Awareness, awareness, awareness ... “stop eating dirt with dog sprinkles on it”

In the world of Info Sec we sometimes ask ourselves ‘why do people do such dumb things?’ Well, let me tell you: if they don’t know what is right, they don’t know it is wrong.

Mark Jones (CSO Online), 13 October 2011, 10:52

In the world of Info Sec we sometimes ask ourselves ‘why do people do such dumb things?’ Well, let me tell you: if they don’t know what is right, they don’t know it is wrong. For example, when I was about four my Dad had to smack dirt out of my hands before I ate it and say ‘don’t eat that, yuk! Look at what that dog is doing on it over there’. That was a good lesson for me.

Now please don’t get all hippie on me about ‘eating germs is good for the immune system’. Whatever! My point is, I had to learn and/or experience that just because it’s brown doesn’t mean it’s chocolate. I have not researched this, but I am pretty sure some kid out there has got sick eating dirt with dog sprinkles on it... anyway, back to the point.

If people in your business aren’t aware of or trained in Information Security as it relates to their role, you can be sure they are eating dirt daily, and it’s only a matter of time before your business is dealing with an incident.

Any Information Security management function must have a robust Awareness and Training program. Personally, I think a well-defined and well-implemented program is the cheapest, most effective control for minimising risk and improving the maturity of Information Security.

There are many different approaches, and what works best varies from business to business; what I am attempting to do with this article is give readers a foundation for a simple Information Security Awareness and Training program.

Note: My definition of awareness and training is as follows:

  • Awareness

    The purpose of awareness is simply to focus attention on general or specific Information Security topics. Awareness presentations or any other associated material are intended to help staff become familiar with Information Security topics and respond accordingly when presented with certain situations.

  • Training

    The purpose of training is to develop a specific Information Security competency to minimise risk and protect information related to a role or function.

    The significant difference between training and awareness is that awareness seeks to focus an individual’s attention on an issue or set of issues, while training seeks to teach skills, apply knowledge practically and perform a specific function in a predictable, security-aware manner.

The Program Structure

The program is comprised of three main elements:

  • An initial awareness campaign;
  • An ongoing awareness campaign, and;
  • A training schedule.

Note: For the awareness and training program to remain effective, I recommend applying the tried and tested continual improvement approach used in ISO 27001, i.e. the Plan, Do, Check, Act (PDCA) model. This will ensure the activities are continually improved.

  • Initial Awareness Campaign

    The first stage of the program is an initial campaign that sets a baseline of knowledge. As part of it you will need to gather stakeholder requirements and objectives, then develop a general Information Security awareness session applicable to all staff.

    This campaign should be measured by collecting metrics from participants and stakeholders. Any lessons learnt, gaps or deficiencies should be analysed and, if required, serve as input to the ongoing campaign and/or training schedule.

  • Ongoing Awareness Campaign

    The ongoing campaign will continually clarify and refine stakeholder requirements and objectives regarding Information Security. Key audience groups should be identified and key messages defined for each of them. Tip: use the information in your risk register, e.g. information assets and inherent risk profiles, so that there is a direct correlation between key messages and information risk. Get creative with the delivery methods and tailor your approach so the key messages actually land, e.g. awareness sessions, email reminders, posters, questionnaires, computer-based training, etc.

  • Training Schedule

    The training schedule runs in parallel with and supports the ongoing campaign. It should be developed on an as-needed basis depending on the requirement or situation. Some examples of relevant training that might be identified to mitigate a specific risk:

  1. An IT security session (delivered by an Information Security Specialist) for system administrators, addressing in detail the operational and technical controls that must be followed to implement and manage infrastructure.
  2. A ‘how to’ session on access management requirements (delivered by a Team Leader) for an operational team responsible for provisioning and managing access to a critical system.
  3. A ‘how to’ session (delivered by a Legal representative) for contract managers on identifying relevant security requirements, constructing clauses for master services agreements, and how to enforce them.
  4. A ‘how to’ session (delivered by a Bank representative) for HR staff who process payroll files through a custom portal, i.e. how to use the application, what to be aware of, etc.

  • Continual Improvement of the Ongoing Awareness Campaign and Training Schedule

    As mentioned above, the Ongoing Awareness Campaign and Training Schedule will be continually improved through application of the Plan, Do, Check, Act (PDCA) model.

  1. Plan: Establish the Ongoing Campaign and Training Schedule, objectives, materials and timelines relevant to managing risk and improving Information Security.
  2. Do: Implement the Ongoing Campaign and Training Schedule.
  3. Check: Assess and, where applicable, measure the performance of the Ongoing Campaign and Training activities against stakeholder objectives and staff experience, and report the results to management for review.
  4. Act: Take corrective and preventive actions, based on the results of surveys, incidents, internal audits, etc., to continually improve the Ongoing Campaign and Training Schedule.

I hope this has given you some food for thought and/or enough information to help you start building a program and raising awareness about security and how to avoid eating dirt with dog sprinkles on it.

Good luck.

Tags: information security, Information Security Awareness and Training program