#113 Keeping Information Security Awareness Training Fresh
Session 113, 20 June 2005

Peter R. Bitterli, CISA
Principal, Bitterli Consulting AG
http://www.bitterli-consulting.ch
[email protected]

Please observe the copyright: You are allowed to use and further distribute this presentation only with this copyright notice attached. If you use parts of this documentation in presentations or other diagrams you have to refer to the source. Any commercial use of this presentation is only allowed with written consent of the author.


Abstract: Keeping information security awareness training fresh

This session will provide insight into the tricks of running a successful information security awareness campaign. It will explain both a scientific and a pragmatic means of analyzing the need for improvement and will help the information security manager recognize the importance of structuring the campaign for different target audiences (e.g., managers, employees, IT staff) and their specific cultural and professional backgrounds. The session will show typical unwanted behaviour of the target audiences and some of their special characteristics that can help in convincing them of something they may not initially be keen to implement …

Learning Objectives: The participants will learn about

- Developing and running an international awareness campaign
- Analyzing the needs for a campaign and its specific goals and objectives
- The advantages and disadvantages of typical campaign components (e.g., brochures, training, video, e-learning)
- Taking advantage of successful marketing and sales techniques
- Measuring the success of campaign elements

Content: Keeping information security awareness training fresh

- Why is it so difficult to sell security?
- The basics of selling security
- Target audience analysis
- More scientific approaches
- How to use awareness “tools”
- Awareness video (Swiss Re)
- Wrap-up

Part 1: Introduction to Information Security Awareness

Need for a formal Program: Security awareness is a combination of culture and behaviour

- It is a fact that the attitude and behaviour of staff have a high impact on the quality and security of any type of service
- It is therefore essential to prompt all persons involved to be careful when creating, processing, using or handling information and information systems

Target of any Campaign: Only a longer lasting program will raise awareness to the necessary level

(Diagram: personal commitment, from low to high, plotted against time and contact; it rises through the stages awareness, understanding, positive image, adoption, acceptance and internalization, which the slide groups into Level 1, Level 2 and Level 3.)

The overall target of any awareness campaign should be to convey the correct security and quality aware behaviour so that a high level of personal commitment can be achieved.

Level 1: Basic Understanding

- The goal of level 1 is to introduce a basic understanding
  - of why quality and security are needed
  - of the necessity to personally contribute through correct behaviour
- Level 1 typically addresses all employees (users of IT) and all levels of management

Level 2: Quality & Security Thinking

- The attitude of every member of staff must be changed sustainably. To do this, we must show them how they, as the persons affected, can contribute to a high level of quality and security
- Level 2 typically also addresses more specific target groups (e.g. software developers, system administrators, business managers responsible for internal controls)

Level 2: Quality & Security Thinking

Level 2 can only be reached with the support of management and through the integration of quality and security into their daily tasks, e.g.

- Fixed item on the agenda of regular meetings
- Integration into strategy and planning processes
- Integration into objectives for subordinates
- Monitoring and compliance reviews of policies

Level 3: Towards Internalization

- Only where quality and security are considered “automatically” will an adequate level of security be reached
- Level 3 means that any person involved considers quality and security aspects with every action or decision

Level 3: Towards Internalization

An “internalization” will only be reached where the following requirements can be met:

- Binding and understandable regulations for quality and security
- Incentives for correct conduct
- Sanctions for non-compliance, based on concise criteria
- Ongoing comparison between different areas using benchmarking

Part 2: Selling Information Security Awareness: the Basics

Selling Security is difficult: Some of the most common reasons for failure of awareness campaigns

- Unsuccessful track record
- Failure to fulfil management’s expectations
- Lack of organisational understanding by security staff
- Failure in coordination between the control functions
- Evolving organisation structures
- Lack of a coordinated security sales program

Business Objectives: How to sell (IT) security

- Know your organisation’s primary business objectives
- Familiarise yourself with the industry / business operations:
  - Annual reports
  - Organisational charts
  - Strategic plans
  - Interviews of business managers
- Analyse business needs and what could threaten the objectives being met

Sales Strategy: How to sell (IT) security

- Sell to more than one level of management
- Sell the security professional (yourself) first
- Avoid negative security messages
- Know sales techniques
  - General marketing techniques
  - Variety of approaches available
- Don’t forget:
  - Personal presentations
  - One-to-one selling

Selling to Managers (I): How to sell (IT) security

- Security Policy, Baseline Control, Guidelines
  - Present and discuss; ask for feedback
  - Let the managers explain them to subordinates
- Awareness materials
  - Present and discuss; ask for an accompanying letter
  - Have them talk about this during meetings
- Distribute articles about security
  - With a commenting letter
  - In person (“have you seen this?”)

Selling to Managers (II): How to sell (IT) security

- Report on security matters
  - In person once every month
  - Fixed item on the agenda for meetings
- Encourage managers to attend
  - Meetings, seminars, conferences on security
- Be prepared before facing management
  - Anticipate questions and objections (FAQ)
  - Ask them for a decision
  - Handout material
  - Follow-up visit

More Marketing Aspects: How to sell (IT) security

- Make people want to be secure
- Display high-level support
- Encourage people to be alert
- Point out the risks
- Be simple but comprehensive
- Be targeted and never assume knowledge
- Be entertaining and amusing
- Be two-way

Part 3: Analyse the Target Audiences

Select your Target Groups (I): Whom do you want to address with your awareness campaign?

- Users
  - “Normal”
  - With access to sensitive data
  - Home office
  - Travelling users
    - With laptop, PDA, agenda, mobile phone
  - Temps
  - New joiners
- Management
  - Your boss
  - Business managers
  - Executive management
- Control related
  - Legal
  - Compliance
  - Human Resources
  - Controlling
  - Data Protection Officer

Select your Target Groups (II): Whom do you want to address with your awareness campaign?

- IT
  - Manager(s)
  - Developers
  - Operations
  - Administrators
  - Help Desk
- External
  - Clients
  - Business partners
  - Audit committee
  - Outsourcing providers

Analyse your “Target Groups”: Know your “enemy” if you want to be successful

For every target group collect:

- Description
- Major (security) concerns of target group members
- Unwanted behaviour
- Expected behaviour
- Possible delivery mechanisms (marketing ideas)

You will find examples on the following slides for three of the many target groups: managers, users, IT staff.

Target Group: Management (I): Typical example of the results of target group analysis

Description
- Persons responsible for
  - a department
  - a (large) team
  - a specific area/topic (e.g. Data Protection Officer, Compliance)
- Hierarchically senior
- Better paid
- (Often) better educated
- Career oriented

Major (security) concerns
- Unavailability of data and computing resources
- Unauthorised access to data (e.g. sensitive or confidential data)
- Too high a level of access for temps etc.
- Internet & third party access

Target Group: Management (II): Typical example of the results of target group analysis

Unwanted behaviour
- Are not at all concerned about (IT) security
- See no need to provide resources for quality and/or security
- Do not monitor their area of responsibility
- Are often under high pressure to perform
- Keep problems to themselves

Unwanted behaviour (cont)
- Set bad examples
- Pass on their passwords to secretaries
- Grant too much access to 3rd parties (consultants, business partners)

Target Group: Management (III): Typical example of the results of target group analysis

Expected behaviour
- Really care about security
- Provide resources for quality and/or security
- Check back whether their orders have been met

Possible delivery mechanisms
- Security is part of the agenda in all regular meetings
- MbO, and will impact bonus
- Standard management trainings
- Train-the-trainers
- Quarterly security management report

Part 4: Analyse the Target Audiences – a more Scientific Approach

Behaviorism can help: Many different scientific approaches

Behaviorism shows
- how persons really behave
- what persons really think

Scientific approach
- Questionnaires
- Interviews
- Observation (video, measuring brain currents, …)

Supports effectiveness
- Problems/concerns
- Behaviour
- Motivation
- You know “what makes them tick”

Supports efficiency
- Focus on target group(s)
- Focus on important issues

Behaviorism can help: Two of the many approaches explained

4 ways of Life Analysis
- Grouping based on predefined criteria
- Supports focussing on the most common types, e.g.
  - Hierarchists
  - Individualists

Risk & Security Perceptions
- Grouping based on common criteria
- Supports focussing on just a few factors
- Will produce highly valuable starting-points for the campaign

4 ways of life analysis (Prof. Dake): Systematic and scientific assessment of cultural biases

(Grid: the vertical axis runs from a high to a low degree of social regulation, the horizontal axis from a low to a high degree of social contact; the four resulting types are Fatalist, Hierarchist, Egalitarian and Individualist.)

Fatalist
- Views: Nature is a lottery, capricious; outcomes are a function of chance
- Preferences: Weigh gains against losses

Hierarchist
- Views: Nature is tolerant if treated with care; outcomes can be managed to be sustainable
- Preferences: Regulators/contract to facilitate commerce; voluntary arrangements brokered by markets and prices

Egalitarian
- Views: Nature is vulnerable; outcomes require altruism and common effort
- Preferences: Precaution (irresponsible to take action which could harm the current or future state)

Individualist
- Views: Nature is resilient; outcomes are a personal responsibility
- Preferences: Personal responsibility; free of control; oppose top-down intervention; dislike organised societal learning

Campaign emphasis per type (as placed on the slide): emphasise responsibility; emphasise impact; emphasise risk assessment; emphasise gains and losses

4 ways of life analysis (Prof. Dake): Using the results of such a scientific analysis to our advantage

Hierarchists
- Emphasize the importance of technology for decision making
- Focus on rules and expected norms of behaviour
- Message must be delivered by, or jointly with, line management

Individualists
- Appeal to personal responsibility
- Do not emphasize strict rules, policies and procedures
- Use other distribution channels than organized training
- Use MbO and appraisal processes to reward desired behaviour

We can/should focus on the most frequent types.

Risk and Security Perceptions: Scientific background

- All persons simplify information to enable decisions
- Using questionnaires and mathematical methods to find out how persons perceive and simplify complex information
- The different ways of combining information can provide insights into thinking, blind spots, …

Risk and Security Perceptions: Assessment methodology

- 18 risk scenarios (stimuli)
- 13 risk elements (attributes)
- 7-point bipolar scale (yardstick)

Risk elements (attributes):
- Overall risk
- Frequency
- Likelihood
- Stress
- Accidental/deliberate
- Recovery
- Technology/human cause
- Costs
- Individual/organizational effects
- Effects contained within/outside organisation
- Embarrassment
- Reputation
- Major/minor consequences

Risk scenarios (stimuli):
- Employee uses p/w
- Data entry error
- Coffee damages equip
- Y2k failure
- Slow machines
- No training
- Power cut
- Credit cards stolen
- Internet use in work
- Hacker steals
- Payroll data lost
- Disc stolen
- Computer virus
- Disclose personal data
- Eye strain
- Software fault
- Poor software
- Obsolete system

Risk and Security Perceptions: Presenting the results (UK Financial Sector)

Loadings per attribute:
- Recovery 0.940
- Reputation 0.902
- Consequences 0.895
- Effects in/out 0.867
- Overall risk 0.814
- Tech/Human causes 0.808
- Frequency 0.803
- Costs 0.711
- Likelihood 0.592

(Chart: the 18 scenarios plotted by Seriousness against Probability, with Technology/Human causes as a third dimension; scenarios shown: disc stolen, credit cards stolen, hacker steals, employee uses p/w, disclose personal data, data entry error, no training, poor s/w, slow machines, computer virus, obsolete system, internet use in work, s/w fault, eye strain, coffee damages equip, payroll data lost, y2k failure, power cut.)
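As an added worked example (not part of Bitterli's slides and not the survey instrument he cites), the Python below scores a small constructed survey of the shape described above: respondents rate scenarios on attributes using the 7-point bipolar scale, the script computes each scenario's mean profile, places scenarios on a seriousness/probability map like the chart, and computes a loading per attribute. These are assumptions, not taken from the slides: the scale is coded -3..+3, seriousness is the mean “overall risk” rating, probability is the mean “likelihood” rating, and a loading is the Pearson correlation of an attribute with “overall risk” (the slide does not say how its 0.59 to 0.94 figures were derived). Scenario and attribute names are a subset of those on the slides; every rating is constructed.

```python
"""Score a bipolar-scale risk-perception survey (added example).

Not the presenter's material. Scenario and attribute names come from the
slides; the ratings are constructed. Assumed coding: 7-point bipolar scale
as -3..+3; seriousness = mean "overall risk"; probability = mean "likelihood";
loading = Pearson correlation of an attribute with "overall risk".
"""
from math import sqrt

# Subset of the 13 attributes (risk elements) and of the 18 scenarios (stimuli)
ATTRIBUTES = ["overall risk", "frequency", "likelihood", "recovery", "reputation", "costs"]
SCENARIOS = ["hacker steals", "computer virus", "power cut", "eye strain", "data entry error"]
SCALE_MIN, SCALE_MAX = -3, 3  # assumed coding of the 7-point bipolar scale

# Constructed responses: respondent -> scenario -> one rating per attribute
# (in ATTRIBUTES order).  Three respondents keep the arithmetic checkable.
RESPONSES = {
    "respondent A": {
        "hacker steals": (3, 1, 2, 3, 3, 3), "computer virus": (2, 3, 3, 1, 1, 2),
        "power cut": (1, 0, 1, -2, -1, 1), "eye strain": (-2, 1, 1, -3, -3, -2),
        "data entry error": (0, 2, 2, -1, -1, 0)},
    "respondent B": {
        "hacker steals": (3, 0, 1, 2, 3, 2), "computer virus": (2, 2, 2, 0, 1, 1),
        "power cut": (0, -1, 0, -3, -2, 0), "eye strain": (-3, 2, 2, -3, -3, -3),
        "data entry error": (1, 3, 3, 0, -2, 1)},
    "respondent C": {
        "hacker steals": (2, 1, 1, 3, 2, 3), "computer virus": (3, 3, 3, 1, 2, 2),
        "power cut": (1, -1, 0, -2, -1, 0), "eye strain": (-2, 1, 2, -2, -3, -2),
        "data entry error": (0, 2, 2, -1, 0, 0)},
}


def is_valid_rating(r):
    """A rating must be an integer point on the bipolar scale."""
    return isinstance(r, int) and SCALE_MIN <= r <= SCALE_MAX


def check_responses(responses):
    """Reject forms with missing scenarios, wrong attribute counts or off-scale values."""
    for who, form in responses.items():
        for scenario in SCENARIOS:
            ratings = form.get(scenario)
            if ratings is None or len(ratings) != len(ATTRIBUTES):
                raise ValueError(f"{who}: incomplete ratings for {scenario!r}")
            if not all(is_valid_rating(r) for r in ratings):
                raise ValueError(f"{who}: off-scale rating for {scenario!r}")
    return True


def avg(xs):
    return sum(xs) / len(xs)


def column(responses, scenario, attribute):
    """Every respondent's rating of one scenario on one attribute."""
    i = ATTRIBUTES.index(attribute)
    return [form[scenario][i] for form in responses.values()]


def mean_profile(responses, scenario):
    """Mean rating of one scenario on every attribute (its semantic-differential profile)."""
    return {a: avg(column(responses, scenario, a)) for a in ATTRIBUTES}


def pearson(xs, ys):
    mx, my = avg(xs), avg(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0  # a constant attribute carries no linear relation
    return cov / sqrt(vx * vy)


def all_ratings(responses, attribute):
    """Ratings of one attribute across every (scenario, respondent) pair, fixed order."""
    return [r for s in SCENARIOS for r in column(responses, s, attribute)]


def attribute_loadings(responses, anchor="overall risk"):
    """Assumed loading: correlation of each attribute with the anchor attribute."""
    base = all_ratings(responses, anchor)
    return {a: pearson(all_ratings(responses, a), base) for a in ATTRIBUTES}


def scenario_map(responses):
    """(seriousness, probability) per scenario, the two chart axes (assumed definitions)."""
    return {s: (avg(column(responses, s, "overall risk")),
                avg(column(responses, s, "likelihood"))) for s in SCENARIOS}


if __name__ == "__main__":
    check_responses(RESPONSES)
    for a, l in sorted(attribute_loadings(RESPONSES).items(), key=lambda kv: -kv[1]):
        print(f"{a:<14} {l:+.3f}")
    for s, (ser, prob) in scenario_map(RESPONSES).items():
        print(f"{s:<18} seriousness {ser:+.2f}  probability {prob:+.2f}")
```

With the constructed ratings, “eye strain” lands as likely but not serious while “hacker steals” is serious but rated less frequent, which is the kind of gap between perceived probability and remembered frequency the next slide attributes to managers; the validation step matters because a single off-scale or missing rating silently shifts every mean and correlation computed from it.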

Security Perceptions Survey: Results of such a survey give valuable insight (managers)

Managers concentrate, for their personal risk evaluation, on:
- impact on themselves (embarrassment) and the organization (reputation)
- past events (frequency) and not the likelihood of an event happening in future

Managers should (also) observe:
- Recoverability
- Overall consequences (impact)
- Causes of possible problems
- Probability, not frequency

Security Perceptions Survey: Results of such a survey give valuable insight (IT staff)

IT staff think about:
- whom they can blame (human cause or technical failure)
- how to manage risks
- costs alone (they don’t use other factors, e.g. reputation, embarrassment, …)

IT staff should focus more on:
- Individual and/or organizational effects
- Accidental/deliberate causes
- Embarrassment and stress

Part 5: How to use Awareness “Tools”

Awareness Tool Set (I): Wide range of possible marketing elements

Paper based
- Articles
- Brochures
- Hand books
- Posters, mini-posters
- Stickers
- Ads
- Tips & tricks

Electronic
- CBT
- Videos
- Intranet web site
- E-learning / E-lab

Others
- 1-to-1 marketing
- Security training
- Security reps

Awareness Tool Set (II): Wide range of possible marketing elements

Useful things
- Mouse mat
- Screen saver
- Calendar

Office material
- Note pads
- Post-it
- Pencils

Others
- Table stand
- Magnetic signs
- Napkins, mugs
- Toilet paper
- Security calculator
- Security games
- Other give-aways

Security Brochures: Marketing and communication elements for awareness: Example A

Advantages
- Highly attractive
- Can really raise understanding for security
- Can be produced to appeal to the reader

Disadvantages
- Difficult to ensure that they are read
  - by everybody
  - completely
- Tendency to contain too much text and be too long-winded
- Outdated when printed
- One-way communication

Security Brochures: Marketing and communication elements for awareness

Articles in Magazines: Marketing and communication elements for awareness: Example B

Advantages
- High attentiveness
- Interesting and attractive messages

Disadvantages
- Not personalised
- Need to be done very professionally
- Articles soon lose attractiveness
- One-way communication

Videos: Marketing and communication elements for awareness: Example C

Advantages
- Simple short messages
- Can be easily integrated into other events
- Huge variety possible
- Many highly professional videos available for sale

Disadvantages
- Very expensive, esp. if individually produced
- Have a tendency to be exaggerated
- Boring for trainers that use videos
- One-way communication

Posters, Mini-posters: Marketing and communication elements for awareness: Example D

Advantages
- Highly visible
- Memorable
- Concentration on the most important messages

Disadvantages
- Distribution often difficult or costly
- Need space to hang
- One-way communication

Security Trainings: Marketing and communication elements for awareness: Example E

Advantages
- Easily tailored
- Personal
- Participation can be fun
- Intensive knowledge transfer
- Opportunity for questions
- Highly satisfactory for security officers

Disadvantages
- Time consuming
- Needs a highly sophisticated approach
- Needs highly qualified trainers
- Rollout can be organisationally demanding

Visualisation: Define the corporate identity of the awareness campaign

- Logos
  - define a security logo
- Brand / CI
  - define a recognisable brand
- B/W or colour
  - not just a matter of cost
- Photographs
  - of people
  - of “negative” scenes?
- Cartoons
  - not at all?
  - for specific elements, e.g. e-learning, posters
  - in brochures?

Cross-linking Elements (II): Some successful examples

Example C (2002)
- Slogan
- Logo (unofficial)
- Articles
- Brochure
- Posters
- Training
  - End users
  - Laptop users
- Give-aways

Example C (cont)
- E-learning for IT
  - Regulations
  - Developer
  - Operations/Admin
- E-lab
  - Developer
  - Operations/Admin

Awareness Life Cycle

(Diagram: a cycle through four states, each transition labelled with what moves a person to the next state, as laid out on the slide.)

- Level 0: unconscious incompetence, moved on by awareness to
- Level 1: conscious incompetence, moved on by training to
- Level 2: conscious competence, moved on by experience to
- Level 3: unconscious competence, from which complacency leads back to unconscious incompetence

The optimal Campaign: My personal experiences of the last 13 years

Do a proper project
- Project leader
- Steering committee
- Detailed time plan
- Set of deliverables
- Budget for 2-3 years
- Address the campaign to different target audiences

A good campaign:
- Goals defined
- Target audience analysed
- Staged over a longer period
- Multi-channel approach
- Highly cross-linked

If you have any awareness material for my collection