Security Awareness The Weakest Link Case Study
Excerpt from Case Study:
To offer an information security awareness training curriculum framework to promote consistency across government (15).
Security awareness is needed to ensure the overall security of the information infrastructure. Security awareness programs can help organizations communicate their information security policies, tips to help users keep systems secure, and the practices the entire organization should follow. However, as Kolb and Abdullah reiterate, "security awareness is not about training but rather designed to change employee behavior" (105).
A security awareness program should work in conjunction with the information technology software and hardware JCS utilizes; together they mitigate the risks and threats to the organization. Security awareness is one defensive layer in the information system's overall security structure. Although not a training program per se, security awareness does educate the end users at JCS about the information security threats the organization faces and the role these end users play.
Culnan, Foxman and Ray note that all employees who are in any way involved with the company's IT systems should be made aware of the possible security threats. Security awareness also includes an understanding of security basics and a general security literacy. Training builds on these basics and literacy, providing a base of knowledge about key security concepts and security vocabulary.
The definition of security awareness does not apply only to the challenges of information security at the JCS office; it includes off-site challenges as well. Culnan, Foxman and Ray note that with the distributed computing environment used by JCS today, the threat of security breaches from outside JCS's boundaries has increased. The researchers' study found that employee security awareness and training programs can have a positive impact on off-site computer security. For this reason, the definition of security awareness has to include building knowledge regarding information security threats that also occur at home, in coffee shops, hotels, airports, or other places. Security awareness will become part of JCS's comprehensive risk management strategy.
As NIST notes, people are fallible, and so security awareness enhances security. Components of awareness include developing employees' skills and knowledge so they can perform their jobs more securely, increasing their awareness of the need to protect system resources, and building the knowledge they need to implement or operate security programs for their organization. As NIST succinctly puts it,
Making computer system users aware of their security responsibilities and teaching them correct practices helps users change their behavior. It also supports individual accountability, which is one of the most important ways to improve computer security. Without knowing the necessary security measures (and how to use them), users cannot be truly accountable for their actions ("An
Any organization can have cutting-edge network and hardware security protection, according to Kolb and Abdullah. However, it only takes one uneducated JCS employee to unintentionally publish confidential organization data or to download a virus that can compromise all of the organization's systems. No matter how secure JCS's network may be, it is only as secure as its weakest link, the end user (Emm). Whether errors are made intentionally or unintentionally, the security incidents caused by these errors justify the need for a security awareness program. Wilson and Hash note that there are three major facets in the development of a security awareness program: designing the program, developing the awareness training material, and implementing the program.
The development and design of a security awareness program for JCS begins with an inventory of the critical information that the organization holds. A review of JCS's organizational policies regarding who has access to this sensitive information and how the information is accessed must also be performed (Culnan, Foxman & Ray). Kolb and Abdullah note that the design of JCS's security awareness program should center on publicizing the policies and procedures regarding the organization's information security. The design must also educate users on the importance of following these policies and procedures uniformly, by all employees, and on the expectations JCS has about their...
Who should be responsible for developing the programs?
Whether the programs should be outsourced or developed in-house.
Whether to deliver the programs in the classroom or online.
How to measure the effectiveness of the programs (52).
As Wilson and Hash note, there are two very important questions that the design and development team needs to ask itself as well: What behaviors do they want to reinforce? What skills do they want the JCS employees to learn? These questions will help JCS determine some of the basic design aspects of the security awareness program it will be developing.
Another step that should happen toward the beginning of the design and development process is a review of what the organization already has in place. The team JCS puts together to implement the security awareness program should review JCS's current policies and procedures. Kolb and Abdullah suggest the team assess the strengths and weaknesses of each policy. From there, if the policies are found to be insufficient, the team can develop new policies for the organization, including reasonable disciplinary action should an employee violate a policy.
The next step in the implementation process is surveying the employees. Survey questions should center on JCS's current policies and procedures to determine the employees' level of knowledge. Kolb and Abdullah suggest the following questions:
Are you aware that viruses can cause damage to your computer?
Are you aware of the existence of viruses on the Internet?
Are you aware of how viruses/spyware/Trojans are disseminated on the Internet?
Are you aware of spam e-mails and why they are used?
Are you aware of the classification level for the data you use/process/store?
Are you aware of the current security policies? (104)
This survey will give the design and implementation team an idea of holes that may be in their employees' knowledge base. These holes can then be specifically addressed by designing the security awareness program around them.
A risk assessment must be part of the design and development step of the program. Asset valuation should be conducted, covering the information, software, hardware, personnel and other physical assets the company has. Consequence assessment should be used to estimate the degree of short-term and long-term loss or harm that could occur if a threat became a reality. Threats with the potential to harm JCS's systems should be identified, including errors, disgruntled employees, fraud, water damage, fire, hackers, and viruses. These should not only be identified but also analyzed for their likelihood of occurrence. A safeguard analysis should be conducted to determine what devices, procedures, techniques, etc. are in place to reduce JCS's vulnerability to a threat. Lastly, a vulnerability analysis should be conducted to determine which security procedures, physical controls, technical controls, etc. could be exploited by a threat ("An Introduction").
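The steps above (asset valuation, consequence, likelihood, safeguard analysis) combine into a risk register. The following is an added worked example, not part of the case study and not JCS data: every asset value, likelihood, exposure fraction and safeguard figure is constructed for illustration. It applies the standard quantitative formulas (single loss expectancy = asset value times exposure factor; annual loss expectancy = SLE times annual rate of occurrence) and then shows the part practitioners most often skip, namely checking whether a safeguard's annual cost is actually lower than the loss it prevents.

```python
"""Quantitative risk assessment worked through for the steps above.

Added example, not part of the case study and not JCS data: the assets,
threats, likelihoods, exposure fractions and safeguard figures are
constructed for illustration. Formulas are the standard ones:
  SLE = asset value x exposure factor
  ALE = SLE x annual rate of occurrence (ARO)
  residual ALE = ALE x (1 - safeguard effectiveness)
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    value: float          # asset valuation (constructed figure)


@dataclass
class Threat:
    name: str
    asset: str            # Asset.name this threat acts on
    aro: float            # likelihood: expected occurrences per year
    exposure: float       # consequence: fraction of asset value lost per occurrence


@dataclass
class Safeguard:
    name: str
    threat: str           # Threat.name it mitigates
    effectiveness: float  # fraction of the loss it prevents (0..1)
    annual_cost: float


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    return asset.value * threat.exposure


def annual_loss_expectancy(asset: Asset, threat: Threat) -> float:
    return single_loss_expectancy(asset, threat) * threat.aro


def assess(assets, threats, safeguards):
    """One row per threat, highest residual risk first.

    For each threat the safeguard with the largest net annual benefit
    (ALE reduction minus its cost) is chosen. If no safeguard pays for
    itself, the risk is recorded as accepted and the inherent ALE stands."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        ale = annual_loss_expectancy(by_name[t.asset], t)
        candidates = [s for s in safeguards if s.threat == t.name]
        best: Optional[Safeguard] = max(
            candidates, key=lambda s: ale * s.effectiveness - s.annual_cost, default=None)
        net = ale * best.effectiveness - best.annual_cost if best else 0.0
        if best is None or net <= 0:
            best, net, residual = None, 0.0, ale   # accept the risk
        else:
            residual = ale * (1 - best.effectiveness)
        rows.append({
            "threat": t.name,
            "asset": t.asset,
            "ale": round(ale, 2),
            "safeguard": best.name if best else None,
            "residual_ale": round(residual, 2),
            "net_benefit": round(net, 2),
        })
    rows.sort(key=lambda r: r["residual_ale"], reverse=True)
    return rows


# Constructed sample data for illustration only (not JCS figures).
ASSETS = [
    Asset("customer database", 500_000),
    Asset("file server", 120_000),
    Asset("laptops", 40_000),
]
THREATS = [
    Threat("phishing credential theft", "customer database", aro=0.5, exposure=0.3),
    Threat("malware download", "file server", aro=2.0, exposure=0.25),
    Threat("fire", "file server", aro=0.02, exposure=1.0),
    Threat("laptop lost off-site", "laptops", aro=1.0, exposure=0.1),
]
SAFEGUARDS = [
    Safeguard("awareness training", "phishing credential theft", 0.6, 15_000),
    Safeguard("multi-factor authentication", "phishing credential theft", 0.9, 25_000),
    Safeguard("endpoint anti-malware", "malware download", 0.7, 10_000),
    Safeguard("fire suppression", "fire", 0.8, 5_000),
    Safeguard("full-disk encryption", "laptop lost off-site", 0.9, 2_000),
]


def run_example():
    return assess(ASSETS, THREATS, SAFEGUARDS)


if __name__ == "__main__":
    for r in run_example():
        print(f"{r['threat']:<28} ALE {r['ale']:>9,.0f}  residual {r['residual_ale']:>9,.0f}  "
              f"safeguard: {r['safeguard'] or 'accept risk'}")
```

With these constructed figures the register ranks "malware download" as the largest residual risk even after anti-malware, picks multi-factor authentication over awareness training for phishing because its net benefit is higher, and declines fire suppression because its annual cost exceeds the small expected loss it would prevent. In practice the likelihood and exposure inputs are the weak point of the whole exercise and should be documented with their source, as the handbook's threat and consequence analysis steps require.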
Whether JCS employees take part in group-led training sessions or use individual web-based training programs, to be effective the training must explain the organization's rules of behavior for use of JCS's networks and information. For this reason, the security awareness sessions will be JCS's primary tool for communicating its information security procedures, policies and requirements. According to Culnan, Foxman and Ray, NIST has issued two publications related to developing and implementing security awareness programs. The 2003 publication (Wilson and Hash, SP 800-50) details a high-level strategic view that the team can use to develop JCS's security awareness program. The 1998 document (SP 800-16) outlines tactical guidelines JCS can utilize, and details how to implement role-based learning for its security awareness program.
According to Yeo, Mahbubur and Ren, the behaviors of end users can be separated into three categories: malicious users, neutral users and beneficial users. The authors further note that information security researchers and professionals have surmised that the security behaviors of users, especially neutral and beneficial users, can be altered by increasing their security awareness.
Social psychology has been used successfully to change people's attitudes and behaviors, and its theories can be used to make security awareness programs more effective. Motivation and behavioral theories, for example, can be applied to information security as a persuasion strategy that increases a user's commitment to information security guidelines. This psychological aspect must therefore be taken into consideration when designing a security awareness implementation strategy at JCS.
Technology, too, should be part of JCS's implementation strategy. Yeo, Mahbubur and Ren note that technology has been used in recent years to facilitate changes in users' behaviors and attitudes. This field of research is known as "captology," and is defined as the research, analysis and design of…
Sources Used in Documents:
"An Introduction to Computer Security: The NIST Handbook." National Institute of Standards and Technology, SP 800-12 (Oct 1995). Web. 24 Oct 2010.
Anti-virus Guidelines. The SANS Institute, 2006. Web. 24 Oct 2010.
Culnan, M., Foxman, E., & Ray, A. "Why IT Executives Should Help Employees Secure their Home Computers." MIS Quarterly Executive 7.1 (2008): 49-56. Print.
Desktop Security Policies. The SANS Institute, 2006. Web. 24 Oct 2010.