Budgeting for Security Awareness: Who - What - When - Where - Why - How much

December 10, 2015 by

Daniel Dimov

1. Introduction

The actions and/or inactions by members of an organization who lack security awareness can lead to various security incidents, such as providing sensitive information to phishers, installing malware, and so on. The reason is that humans are the weakest element of the information security environment. In their desire to help their coworkers, clients, vendors, they can often be misled by hackers to install malware or to submit sensitive information to criminals. For example, even the best anti-virus may not be helpful if an employee becomes a victim of a social engineering attack, i.e. an attack conducted by deceiving people into giving the access to their confidential information. A survey of the recent breaches reveals that a large majority of data breaches are caused by exploiting humans.

The purpose of this article is to examine six aspects of budgeting a security awareness program, namely: the person(s) who will be responsible for the implementation of the program (Section 2); the activities included in the program (Section 3); the timeframe of the program (Section 4); the place of implementation of the program (Section 5); the goals of the program (Section 6); and the budget of the program (Section 7). Finally, a conclusion is drawn (Section 8).

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Demo Now

2. Person(s) responsible for the implementation of the program

When budgeting a security awareness program, an organization needs to decide on whether to assembly its security awareness team from its human resources or from external experts. Although the use of own human resources can be a cost-effective solution, the use of highly qualified external experts who specialize in development of security awareness programs may enable the organization to tailor its program specifically to the needs of the organization. This is because the identification of security vulnerabilities and other security weaknesses that need to be taken into account when developing a security awareness program requires a specific expertise. Such expertise may not always be available within organization's own information security experts.

However, the fact that one calls himself/herself a security awareness expert does not necessarily mean that he/she has the knowledge required for the development of a security awareness program. In order to mitigate the risk related to using an unqualified person, the management of the organization can require the potential providers of security awareness services to complete a thorough pre-selection test. The test can include practical questions about how to raise security awareness within the organization. It may be beneficial to include in the test questions requesting the candidate to specify whether he/she will use any innovative security awareness techniques, e.g., raising security awareness through data mining and predictive analytic techniques.

3. The activities included in the program

The activities included in a security awareness program can be grouped in three categories, namely, (1) general security awareness activities, (2) intermediate security awareness activities, and (3) in-depth security awareness activities. The general security awareness activities cover the entire organization. For instance, general security awareness activities involve training all personnel of the organization on how to avoid the installation of malware on organization's computers. The general security awareness activities need to be entertaining in order to allow people who do not work within the field of information security to pay attention to highly technical discussions. As Susan Hansche, a training expert, points out, good security awareness programs should be "entertaining, holding the users' interest and humorous where appropriate in order to make slogans easy to remember."

The intermediate security awareness activities cover the management staff of the organization. Such activities may include, for example, management of information security incident response procedures. The lack of security awareness by the management of an organization can have a strong adverse effect on an organization because the employees will probably mirror the insecure actions and inactions of the management. For example, if an organization adopts an information security policy stating that all employees must use strong passwords, but the management of that organization uses a password "123456" or "qwerty", the employees may underestimate the importance of the strong passwords and use weak passwords as well.

The in-depth security awareness activities cover information security experts and other persons who are directly responsible for the information security of the organization. The in-depth security awareness activities may include training on how to identify and eliminate information security vulnerabilities.

The budget devoted to a security awareness program should reflect the fact that the general security awareness activities aim to prevent low-risk incidents, the intermediate security awareness activities aim at preventing incidents posing an intermediate risk, and the in-depth security awareness activities aim to prevent high-risk incidents.

4. The timeframe of the program

The budget devoted to a security awareness program will depend on the timeframe of the program. Depending on their timeframe, security awareness programs can be divided into two categories, namely, (1) short-term security awareness programs and (2) long-term security awareness programs. The short-term security awareness programs can be used to raise security awareness regarding particular issues, e.g., the appearance of a new malware or a recent phishing attack against the organization. The long-term security awareness programs aim to raise security awareness regarding principal information security threats. The balanced distribution of organization's budget amongst short-term security awareness programs and long-term security awareness programs will ensure that the organization is aware of principal and specific information security threats.

5. The place of implementation of the program

There is much discussion on whether a security awareness program should require physical attendance of specific courses and meetings. In general, online security awareness programs are less expensive than security awareness programs requiring physical attendance. However, the importance of meetings in person should not be underestimated. Such meetings may enhance the social relations between the members of the organization and, therefore, increase their capacity to collaborate in case of an information security incident.

However, face-to-face communication has a drawback that needs to be considered before using it for raising security awareness. More particularly, face-to-face communication is not ideal for long or complicated messages. This is because the recipient can be distracted by the other people attending the meeting.

6. The goals of the program

When budgeting a security awareness programs, an organization needs to take into account the goals of the program. The budget of a security awareness program having a large number of goals should normally exceed the budget of a security awareness program having one or two goals.

Hence, before deciding on the exact budget of a security awareness program, the organization should create a list of the goals of the program. A sample list of goals of a security awareness program is provided below.

7. The budget of the program

The low budgets devoted to security awareness programs are the main reason for the implementation of weak security awareness programs. As Jody Westby, the chief executive officer of a cyber security consulting firm, states: "When you start looking at why [a] company had a weak security program, it usually comes down to allocation of resources".

[download]Download the BEST PRACTICES FOR DEVELOPING AN ENGAGING SECURITY AWARENESS PROGRAM whitepaper[/download]

Often, one of the reasons for devoting small budgets to security awareness programs is the underestimation of the consequences of a security breach. Companies wrongly think that a security breach can lead merely to a temporary disturbance of their informational infrastructure. However, a security breach can lead to a class-action lawsuit that can result in compensation for damages amounting to millions of U.S. dollars. For example, LifeLock Inc., an American identity theft protection company, set aside $116 million USD to cover costs of settling disputes regarding a number of issues raised by the Federal Trade Commission and a national class of consumers. The aforementioned issues include information security shortcomings.

Westby noted that, as a result of a judgment issued by the Seventh Circuit Court of Appeals related to a breach against Neiman Marcus, the approach of the U.S. courts regarding the award of damages for data breaches changed drastically. According to her, the previous approach of the courts towards the award of such damages was "you haven't suffered any damages, [so] we're not allowing it to go forward", whereas the current approach is "every time you have a breach, you could now have a class-action lawsuit".

Therefore, the budget devoted to a security awareness program should reflect the potential risks (including class action lawsuits) associated with a data breach caused by lack of security awareness. As Edmund Burke pointed out, "Better be despised for too anxious apprehensions, than ruined by too confident security".

8. Conclusion

This article investigated six important aspects of budgeting security awareness programs. In order to implement a successful security awareness program, the organization needs to prepare a budget plan that takes into account each of these aspects. As a result of a too low budget for security awareness programs, the organization may incur significant losses. However, a high budget for security awareness program is not a guarantee that the program will be successful. For example, an organization that invests millions in security awareness activities covering its information security officers, but not other employees, may not be better off than an organization that has a lower security awareness budget, but raises security awareness activities amongst all its employees.

The best way to find out whether a security awareness program has an adequate budget is to measure the effectiveness of the program. An ineffective program may require the allocation of additional financial resources or another distribution of the currently allocated financial resources. The metrics used to measure the success of a security awareness program may differ depending on the size and the type of the organization. For example, an organization may use the following metrics to assess the success of its security awareness program: (1) reduction of the successful phishing attacks; (2) reduction of the malware infections; (3) increase in the use of strong passwords.

Get six free posters

Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.

Download Now

References

1. 'Best Practices for Implementing a Security Awareness Program', PCI Data Security Standard (PCI DSS), October 2014. Available at https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf .
2. Bidgoli, H., 'Handbook of Information Security, Threats, Vulnerabilities, Prevention, Detection, and Management', John Wiley & Sons, 2006.
3. Canwell, D., Sutherland, J., 'BTEC First Business', Nelson Thornes, 2005.
   
4. Cohen, F., 'IT Security Governance Guidebook with Security Program Metrics on CD-ROM', CRC Press, 2006.
5. Gardner, B., Thomas, V., 'Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats', Elsevier, 2014.
6. Hash, J., Wilson, M., 'Building an Information Technology Security Awareness and Training Program', NIST Special Publication 800-50. Available at http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf .
7. Herold, R., 'Managing an Information Security and Privacy Awareness and Training Program, Second Edition', CRC Press, 2010.
8. IFPO, 'Security Supervision and Management: The Theory and Practice of Asset Protection', Butterworth-Heinemann, 2007.
9. Katz, D., 'Beware 'Starving' Cyber Risk Budgets, CFOs Warned', CFO.com, 16 October 2015. Available at http://ww2.cfo.com/data-security/2015/10/beware-starving-cyber-risk-budgets-cfos-warned/ .
10. Layton, T., 'Information Security Awareness', AuthorHouse, 2005.
11. Manish, G., 'Handbook of Research on Social and Organizational Liabilities in Information Security', IGI Global, 2008.
12. McGee, M., 'LifeLock Tentatively Settles with FTC', Data Breach Today, 29 October, 2015. Available at http://www.databreachtoday.com/lifelock-tentatively-settles-ftc-a-8641 .
13. Pournouri, S., Akhgar, B., 'Improving Cyber Situational Awareness Through Data Mining and Predictive Analytic Techniques', In: Global Security, Safety and Sustainability: Tomorrow's Challenges of Cyber Security: 10th International Conference, ICGS3 2015, London, UK, September 15-17, 2015. Proceedings.
14. Speed, T., 'Asset Protection through Security Awareness', CRC Press, 2012.
15. Whitman, M., 'Roadmap to Information Security: For IT and Infosec Managers', Cengage Learning, 13 May 2011.

Co-Author

Rasa Juzenaite works as a project manager in an IT legal consultancy firm in Belgium. She has a Master degree in cultural studies with a focus on digital humanities, social media, and digitization. She is interested in the cultural aspects of the current digital environment.