on 8/22/2007 a very interesting and useful report was released by the European Network and Information Security Agency (ENISA), “Information security awareness initiatives: Current practice and the measurement of success.”
The report was created based upon research done by PricewaterhouseCoopers from questionnaire responses from “67 organisations headquartered in nine different European countries.”
“The size of the organisations varied from less than 50 staff to more than 10,000 staff. There was a spread of responses across all industry sectors.”
“How do you know if end users really take actions to make their computers secure? ENISA presents the 1st European report on current practices on measuring successful awareness raising initiatives in information security across the EU, with responses from 67 European organisations headquartered in 9 different countries.
This report is providing an outline analysis of recommended security awareness practices, measurements of effectiveness and metrics, including case studies, of mainly governments and private companies within the European Union (EU). The main areas studied are:
* The importance of information security awareness,
* Techniques to raise information security awareness, and
* Mechanisms to measure the effectiveness of awareness programmes”
A few excerpts I want to point out…
“Ideally, respondents would like to be able to measure actual changes in staff behaviours resulting from the awareness activities. As a consequence, relatively few respondents find input metrics (e.g. number of visitors to intranet site, number of leaflets distributed) helpful;”
I agree the goal of awareness and training should ultimately be to change personnel work habits so that they work in a more secure manner and protect the privacy of personally identifiable information (PII). However, I do not agree that input metrics are not helpful; they can tell a lot about awareness efforts in addition to other metrics. For example, I always found it very useful to measure the number of visits to the intranet information security and/or privacy site following an awareness event, such as a guest speaker or new posters going up. Measuring visits to the intranet site indicates if people became concerned by the message you talked about, and actually paid attention, and then took the initiative to find out more information.
“Each organisation needs to find the right balance for them [mechanisms and techniques used to measure information security awareness]; there is no ‚Äúone size fits all‚Äù solution.”
I completely agree with this.
I see too many organizations trying to use a cookie cutter approach to establishing awareness metrics. I see too many vendors pushing their cookie cutter metrics.
Organizations must establish metrics based upon their own unique organizational characteristics. They can use ideas obtained from others, but their ultimate metrics must be customized to fit their organization.
“The Information Security Forum (ISF) is one of the world’s leading independent authorities on information security. Through surveys and research, the ISF have defined information security awareness as:
‚Äòan ongoing process of learning that is meaningful to recipients, and delivers measurable benefits to the organisation from lasting behavioural change.‚Äô”
Yes, awareness is different than training.
Most organizations think of information security and privacy awareness as being a CBT, which is in fact a type of training.
As I explain on pages 195 – 196 in my book, “Managing an Information Security and Privacy Awareness and Training Program“:
“Awareness is not training. In contrast to training, awareness can occur at the same time everywhere and on a continuous basis. Information security and privacy awareness activities promote ongoing compliance and keep the issues in the minds of your personnel. Remember that as business models change, so do compliance needs and awareness activities.
Awareness activities are different from training activities. The objectives for delivering security and privacy awareness are similar to training options. However, there are some very important differences between training and awareness activities. The options and methods for awareness activities are typically much different than the more formal and structured training. Awareness activities should:
• Occur on an ongoing basis
• Use a wide range of delivery methods
• Catch the attention of the target audience
• Be less formal than training
• Take less time than training
• Be even more creative and fun than training sessions
• Reinforce the lessons learned during formal training, or provide the forerunner to receiving training
Awareness is typically the ‚Äúwhat‚Äù component of your education strategy for influencing behavior and practice; training is typically the ‚Äúhow‚Äù component to implement security and privacy.”
In another excerpt from the ENISA report:
“One company rating security as a low priority sums up the attitude of their senior management as taking the view that nothing bad has happened yet and so why spend
money. In contrast, those at the other end of the spectrum are principally motivated by customer perception and the damage to their reputation that a breach might cause.”
1. When you experience information security incidents and privacy breaches you lose customer trust.
2. When you lose customer trust you lose customers.
3. When you lose customers you lose revenues and could lose your business.
Employee awareness of information securityand privacy is an absolute necessity to ensure they perform their job responsibilities in the most secure way possible to prevent information security incidents and privacy breaches.
Awareness is much more than a regulatory requirement; it is a necessity for keeping customer trust and business.
The ENISA report goes into detail about the various topics that are important to provide awareness about. The topics apply to all organizations worldwide. And, again, the importance will vary from organization to organization based upon the business environment.
There are ten case studies provided within the report that are very interesting. They detail the awareness methods that have worked and not worked, and the various experiences of a wide range of organizations.
The report lists three critical elements of a successful information security awareness program:
“1. Requirements analysis: Management need to identify what topics staff need to understand. Users should be made aware of the sections of the security policy that are relevant (to their job function). Many standards suggest topics to consider, such as spyware, virus outbreaks and strong passwords.
2.Training tailored to role: Both contractors and employees should receive training, appropriately geared towards their role. They should also be regularly
updated with any relevant changes to the security policies or procedures. Training needs to address how staff can implement security in their day-to-day
procedures.
3. Ongoing review: The awareness programme’s content should be revisited and revised periodically. The effectiveness of the awareness programme on the
intended participants should be reviewed regularly. Any appropriate changes to the original security policy should be reflected in the corresponding information security awareness training programmes.”
Yes, these are all very critical, but too few organizations do them! Too many assign awareness and training to any employee that has some extra time to do it…typically with no training or understanding of how to do awareness and training. As a result awareness activities tend to be just putting a few messages out to employees to meet the minimum requirements, without any thought about how to truly modify employee work behavior to better protect data, systems and PII.
The three elements are definitely necessary to make your awareness and training program as effective as possible, and truly impact positive work habit changes.
I think a couple of very revealing findings are than only 12% of the organizations require mandatory classroom information security training, but yet classroom training was indicated to overwhelmingly be the most effective method for successfully communicating information security issues, changing work practices for the better, and measurably raising information security awareness.
There are many groups for which targeted information security training and awareness should occur, and often that training is most effective via classroom training. Such groups usually include:
* Call center staff
* Sales and marketing
* Physical security
* IT developers
* Information security staff
* etc.
There is also a large section on metrics. I’m writing an article about this now for the September CSI Alert, so I won’t go into detail about it here, but you can get some good ideas from the report.
So many issues are involved with making information security and privacy awareness and training effective. While this report focused on EU organizations, the concepts and issues are the same worldwide.
It’s worth saying again…
1. When you experience information security incidents and privacy breaches you lose customer trust.
2. When you lose customer truse you lose customers.
3. When you lose customers you lose revenues and could lose your business.
Employee awareness of information securityand privacy is an absolute necessity to ensure they perform their job responsibilities in the most secure way possible to prevent information security incidents and privacy breaches.
Information security and privacy awareness and training protects your business.
Tags: awareness and training, data protection law, ENISA, EU Data Protection Directive, European Union, Information Security, IT compliance, personally identifiable information, PII, policies and procedures, PricewaterhouseCoopers, privacy, privacy law, risk management