybody else does it”. Simply telling staff they can't do this or that without justification doesn't get past those barriers.
To be effective, and demonstrate a real ROI, security awareness needs to do more than simply promote better knowledge. It needs to be planned as a campaign: to develop in staff a solid appreciation of, and motivation to support, the security issue. In short, real awareness is all about cultural change.
A security awareness campaign needs:
- Demonstrable support from senior management – active and continued endorsement is the key.
- A budget – creating security awareness is a long-haul job.
- Project management – plans, deliverables, checkpoints and measurements.
- Three broad delivery strategies – education for knowledge and understanding, training for skills, and integration to incorporate security into working practices.
Just as a good risk analysis is the basis of a sound security strategy, so a training needs analysis (TNA) delivers a statement of the awareness gap on which to base the education, training and integration strategies of your campaign.
Many awareness initiatives focus only on the knowledge gap, which can result in prescriptive training that fails to address the attitudes and beliefs that underpin a general failure to comply with security requirements.
The awareness gap can be defined by comparing what is needed to exist (external legal and other compliance requirements) and what is supposed to exist (corporate security policy) against what actually exists (incident reporting, observation and interviews). Investigations might include document inspection, staff questionnaires, focus groups and interviews.
The key factor here is identifying what is causing the security shortfall. Is it simply a lack of knowledge or understanding, or are staff failing to comply with security procedures because of an attitude or a deeper belief? This is where focus groups and interviews help. Take an almost psychoanalytic approach – what lies behind the words? Identifying attitudes and beliefs that need to be challenged will influence how the security messages are delivered.
The design and development of a campaign are quite separate. Design is about placing security awareness objectives and messages into a logical hierarchical structure. Development is about phrasing those messages appropriately and selecting the delivery method.
The design should start with objectives, based on your overall campaign goal and specific elements of the awareness gap defined in the TNA. Then, from each objective, a number of security messages may be defined which, when accepted by staff, will combine to meet the objective.
Once the objectives and messages are defined, they should be arranged in a logical order for delivery. This might be based on security priorities, or a cognitive approach that places messages that are most likely to be accepted first, then more contentious or complex messages that build on these.
Delivery strategies for education and training vary tremendously – from live training events, discussion groups and trade fairs, to e-learning packages and freebie awareness gimmicks.
Role-playing can be very effective. Rolf Moulton, interim president and CEO of (ISC)2 and former head of IT risk management at Unilever, says: “A contest can be a very effective means to ensure the full participation of practitioners, as well as stimulating senior management interest and buy-in, for information security programmes and practices”.
With colleague Robert Coles, he set up an attack-defend exercise for technical staff who managed system servers. The contest was designed to test the risks and security measures involved in such a scenario, and the staff were split into teams of defenders and attackers.
The exercise raised staff awareness of the security issues, provided an opportunity to improve their security skills, and even identified some risks previously not known, which could then be solved. A similar contest might be set up for non-technical general staff, based around, say, social engineering attacks.
Winn Schwartau is the author of many books and articles on information security and founded The Security Awareness Company, which specialises in awareness training in the US. Many of his training events centre around game-playing and three fundamental principles.
The first is that security awareness must be entertaining or people will simply turn off the message.
Second, security awareness must be made personal. Unless there is a direct impact on the individual's life – other than the threat of losing their job – your programme will fail. People care about themselves first and foremost. Use that to your advantage.
And finally, you must employ metrics. Unless you can measure it, you cannot manage it.
Integration is the strategy most often overlooked in an awareness campaign, yet it can be the cheapest and most effective. This is about integrating security into strategic and tactical working practices so they become core concerns. To achieve this, you need to work with the people in HR and even the legal department.
Many organisations develop or adopt skills or core competency sets, which are used to describe roles and provide benchmarks in staff appraisals. Specific security skills are sometimes included in these for technical support staff, but base-level security skills can be included for staff more generally. The simple phrase “…with due regard for security” in a job specification makes security an aspect of annual appraisal. But how many organisations do this?
Including security modules in other training courses helps to emphasise that security is an important part of business processes and is not a separate, bolt-on subject. If your organisation doesn't have a security forum, consider whether one can be established to pull in business heads across the organisation.
Many campaigns comprise a series of mandated workshops or similar events and, when they are over, nothing more is heard about security. Such strategies tend to fail because the audience was not prepared for the learning or supported to apply it afterwards. So however the message is delivered, the campaign should be planned in three parts.
First, prepare staff to accept the campaign by creating interest beforehand. By involving staff in the TNA, design and development stages you raise awareness of the campaign itself before it launches. Consider announcing the campaign and raising some security issues via corporate newsletters and other media, and setting up a page on the corporate intranet.
Next, roll out the principal awareness events, poster campaigns and so on. Initially, these events should comprise input from the awareness campaign and gradually change until, at the end, the target audience develops a level of autonomy in their learning. For example, after a training event, provide trainer training to enable staff themselves to cascade that event to others in their areas.
You could also run a focus group to discuss IT security, then hand over responsibility for the content, and then management of further meetings, to staff.
Finally, tail off. While the awareness campaign must have an end point, it should establish some facilities – such as focus groups, intranet website or chat groups – that will encourage staff to maintain their awareness.
Evaluation is needed throughout the campaign, to ensure it is effective and to react to any shortfalls or negative staff responses. Evaluation should take place during the awareness events themselves, to improve them the next time they run, at prescribed milestones, and at the end of the campaign itself.
The evaluation methods might be the same as those used in the TNA. Prior and post-testing using questionnaires can be used to assess knowledge levels, and focus groups and similar interactive events can be used to assess attitudes. Ironically, incident reporting might rise following a successful campaign, not because the level of incidents has actually risen, but because staff are more aware and well motivated to report incidents.
Give feedback to staff who attend the awareness events, reporting the general reaction to those events and any points that emerge. Of course, there should be a full report to the board sponsor, including an evaluation of the outcomes against the original objectives for the campaign.
In planning the campaign, include some time and budget to review awareness at an appropriate period after the formal campaign ends. Just like system security audits, agree the frequency of awareness audits and review exception criteria such as new compliance requirements, high staff turnover and changes in business processes that might indicate a need to review security awareness.