Awareness, awareness, awareness ... “stop eating dirt with dog sprinkles on it”

In the world of Info Sec we sometimes ask ourselves ‘why do people do such dumb things?’ Well, let me tell you: if they don’t know what is right, they don’t know it is wrong. For example, when I was about four my Dad had to smack dirt out of my hands before I ate it and say ‘don’t eat that, yuk! Look at what that dog is doing on it over there’. That was a good lesson for me.

Now please don’t get all hippy on me about “eating germs is good for the immune system”, whatever! My point is, I had to learn and/or experience that just because it’s brown doesn’t mean it’s chocolate. I have not researched this, but I am pretty sure some kid out there has got sick eating dirt with dog sprinkles on it … anyway, back to the point.

If people in your business aren’t aware of or trained in Information Security specifically related to their role, well… you can be sure that they are eating dirt daily and it’s only a matter of time before your business is dealing with an incident.

Any Information Security management function must have a robust Awareness and Training program. Personally, I think a well-defined and implemented program is the cheapest, most effective control to minimise risk and improve the maturity of Information Security.

There are a lot of different approaches to what will work best within any given business; however, what I am attempting to do with this article is give readers a foundation for a simple Information Security Awareness and Training program.

Note: My definition of awareness and training is as follows:

  • Awareness

    The purpose of awareness is simply to focus attention on general or specific Information Security topics. Awareness presentations or any other associated material are intended to help staff become familiar with Information Security topics and respond accordingly when presented with certain situations.

  • Training

    The purpose of training is to develop a specific Information Security competency to minimise risk and protect information related to a role or function.

    The significant difference between training and awareness is that awareness seeks to focus an individual's attention on an issue or set of issues, while training seeks to teach skills, practically apply knowledge and perform a specific function in a predictable and security-aware manner.

The Program Structure

The program is comprised of three main elements:

  • An initial awareness campaign;
  • An ongoing awareness campaign, and;
  • A training schedule.

Note: For the awareness and training program to remain effective, I recommend applying the tried and tested continual improvement approach used in ISO27001 i.e. the Plan, Do, Check, Act (PDCA) Model. This will ensure the activities are continuously improved.

  • Initial Awareness Campaign

    The first stage of the program will be to kick off with an initial campaign and set a baseline of knowledge. As part of the initial campaign you will need to gather stakeholder requirements and objectives then develop a general Information Security awareness session that will be applicable to all staff.

    This campaign should be measured by collecting various metrics from the participants and stakeholders. Any lessons learnt, gaps or deficiencies should be analysed, and if required serve as an input to the ongoing campaign and/or training schedule.

  • Ongoing Awareness Campaign

    The ongoing campaign will continually clarify and refine stakeholder requirements and objectives regarding Information Security. Key audience groups should be identified and key messages should be defined for each of them. Tip: use the information in your risk register, e.g. information assets and inherent risk profiles, so that there is a direct correlation between key messages and information risk. Get creative with the delivery methods and tailor your approach to ensure the best possible delivery of the key messages, e.g. awareness sessions, email reminders, posters, questionnaires, computer-based training, etc.

  • Training Schedule

    The training schedule runs in parallel with, and supports, the ongoing campaign. It should be developed on an as-needs basis depending on the requirement or situation.

    Some examples of relevant training that might be identified to mitigate a specific risk:

  1. An IT security session (delivered by an Information Security Specialist) for system administrators, which would address in detail the operational and technical controls that must be followed to implement and manage infrastructure.
  2. A ‘how to’ session on access management requirements (delivered by a Team Leader) for an operational team responsible for provisioning and management of access to a critical system.
  3. A ‘how to’ session (delivered by a Legal representative) with contract managers on identifying relevant security requirements and constructing clauses for master services agreements, and what to do to enforce them.
  4. A ‘how to’ session (delivered by a Bank representative) with HR staff who process payroll files through a custom portal, i.e. how to use the application, what to be aware of, etc.

  • Continual Improvement of Ongoing Awareness Campaign and Training Schedule

    As mentioned above, the Ongoing Awareness Campaign and Training Schedule will be continually improved through the application of the Plan, Do, Check, Act (PDCA) Model.

  1. Plan — Establish the Ongoing Campaign and Training Schedule, objectives, materials and timelines relevant to managing risk and improving Information Security.
  2. Do — Implement the Ongoing Campaign and Training Schedule.
  3. Check — Assess and, where applicable, measure the performance of the Ongoing Campaign and Training activities against stakeholder objectives, staff experience and report the results to management for review.
  4. Act — Take corrective and preventive actions, based on the results of the surveys, incidents, internal audits, etc., to continually improve the Ongoing Campaign and Training Schedule.

I hope this has given you some food for thought and/or enough information to help you to start building a program and raising awareness about security and how to avoid eating dirt with dog sprinkles on it.

Good luck.

Stories by Mark Jones