User-Awareness Programs Overview

Executive Summary

After an organization has defined the policies that will direct its security agenda and chosen a general security form by producing and/or adapting a security framework and a corresponding detailed blueprint for implementation, it is important to execute a security education, training and awareness (SETA) program. The SETA program is the responsibility of the CISO and is a control measure designed to reduce the incidence of accidental security breaches by employees. SETA programs are designed to complement the general education and training programs that many organizations already have in place to educate staff on information security. For instance, if an organization perceives that employees' use of e-mail attachments is unsafe, they can be educated and trained on the most convenient and secure way of using e-mail. To make it more meaningful, it is important to include user training in the system development life cycle during the implementation phase.


Information security and privacy training, as well as awareness programs, are important. Knowledge may, and should, be used as a foundation for competitive strategy. When personnel learn more about the business, what the business requires with regard to security and privacy, and what is expected of them when performing business activities, the organization is more assured not only of security and privacy success but also of business success. A firm may have the best and most perfectly drafted information security and privacy policies and procedures in the world, but if its personnel do not understand or implement them within their own job responsibilities and activities, then the firm will have ineffective security and privacy. Indeed, the more personnel know about information security and privacy issues, requirements and impacts, the more assured the firm will be of success in implementing security and awareness measures, complying with applicable regulations, and achieving its business goals for information security and privacy. Moreover, the overall success of any awareness and training program depends on using a thoughtful, systematic approach to delivering effective awareness activities and instructional sessions to the target audiences.

Several types of approaches are presented for practitioners to consider and modify to be most effective within their own environment. Policies alone are not enough to protect an organization; the organization must therefore develop user-awareness programs so that users know about specific policies and are trained to carry out the actions those security policies specify. The overall process for accomplishing this generally involves security education, training and awareness.


One of the best ways to develop and motivate employees in an organization to counter information security threats properly is through the implementation of security awareness programs. With appropriate knowledge, staff can better prevent information security breaches, detect malicious activities of other staff members, and respond efficiently and effectively to security incidents. Generally, SETA has three main elements: security education, security training and security awareness.

Security education

There is a great need to train everyone in an organization and make them aware of information security, but not everyone needs a formal certificate in information security. Security education is important for adding to the knowledge of workers, thus increasing the probability that equipment is managed well. The objective of security education is to develop and maintain the skill sets of the enterprise security organization. While a security awareness program focuses on end users and topics that address operational systems, an education program addresses the technical skills of the organization as needed to ensure that knowledge of leading practices, industry or regulatory issues, and new technology is maintained.

Security training

Security training provides detailed information and hands-on skills to employees to prepare them to perform their duties securely. Information security management can develop customized in-house training or outsource the training program.

Security awareness

Security awareness is very important despite the fact that it is frequently neglected. The process of making employees aware of the importance of information security should be a continual influence throughout the employment life cycle of each individual.

Information security and privacy professionals must communicate, effectively and often, the impact of information privacy and security on personnel activities. In addition, executives must clearly and visibly support policies and practices on information security and privacy. The information security strategy and the appropriate levels of security within the organization, expressed in its policies, standards and procedures, are the source of information for any information security campaign. They reflect the security strategy of the organization and address the levels of security required within it. Normally, the aim of a security awareness campaign is to achieve and sustain security-positive behavior that is in line with those policies, standards and procedures.

The current security awareness level of the people must also be known: past risk analyses, security incident statistics and reports on the adequacy of information security provide insight into it. The security department therefore needs to perform an overall security compliance assessment, or an awareness assessment based on interviews with people within the organization.

Security awareness needs and content

The security needs of each organization determine what the security awareness program must cover. However, there are basic, relevant topics that ought to be covered in every security awareness program. Each program should cover some general information security principles as well as the security topics that are inherent to every organization. Moreover, the security policy (security policy documents, standards and security procedures) constitutes the basic approach to the commitment to and management of information security within an organization.

Computer security and the organization's mission

Computer security mainly focuses on the protection of an organization's valuable resources, which may include tangible and intangible assets as well as its reputation; hence the need for security education, training and awareness.

"Security is sometimes viewed as thwarting the mission of the organization by imposing poorly selected, bothersome rules and procedures on users, managers and systems" [6]; to avoid this, well-chosen security rules and procedures are put in place to protect important assets and thereby support the overall organizational mission.

Installation security education

This is very important when dealing with a new employee or when a new task is to be performed. It is essential that the new person be educated on security because it may be the first time the person is executing that job. Likewise, when someone changes job, it is the responsibility of the organization to make sure that they know their responsibilities in their new position. Generally, a change in an organization's environment requires that people be informed and educated on the possible consequences. For instance, if an organization moves from an old building to a new one at some distance from the old one, this may affect employees as well as customers, and so it needs to be communicated, and awareness created, as early as possible.

Although the assets to be protected (trade secrets, proprietary information and marketing data) are the same and the tasks to be accomplished are the same, the new environment may have a significant effect. The staff will therefore require some security education and awareness training. Installation security education is what can be done to enable and motivate people to do things that are new to them, or to do the same things in a new environment.

Maintenance security education

Like vehicles, security programs require maintenance, and security education must be a central part of that maintenance. Awareness of threats and of the need for security tends to fade into the background of busy people's lives unless they are reminded of it. People need to be reminded that security is an important part of their jobs, and that managers also believe that security is important. Maintenance security education and awareness training is therefore not done to teach people new things or to correct problems in the program, but to keep the program running at an optimum level. Normally, there is a tendency to take corrective measures when things go wrong but to keep hands off when things are going well. It is therefore important to do some evaluation planning so as to specify in detail what the training and awareness evaluation activities will include.

Enhancement security education

Enhancement security education is done when there is a need to improve the performance of tasks in the security program. This includes improvements that can be made even when things are going well. Enhancement security education is done whenever there is a need to raise the level of performance from unacceptable to acceptable, and when there is a need to boost it from acceptable to even better levels. It is done when the organization wants to stop certain behaviour, such as propping the door of a secure area open so that people do not have to key in their access code as they go in or out. Security education helps employees sharpen their skills or gain more information, such as how to use security classification guides more effectively or how to find guides that would be useful. It is also useful when people need to pay more attention to security tasks and put more effort into them, such as being more alert for suspicious loiterers in the hospital parking lot. It is important to make people aware, and make them understand, when you are doing this to raise performance to better levels.


The information assurance environment is shaped by new technologies, unknown threats, increasing vulnerabilities, a national security workforce crisis, and a lack of sufficient security education. New security education initiatives and programs are being established to expand the human resource capacity. While several initiatives intend to address this need, there are many unanswered and unasked questions about the impact of such programs and the extent to which these initiatives succeed. There is a common misconception in education that evaluation does not need to be seriously considered until the end of the awareness, training and education program. Once all the administrative security tasks, such as policies, procedures, plans and processes, are in place, those who are expected to comply with them must know about them. This makes it very important to carry out security education, training and awareness.


References

Desman, Mark. Building an Information Security Awareness Program. NW, CRC Press, 2002.

Doll, Mark, et al. Defending the Digital Frontier: A Security Agenda. NJ, John Wiley and Sons, 2003.

Futcher, Lynn. Fifth World Conference on Information Security Education: Proceedings of the IFIP TC11 WG 11.8, WISE 5, 19 to 21 June 2007, United States Military Academy, West Point, New York. MA, Springer, 2007.

Guttman, Barbara. An Introduction to Computer Security: The NIST Handbook. USA, DIANE Publishing, 1995.

Herold, Rebecca. Managing an Information Security and Privacy Awareness and Training Program. NW, CRC Press, 2005.

Irvine, Cynthia and Helen Armstrong. Security Education and Critical Infrastructures: IFIP TC11/WG11.8 Third Annual World Conference on Information Security Education (WISE3). MA, Springer, 2003.

Kovacich, Gerald L. and Edward Halibozek. Security Metrics Management: How to Measure the Costs and Benefits of Security. Oxford, Butterworth-Heinemann, 2006.

Roper, Carl A., et al. Security Education, Awareness, and Training: From Theory to Practice. Oxford, Butterworth-Heinemann, 2006.

Whitman, Michael and Herbert Mattord. Principles of Information Security. London, Cengage Learning EMEA, 2007.

Wulgaert, Tim and ISACA. Security Awareness: Best Practices to Secure Your Enterprise. IL, ISACA, 2005.

BusinessEssay. (2022, March 12). User-Awareness Programs Overview.