Monday, June 24, 2019

Week 04 - Security Awareness and Training

TL;DR - Learning is a continuum that requires understanding what you are trying to accomplish, combined with the soft skills to deliver it, in order to change the culture.

The National Institute of Standards and Technology developed a document on how to create a Security Awareness Program that is fairly ok.

Employees require additional training to increase their awareness, knowledge, skills, and abilities in security. They are the last line of defense against intentional or unintentional actions that may cause harm, whether to a physical item or to information on paper or in digital form, and whether through destruction or compromise. The success of a security program depends on employees understanding the importance of their role in protecting the organization’s assets and their own personal lives, how they fit into the overall picture, and then changing their behavior and the organization’s culture.

Learning is a continuum; it starts with awareness, builds to training, and evolves into education. The following definitions explain the differences along the continuum:

  • Awareness: The purpose of awareness is to focus attention on security to allow individuals to recognize security concerns and respond accordingly.
  • Training: The purpose of training is to produce relevant and needed security skills and competencies in practitioners of functional specialties other than security (e.g., management, systems design and development, acquisition, auditing).
  • Education: Integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge and strives to produce security specialists and professionals capable of vision and proactive response.

Training is provided in many forms, as determined by the content, the target audience, and the need to maximize effectiveness. The following methods may be employed: required reading, computer-based, web-based, off-site professional training, classroom, testing such as phishing campaigns, posters, or infographics. The level of force and complexity applied depends on the target audience: a general employee/user receives basic awareness and/or training at a specified interval, while critical roles such as security professionals, management, or technical administrators receive additional training, through other methods, tailored to their functions.

Most training focuses on the general employee/user. The employee/user is the largest audience in an organization and is considered the weakest link in security because they are capable of bypassing safeguards. However, they are also capable of being the greatest defenders of the system. An awareness and training program is the vehicle for communicating security requirements to the user population. The content:

  • Explains the proper rules of behavior, such as acceptable use of systems and information
  • Specifies the policies and procedures that need to be followed
  • States the sanctions imposed for noncompliance
  • Advises users of what is expected of them

Changing behavior is key; however, less than 15 percent of security professionals have a background in soft skills such as training, marketing, or communications. Lance Spitzner describes the “Three C's of Security Awareness” for a successful program: communication, collaboration, and culture. This is accomplished by clearly explaining why people should care, working out how to communicate what we need them to do in simple terms, and validating that people are exhibiting those behaviors. A picture is worth a thousand words; the following are two awareness examples.

Figure 1: Poster

Figure 2: Infographic
