Security Awareness The Weakest Link Case Study

Length: 30 pages Sources: 10 Subject: Education - Computers Type: Case Study Paper: #52504223 Related Topics: Security Breach, Computer Security, Airport Security, August Wilson
Excerpt from Case Study:

To offer an information security awareness training curriculum framework to promote consistency across government (15).

Security awareness is needed to ensure the overall security of the information infrastructure. Security awareness programs can help organizations communicate their information security policies, tips for users to help keep systems secure, and the practices the entire organization should be utilizing. However, as Kolb and Abdullah reiterate, "security awareness is not about training but rather designed to change employee behavior" (105).

A program concerning security awareness should work in conjunction with the information technology software and hardware JCS utilizes. In this way, it mitigates the risks and threats to the organization. Security awareness is a defensive layer to the information system's overall security structure. Although not a training program, per se, security awareness does provide education to the end users at JCS, regarding the information security threats the organization faces, and the role that these end users play.

Culnan, Foxman and Ray note that all employees who are in any way involved with the company's IT systems should be made aware of the possible security threats. In addition, security awareness includes an understanding of security basics and a general security literacy. Training is underpinned by these basics and this literacy, which provide a base of knowledge regarding key security concepts as well as security vocabulary.

The definition of security awareness does not simply apply to being aware of the challenges of information security at the JCS office; it also includes off-site challenges. Culnan, Foxman and Ray note that with the distributed computing environment used by JCS today, the threat of security breaches from outside JCS's boundaries has increased. The researchers' study found that employee security awareness and training programs can have a positive impact on off-site computer security. For this reason, the definition of security awareness has to include building knowledge regarding information security threats that also occur at home, in coffee shops, hotels, airports, or other places. Security awareness will become part of JCS's comprehensive risk management strategies.

As NIST notes, people are fallible; as such, security awareness enhances security. Components of awareness include developing employees' skills and knowledge so they can perform their jobs more securely, increasing their awareness of the need to protect system resources, and building knowledge so they can implement or operate security programs for their organization. As NIST succinctly puts it,

Making computer system users aware of their security responsibilities and teaching them correct practices helps users change their behavior. It also supports individual accountability, which is one of the most important ways to improve computer security. Without knowing the necessary security measures (and how to use them), users cannot be truly accountable for their actions ("An Introduction" 145).

Development/Designing Awareness:

Any organization can have cutting-edge network and hardware security protection, according to Kolb and Abdullah. However, it only takes one uneducated JCS employee to unintentionally publish confidential organization data or to download a virus that can compromise all of the organization's systems. No matter how secure JCS's network may be, it's only as secure as its weakest link -- the end user (Emm). Whether errors are made intentionally or unintentionally, the security incidents caused by these errors justify the need for a security awareness program. Wilson and Hash note that there are three major facets in the development of a security awareness program: designing the program, developing the awareness training material, and implementing the program.

The development and design of a security awareness program for JCS begins with an inventory of the critical information that the organization holds. A review of JCS's organizational policies regarding who has access to this sensitive information, and how the information is accessed, must also be performed (Culnan, Foxman & Ray). Kolb and Abdullah note that the design of JCS's security awareness program should be centered on publicizing the policies and procedures regarding the organization's information security. The design must also educate users on the importance of these policies and procedures, which need to...


These include:

Who should be responsible for developing the programs?

Whether the programs should be outsourced or developed in-house?

Whether to deliver the programs in the classroom or online?

How to measure the effectiveness of the programs (52).

As Wilson and Hash note, there are two very important questions that the design and development team need to ask themselves as well. What behaviors do they want to reinforce? What skills do they want the JCS employees to learn? These questions will help JCS determine some of the basic design aspects of the security awareness program they will be developing.

Another step that should happen toward the beginning of the design and development process is a review of what the organization already has in place. The team JCS puts together to implement the security awareness program should review JCS's current policies and procedures. Kolb and Abdullah suggest the team assess the strengths and weaknesses of each policy. If the policies are found to be insufficient, the team can then develop new policies for the organization, including reasonable disciplinary action should an employee violate a policy.

The next step in the implementation process is surveying the employees. Survey questions should center on JCS's current policies and procedures to determine the employees' level of knowledge. Kolb and Abdullah suggest the following questions:

Are you aware that viruses can cause damage to your computer?

Are you aware of the existence of viruses on the Internet?

Are you aware of how viruses/spyware/Trojans are disseminated on the Internet?

Are you aware of spam e-mails and why they are used?

Are you aware of the classification level for the data you use/process/store?

Are you aware of the current security policies? (104)

This survey will give the design and implementation team an idea of holes that may be in their employees' knowledge base. These holes can then be specifically addressed by designing the security awareness program around them.

A risk assessment must be part of the design and development step of the program. Asset valuation should be conducted, including the information, software, hardware, personnel and other physical assets the company has. Consequence assessment should be used to estimate the degree of short-term and long-term loss or harm that could occur if a threat became a reality. Threats should be identified that have potential to harm JCS's systems, including errors, disgruntled employees, fraud, water damage, fire, hackers, and viruses. These should not only be identified, but also analyzed for their likelihood of occurrence. A safeguard analysis should be conducted to determine what devices, procedures, techniques, etc. are in place to reduce JCS's vulnerability to a threat. Lastly, a vulnerability analysis should be conducted that will determine which security procedures, physical controls, technical controls, etc. could be exploited by a threat ("An Introduction").

Whether JCS employees are taking part in group-led training sessions or using individual web-based training programs, to be effective the training must explain the organization's rules of behavior for use of JCS's networks and information. For this reason, the security awareness sessions will be JCS's primary tool for communicating its information security procedures, policies and requirements. According to Culnan, Foxman and Ray, NIST has issued two publications related to developing and implementing security awareness programs. The 2003 NIST publication details a high-level strategic view that the team can use to develop JCS's security awareness program. The 1998 NIST document outlines tactical guidelines JCS can utilize, and details how to implement role-based learning for its security awareness program.

Implementation Strategy:

According to Yeo, Mahbubur and Ren, the behaviors of end users can be separated into three categories: malicious users, neutral users and beneficial users. The authors further note that information security researchers and professionals have surmised that the security behaviors of users, especially neutral and beneficial users, can be altered by increasing their security awareness.

Attitudes and behaviors in people have been successfully changed using social psychology, and these theories can be used to make security awareness programs more effective. Theories such as motivation and behavioral theories can be applied to information security in the form of a persuasion strategy that increases a user's commitment to information security guidelines. As such, this psychological aspect must be taken into consideration when designing a security awareness implementation strategy at JCS.

Technology too should be part of JCS's implementation strategy. Yeo, Mahbubur and Ren note that technology has been used, in recent years, to facilitate a change in behaviors and attitudes in users. This field of research is known as "Captology," and is defined as the research, analysis and design of…

Sources Used in Documents:

"An Introduction to Computer Security: The NIST Handbook." National Institute of Standards and Technology, SP 800-12, Oct 1995. Web. 24 Oct 2010.

Anti-virus Guidelines. The SANS Institute, 2006. Web. 24 Oct 2010.

Culnan, M., Foxman, E., & Ray, A. "Why IT Executives Should Help Employees Secure their Home Computers." MIS Quarterly Executive 7.1 (2008): 49-56. Print.

Desktop Security Policies. The SANS Institute, 2006. Web. 24 Oct 2010.

Cite this Document:

"Security Awareness The Weakest Link" (2010, October 29). Retrieved May 22, 2022.
