Security Awareness
Security awareness is the knowledge and attitudes of members of a group that is tasked with the protection of the physical, and more important, informational assets of a specific organization. Many of these require formal security awareness training for all work when they join the organization, and periodically thereafter.
About history, we can say that it all starts in the Eighties. The use of the PC (personal computer) brgan to be common among companies. The need of a computer appeared to give a solution for the fear that many of the employers have with his storage data.
See Infosec IQ in action
In the Nineties, more and more people got access to a computer and viruses became popular. Many kinds of these viruses like the worm virus set the start for awareness of the danger that can touch us and our information.
Nowadays enters the need to create awareness among employees for the constant improvement of those viruses.
Society is changing rapidly, and organizations increasingly interconnect to keep up with customer demands. The increased use of the Internet to conduct business, the transition from paper to digital media, the increased use of social networks, and the cloud are creating new security risks to organizations. The human element; the 8 layer of security, our employees; are in the middle of it and contribute to significant security risks. In fact, according to the most recent Information Security Breaches Survey by PricewaterhouseCoopers and Infosecurity Europe, 36% of the worst security breaches are caused by unintentional human errors. To combat these risks, which are further magnified with the increase in Advanced Persistent Threats, we need to create a security-conscious culture within our organizations; one where employees are subconsciously considering risks and threats in their daily routines. One security control to help mitigate this risk and to help build a security-conscious culture within our organizations is to implement a Security Awareness program.
Key Benefits of a Security Awareness Program
A Security Awareness program provides three key benefits to organizations. First and foremost, it helps us facilitate behavioral change to mitigate unnecessary risks to the organization. It helps us comply with laws and regulations. Lastly, it helps reduce unexpected and unnecessary costs. Employees are often not aware of an organization's security policies and procedures, their own security roles and responsibilities and they are often not made aware of security risks, threats, or security best practices. This lack of knowledge causes unintentional risk to the organization.
This must be mitigated to ensure the long-term success and survival of the organization; and to ensure the confidentiality, integrity, and availability of the organization's data and systems. This is the problem we are trying to solve by implementing a Security Awareness program; however, this is also where the second problem arises. Only slightly more than half of large organizations are implementing a continuous Security Awareness program and, more often than not, they are unsuccessful in their implementation. This result in a Security Awareness program that does not meet its goal and thus does not properly mitigates the risks.
Without a complete knowledge of the rules and sensitive topics about the organization may lead to troubles the nature of sensitive material and physical assets they may come in contact with such as trade secrets, privacy concerns, and government classified information. If we want to understand the importance of the awareness for an efficient enterprise we must talk about some important points:
Awareness: The purpose of this is to focus the attention on information security to make possible that the objective public recognize the threads of interest. Setting to start a variety of behaviors that we want improve, for example, keep your workspace clean, the correct way to set passwords, do some backup copies, using your email responsibly, etc.
Training: it focuses on producing skills and competitive manners about information security relevance and requirements with one goal to get more people interested and that they apply this advice.
Education: Integrates security skills and different specialties from different work areas, the need to the workers is very high, that will set the standard within the enterprise of excellence.
Factors that contribute to the problem:
There are many factors that contribute to the problem. First and foremost, organizations often fail to identify the need and therefore many Security Awareness programs are designed and implemented merely to comply with laws and regulations rather than to manage risks and reduce unexpected costs. Second, many Security Awareness programs do not have support from senior or executive leadership. Management often does not see the benefits and the Return on Investment (ROI) of a Security Awareness program. Much of this could be contributed to the lack of metrics. As many as 1/3 of organizations do not measure the effectiveness of their Security Awareness training. Would employees recognize an incident? Would they know what to do? Is it reducing unexpected costs? Is it reducing risks? Metrics is a critical component to a Security Awareness program and help to measure its success and to identify areas that need improvement. For the organization's leadership metrics is used to justify the costs of the Security Awareness program and provides the basis for their support. Another contributor to the failure of Security Awareness programs is the failure to understand the audience. Organizations primarily fail to understand the audience in two ways.
First and foremost, the process of identifying internal groups and their unique Security Awareness needs is often not performed, so organizations are left with a program that caters to a generic audience with generic needs instead of uniquely tailoring the program to address the specifically identified risks and needs of the organization. Second, organizations often fail to understand how their identified audience learns. This relates to the fact that many Security Awareness programs are created and delivered by Information Security professionals who are not educators. We are relying on Information Security professionals to educate and change people's high-risk behaviors and reinforce desired behaviors without having the necessary background as educators. This hardly seems fair. People have different cognitive skills where each person's ability to learn and digest new information and knowledge differs from one another. People also prefer different learning styles. One person might prefer a spatial learning style where the use of images and other visual tools are used in the learning process while another might prefer an aural learning style where the information is delivered in spoken form or even a logical learning style where logic and reasoning is used in the learning process. Moreover, people have different mental models where we all have a different thought process and understanding of the relationship between our work, the tasks we do, the tools we use, risks, threats, and actions; and how all of these affect one another and how the audience prefers to learn; and, is often worsened by the use of oversaturated mediums to communicate the message.
At the beginning of a new job, there's a cycle when the learning is continuous that leads to the spread of awareness and the creation of a culture of security awareness.
The organization must first and foremost develop its overall security strategy before we can start building its security culture.
This includes creating and implementing security policies, procedures, and guidelines that are aligned with industry best practices and that adhere to any pertinent laws and regulations. It is this overall strategy that in the end depicts our intended security culture and it will be the responsibility of the Security Awareness or Security Culture Program to help grow or foster that intended culture. A well-developed security strategy will have produced two documents that are key when it comes to security culture. These are the organization's Information Security Plan and the Acceptable or Authorized Use Policy. The first outlines the organizations
[download]Download the BEST PRACTICES FOR DEVELOPING AN ENGAGING SECURITY AWARENESS PROGRAM whitepaper[/download]
The design, development, and implementation of a successful program requires the commitment and approbation of a supervisor who can see any flaw. The clear definition of a goal is very important if the company does not know what to achieve, the employees cannot believe in what they are doing.
By tackling the problem from all perspectives and by addressing the common causes that contribute to the problem we can ensure better success in creating, implementing, and maintaining a Security Awareness program that will contribute to building a security-conscious culture and ensure the continued long-term operations of the business or organization
References
http://www.mannerud.org/security-awareness/the-security-awareness-cycle/
http://www.mannerud.org/2014/09/27/creating-a-security-culture/
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
https://www.timetoast.com/timelines/historia-de-la-seguridad-informatica--2
In this Series
- Security Awareness
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness