Security awareness is the knowledge and attitudes of members of a group that is tasked with the protection of the physical, and more important, informational assets of a specific organization. Many of these require formal security awareness training for all work when they join the organization, and periodically thereafter.
About history, we can say that it all starts in the Eighties. The use of the PC (personal computer) brgan to be common among companies. The need of a computer appeared to give a solution for the fear that many of the employers have with his storage data.
In the Nineties, more and more people got access to a computer and viruses became popular. Many kinds of these viruses like the worm virus set the start for awareness of the danger that can touch us and our information.
Nowadays enters the need to create awareness among employees for the constant improvement of those viruses.
Society is changing rapidly, and organizations increasingly interconnect to keep up with customer demands. The increased use of the Internet to conduct business, the transition from paper to digital media, the increased use of social networks, and the cloud are creating new security risks to organizations. The human element; the 8 layer of security, our employees; are in the middle of it and contribute to significant security risks. In fact, according to the most recent Information Security Breaches Survey by PricewaterhouseCoopers and Infosecurity Europe, 36% of the worst security breaches are caused by unintentional human errors. To combat these risks, which are further magnified with the increase in Advanced Persistent Threats, we need to create a security-conscious culture within our organizations; one where employees are subconsciously considering risks and threats in their daily routines. One security control to help mitigate this risk and to help build a security-conscious culture within our organizations is to implement a Security Awareness program.
Key Benefits of a Security Awareness Program
A Security Awareness program provides three key benefits to organizations. First and foremost, it helps us facilitate behavioral change to mitigate unnecessary risks to the organization. It helps us comply with laws and regulations. Lastly, it helps reduce unexpected and unnecessary costs. Employees are often not aware of an organization’s security policies and procedures, their own security roles and responsibilities and they are often not made aware of security risks, threats, or security best practices. This lack of knowledge causes unintentional risk to the organization.
This must be mitigated to ensure the long-term success and survival of the organization; and to ensure the confidentiality, integrity, and availability of the organization’s data and systems. This is the problem we are trying to solve by implementing a Security Awareness program; however, this is also where the second problem arises. Only slightly more than half of large organizations are implementing a continuous Security Awareness program and, more often than not, they are unsuccessful in their implementation. This result in a Security Awareness program that does not meet its goal and thus does not properly mitigates the risks.
Without a complete knowledge of the rules and sensitive topics about the organization may lead to troubles the nature of sensitive material and physical assets they may come in contact with such as trade secrets, privacy concerns, and government classified information. If we want to understand the importance of the awareness for an efficient enterprise we must talk about some important points:
Awareness: The purpose of this is to focus the attention on information security to make possible that the objective public recognize the threads of interest. Setting to start a variety of behaviors that we want improve, for example, keep your workspace clean, the correct way to set passwords, do some backup copies, using your email responsibly, etc.
Training: it focuses on producing skills and competitive manners about information security relevance and requirements with one goal to get more people interested and that they apply this advice.
Education: Integrates security skills and different specialties from different work areas, the need to the workers is very high, that will set the standard within the enterprise of excellence.
Factors that contribute to the problem:
There are many factors that contribute to the problem. First and foremost, organizations often fail to identify the need and therefore many Security Awareness programs are designed and implemented merely to comply with laws and regulations rather than to manage risks and reduce unexpected costs. Second, many Security Awareness programs do not have support from senior or executive leadership. Management often does not see the benefits and the Return on Investment (ROI) of a Security Awareness program. Much of this could be contributed to the lack of metrics. As many as 1/3 of organizations do not measure the effectiveness of their Security Awareness training. Would employees recognize an incident? Would they know what to do? Is it reducing unexpected costs? Is it reducing risks? Metrics is a critical component to a Security Awareness program and help to measure its success and to identify areas that need improvement. For the organization’s leadership metrics is used to justify the costs of the Security Awareness program and provides the basis for their support. Another contributor to the failure of Security Awareness programs is the failure to understand the audience. Organizations primarily fail to understand the audience in two ways.
First and foremost, the process of identifying internal groups and their unique Security Awareness needs is often not performed, so organizations are left with a program that caters to a generic audience with generic needs instead of uniquely tailoring the program to address the specifically identified risks and needs of the organization. Second, organizations often fail to understand how their identified audience learns. This relates to the fact that many Security Awareness programs are created and delivered by Information Security professionals who are not educators. We are relying on Information Security professionals to educate and change people’s high-risk behaviors and reinforce desired behaviors without having the necessary background as educators. This hardly seems fair. People have different cognitive skills where each person’s ability to learn and digest new information and knowledge differs from one another. People also prefer different learning styles. One person might prefer a spatial learning style where the use of images and other visual tools are used in the learning process while another might prefer an aural learning style where the information is delivered in spoken form or even a logical learning style where logic and reasoning is used in the learning process. Moreover, people have different mental models where we all have a different thought process and understanding of the relationship between our work, the tasks we do, the tools we use, risks, threats, and actions; and how all of these affect one another and how the audience prefers to learn; and, is often worsened by the use of oversaturated mediums to communicate the message.
At the beginning of a new job, there’s a cycle when the learning is continuous that leads to the spread of awareness and the creation of a culture of security awareness.
The organization must first and foremost develop its overall security strategy before we can start building its security culture.
This includes creating and implementing security policies, procedures, and guidelines that are aligned with industry best practices and that adhere to any pertinent laws and regulations. It is this overall strategy that in the end depicts our intended security culture and it will be the responsibility of the Security Awareness or Security Culture Program to help grow or foster that intended culture. A well-developed security strategy will have produced two documents that are key when it comes to security culture. These are the organization’s Information Security Plan and the Acceptable or Authorized Use Policy. The first outlines the organizations
The design, development, and implementation of a successful program requires the commitment and approbation of a supervisor who can see any flaw. The clear definition of a goal is very important if the company does not know what to achieve, the employees cannot believe in what they are doing.
By tackling the problem from all perspectives and by addressing the common causes that contribute to the problem we can ensure better success in creating, implementing, and maintaining a Security Awareness program that will contribute to building a security-conscious culture and ensure the continued long-term operations of the business or organization