Security and your Staff - PowerPoint PPT Presentation
1
Security and your Staff
Information Assurance Training: An Essential Part of an Effective Security Strategy
March 22, 2005
Pamela Halpern, Easy i, Inc.
2
"Common sense is not so common." -- Voltaire (1694-1778)
3
The Human Element of Information Security Training
A survey of office workers at Liverpool Street Station found that 71% were willing to part with their password for a chocolate bar.
-- Infosecurity Europe 2004
"This survey proves people are still not as aware as they could be about information security; this often comes down to poor training and procedures. Employers should make sure that their employees are aware of information security policies and that they are kept up-to-date."
-- Claire Sellick, Event Director for Infosecurity Europe 2004
"The best security awareness will provide the right messages to the right people at the right time, provide the tools to all to practice what has been learned and provide a mechanism to measure progress."
-- Gary Sheehan, Information Security Project Leader
4
This Session
  • The Key Challenges to getting employee buy-in
  • Getting Started: Some Common Misconceptions
  • Issues to Consider
  • Key Principles for Making IS training truly effective

5
The Key Challenges
  • Systems alone are not enough
  • Overcoming complacency
  • Different target audiences
  • Delivering the program
  • Ongoing program
  • Cost-effective
  • Measuring the results
  • Demonstrating compliance

6
Developing training solutions - A double challenge
  • Meeting the needs of
  • The General Audience
  • Management

7
Bringing about meaningful behavioral change: from information to understanding

Enterprise Security Cycle
  • Awareness (I know it exists)
    • what is it?
    • why is it important?
    • how does it apply to me?
  • Understanding (I know what it is)
  • Value (I know why it is worthwhile)
  • Ownership (I like it)
  • Commitment (I'll do it)
  • Communication (I'll promote it)
  • Development (I'll help enhance it)
8
How do you get started?
9
These are the no-nos!
Common misconceptions about IS training
  • Just publishing IS policies and procedures is NOT the solution
  • The IS Officer should NOT be responsible for ALL of the planning, development and implementation of an awareness program
  • Annual or one-off training will NOT work

10
Strategic planning
  • Who gets the training and how many?
  • What training they get
  • Where the training takes place
  • When the training takes place
  • How the training is delivered
  • Over the short, medium and long term
  • Aligned with corporate goals and objectives
  • Clear business case for all elements

11
Training Needs Analysis (TNA) and Scoping
12
TNA - Key factors to be considered
Critical factors for success
  • Needs of technical vs. non-technical audience
    groups
  • Generic, customized or created from scratch
    content
  • Appropriate media and delivery channels
  • Cultural factors
  • Languages
  • Time scales
  • Support requirements

13
Critical factors for success
  • TNA - Learning Technologies Audit
  • Current infrastructures
  • Desktop / bandwidth issues
  • Existing Learning Management System (LMS)?
  • Learning standards? (AICC/SCORM)
  • Section 508 compliance?
  • SCORM: Shareable Content Object Reference Model
  • AICC: Aviation Industry CBT Committee

14
Creating the Team
15
Planning and Implementation Process
Needs Analysis -> Planning -> Design -> Development -> Implementation -> Evaluation
16
Critical factors for success
  • Project planning
  • Develop an overall communications plan
  • e-learning is just one component
  • Communicate with and gain buy-in from senior
    management
  • Plan beyond initial training
  • Include technology and integration requirements
  • Clearly defined roles and responsibilities
  • Agreed realistic timescales and clear milestones
  • Regular reporting and reviews

17
Developing the right solution
18
What is best?
This depends on you!
What objectives have you set?
What is the size of your organization?
What resources do you have?
What budget do you have?
Can you get management buy-in?
A marketing campaign
19
An Awareness Campaign
  • Core training
  • Refresher training/awareness
  • Ongoing awareness/Internal Marketing

21
Refresher Training
Posters
22
Refresher Training
Newsletters
Interactive emails
Awareness materials
23
Newsletters: vary the format of the message
24
Ongoing Awareness
Information Security Portal: What should this mean in practice?
A system for gathering, organizing and communicating information and knowledge that is:
  • User-friendly
  • Intuitive
  • Flexible

Web Portals
25
Feedback and Measurement is Crucial
26
Feedback and Measurement
Feedback and measurement are ESSENTIAL!
Delivering awareness solutions via the intranet presents many options. These generally fit into two key categories:
  1. Audit/tracking system
  2. Learning Management System
27
Feedback and Measurement
  • 1. Audit/tracking system
  • built into the main training program
  • provides information on the progress and
    performance of each user
  • may allow you to export information into other
    applications
  • generally provided free with the program
    purchased

28
Feedback and Measurement
  • 2. Learning Management System
  • provides the infrastructure needed to track,
    record, schedule and deliver corporate wide
    learning
  • many different kinds of LMS offering different
    types of functionality
  • allows you to manage the variety of training
    programs/resources available from one central
    point including, online learning, classroom
    training, registration, instructor availability
    etc
  • can be very expensive! (may be included with courseware if it's from the same provider)

29
Feedback and Measurement
  • How do you choose what's right for your campaign?
  • Assess how feedback and measurement is currently undertaken for training in other business units; perhaps an LMS is already in place?
  • What requirements do you and your organization
    have now and in the future?
  • Size of organization
  • Budget
  • AICC/SCORM Compliant

30
Learning Management System
The medieval rule of parsimony, or principle of
economy, frequently used by Occam came to be
known as Occam's Razor. The rule states that
plurality should not be assumed without necessity
or, in modern English, keep it simple, stupid.
31
Nine Key Principles for effective IS training
32
Principle 1
  • Clarity of Ownership with Executive Buy-In
  • Clear and unequivocal ownership
  • Accommodates goals of all business lines
  • Avoids gaps between words and actions

33
Principle 2
  • Integrated Compliance
  • It's hard to do compliance of any kind department by department
  • An integrated approach yields consistent, cost
    effective and comprehensive results

34
Principle 3
  • Less is always more
  • It's about understanding, not just information
  • We can't all be experts
  • Reference materials can be made available, as
    needed
  • Retention AND commitment plummet after 60 minutes

35
Principle 4
  • Value vs. Cost
  • Costs relate to scale
  • The real measure is the effectiveness of the
    outcome, not the cost per head
  • Security breaches are much more expensive!

36
Principle 5
  • The Right Combination of Spirit and Structure
  • Keep it light, humorous
  • But also reinforce personal responsibility and
    the corporate commitment to getting it right

37
Principle 6
  • Relevant Context Setting
  • Relevant, appropriate, realistic
  • Actual examples from archives or recent
    situations are best
  • The goal is understanding how it fits into their
    daily routines

38
Principle 7
  • Consistency
  • Messages should be consistent
  • Training and awareness should be delivered so that it fits within the organization's culture

39
Principle 8
  • Technology Should Enable
  • And no more!
  • Be careful of adding too many bells and whistles
  • It's better to avoid the possibility of technical glitches
  • The content is the key

40
Principle 9
  • Project Management
  • It's the key ingredient
  • Get everyone on board with the plan
  • Allow time for testing, feedback and fine-tuning

41
Information Security Assurance
Getting the message through
42
Questions?
Pamela Halpern, Easy i
pamela.halpern_at_easyi.com
310 414-0731
www.easyi.com
43