What are they?
Throughout my time in both the government and commercial sectors, security awareness has meant different things to different security professionals. I have heard (and, yes, been involved in) tedious arguments about the ‘important’ differences between security “awareness” and security “training”. To me this is just semantics: by awareness, I mean the need to make security understood. Moreover, since security often changes, this means awareness must be continuously updated.
This can best be achieved through both formal and informal programs.
The need to instruct staff about the security value of the information and assets they handle was a ‘nice to have’ just a decade ago. However, a number of factors have ballooned since then to make it, in effect, mandatory, including:
- Laws and regulations. Some of these explicitly require security awareness programs, e.g. in law, the GLBA Safeguards Rule  that affects corporations and HIPPA  which affects a wide range of medical service providers: in regulations, it is a requirement in PCI DSS  (parts of which have been adopted into some state laws).
- Increasing dependencies. To maintain production or services it is essential that a provider’s security requirements are communicated to and acted upon by each link in a supply chain. All complex machines rely upon small cogs to drive them, and a critical impact on just one of these may halt a production line. Similarly, the many small parts that make up modern supply chains can create complex maps that are challenging for end providers to keep under proper surveillance. Add to this the likelihood that some links will likely be located outside of the supplier’s own national boundaries, which could make legal redress difficult.
- Personal Technology. Nearly every associate now has personal access to computing powers that were available only to their employers only a decade ago. This gives them a capacity to hold very large amounts of privileged data – which they may not understand how to handle correctly – on personal devices and in cloud service accounts. The bad cyber hygiene of an associate will increasingly have a direct impact upon the legal owners of privileged data. Lack of security awareness can result in penalties and sanctions, not only on the person responsible for mishandling data, but also upon the organization to whom that person reports.
- Increasing threats. Naturally, more joined up technology means more may collaborate, for good and ill. Computer security has become an ‘arms race’, where hackers continually challenge our reliance on those technologies developed to stop them.
What should it look like?
As a minimum, regular awareness programs should embed legal and procedural requirements (which can of course change), a brief summary of sanctions for non-compliance and lastly (but perhaps most importantly) a contact point (preferably offering confidentiality) for queries. This is a basic chassis that should ensure its provisions can be applied contractually to any part of an organization and its supply chain. Upon this basic framework, there is plenty of room to add presentations and links to relevant news stories, training materials and instructional guides.
The first step in planning security awareness program is to gauge an understanding of the organization’s risk appetite and ensuring its procedures can keep in step with awareness materials and tutorials. This will help it to alter security messages, techniques and materials quickly, cheaply and easily whenever threats or organizational processes change. For example, if a company decides to outsource a process, or even to draw it back in, there should be a way to ensure all security-relevant changes are adapted quickly and effectively by all its associates.
Legislation or regulation may dictate the occurrence (though seldom if ever the method) of security awareness, but more important is the need for the effective notification to associates of security changes. For example, the adoption of new software, new customer requirements and the impact of a legal case should all be triggers for an awareness push outside of the usual time cycle.
The presentation of security awareness messages will vary as widely as the characteristics of organizations and their in-house styles. Awareness programs can always be ‘bought in’ from specialist providers but this can be expensive and possibly less flexible than intelligently applied in-house approaches.
Maintaining associates’ interest in the subject is always a challenge. To tackle this there has been a rise in the use of game-based approaches (many of them good) to get security messages across. This can certainly be effective, if not a very flexible way of instilling understanding by doing.  A variation is to offer small prizes in simple competitions, a kind of gaming that most associates can relate to.
Larger organizations i.e. those with correspondingly large data assets, high-stake reputations and diverse, geographically spaced associates, will have correspondingly high stakes in demonstrating that security awareness programs are in place. It will be necessary to assure both customers and clients that all associates are up to date with laws and relevant news stories that teach lessons learnt from security incidents. Ideally programs to do all this should be an integral part of an organization’s IT services planning, thus ensuring all relevant changes are considered as part of a service management lifecycle. Integration with service management frameworks such as ITIL (which defines a lifecycle for IT service management ) would support this, as would adoption of other established business frameworks such as COBIT.
Effectiveness of learning programs should be tested in ways that enable managers to judge their efficiency and to make continuous improvements. An advantage of adapting security awareness programs inside of regular service management frameworks is that legal or regulatory challenges may be addressed with the metrics and key performance indicators these established frameworks support. In any case, their effectiveness should be monitored and managed in ways that would convince a judicial authority that a reasonable standard of care is followed. This might be particularly valuable in cases where the liability for a security breach is being adjudicated.
Smaller organizations should not be intimidated by the use of the word ‘program’ to describe security awareness implementation. Less effort might be needed to comply with minimum legal and regulatory requirements, though not necessarily if you are subject to government standards: Uncle Sam may require more effort to be made – and demonstrated! Remember however, that being small is not necessarily a ‘get out of jail free’ card – those small cog suppliers within a supply chain can have a very big impact on the organizations they service.
How do we know it works?
Last but very importantly, the effectiveness of any security awareness program must be tested. This is a natural part of the plan, do, check, act cycle applicable to any managed service. If the program has any shortcomings, these should be corrected, applying the lessons of failure to create success.
 i.e. 45 CFR § 164.530 – Administrative Requirements (b) (1)
 i.e. 16 CFR § 314.4 – Elements (b) (1)
 i.e. Requirement 12.6: Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
 From a Chinese proverb: “I hear and I forget. I see and I remember. I do and I understand.”
 ITIL – from the original ‘IT Infrastructure Library’, defines five stages of service management: i.e.: strategy, design, transition, operation and continual improvement