The Human Firewall: Creating a security-aware workforce
APPLIED INFORMATION SERVICES
Andrew Breakwell, Business Development Director
Compliance Division
Corporate overview
Governance, Risk and Compliance (GRC) specialists for more than 16 years
Focus on improving staff awareness, knowledge and understanding
Providers of: Information newsfeeds and alerts
Learning content and services
Risk management and auditing systems
Part of SAI Global, ASX-listed, approximately 950 employees
Offices in Europe, North America and Australasia
Global client base – specialists in large scale, international deployments
4,000,000+ end users, resources in 20+ languages
Establishing the Need
“Most security breaches occur at ground floor level, through employees making errors or inadvertently revealing information. It is ironic therefore that so many organizations do not have a comprehensive awareness program in place... perhaps missing the obvious and focusing upon the rather more stimulating high-tech threat instead.”
ISO 17799 News
Establishing the Need
Deloitte 2007 Global Security Survey: ‘79 percent of participants cite the human factor as the root cause of information security failures’
CSI Computer Crime and Security Survey 2007: ‘The average annual loss reported in this year’s survey shot up to $350,424 from $168,000 the previous year’
ENISA: IS Awareness Initiatives – Current practice and the measurements of success 2007: ‘… information security is seen as a high or very high priority in four fifths of respondents.’
‘War stories’
Common pitfalls
Lack of senior management support
Adopting a ‘one size fits all’ approach – mismatch between content and target audience
Not connecting the program to a Needs Assessment
Objectives and outcomes poorly defined
Training ‘fatigue’
Poor communication and planning
Developing a limited program sized to a specific budget target rather than to the program actually needed
Lack of in-house expertise – not involving other experts
Assuming it’s a one-time initiative – not an ongoing process
Lack of evaluation and measurement
Boring! Lack of engaging and relevant content
Planning
Needs Assessment
WHO gets the training
WHAT training they get
HOW the training is delivered
WHERE the training takes place
WHEN the training takes place
Over the short, medium and long term
Aligned with corporate goals and objectives
Clear business case for all elements
Clearly defined measurement criteria - benchmarking
Planning
Identify audience
Full time/Part time?
New hires, trainees?
Senior management or management-role?
Specific departments or job ‘families’ (e.g. HR, IT, Security)?
Based on job or role (e.g. employees handling large amounts of data, remote workers)?
Specific technology users (e.g. employees with laptops)?
Specific location (e.g. country or region, manufacturing site, branch offices)?
PLUS customers, suppliers?
Planning
Needs assessment
Identify audience – not a ‘one size fits all’ approach
Set objectives and timescales
Collaborate
Communicate and market
What’s available?
Establish the team – identify project owner
Identify resource and budget needs
Express funding needs
Assign a Program Manager
Delivery
Core training – to include content for senior managers
E-learning for IT users
Reduced delivery costs
Reduced training time
Flexibility and convenience
Engaging and interactive
Self-paced and non-threatening
Consistent content and delivery
Ease of updating
Accurate measurement and control
Tailored content – ‘off-the-shelf’ or bespoke
Workshops
PowerPoints
Handouts
Trainers’ notes
‘Train the Trainer’ sessions
Delivery
Develop course content
Core training
Senior management training
New starter training
Refresher training
Specialist training
Assessment testing
Ongoing awareness activity
Delivery
Ongoing awareness activity
Interactive e-mails
Marketing materials
Posters Newsletters
Cartoons
Giveaways
Video ‘Moments’
Delivery
Develop course content
Confirm technology requirements and test
Establish tracking and reporting criteria
Plan and communicate implementation timetable
Schedule launch and pre-launch activity
Ensure clear ownership of project
Analyse effectiveness of training using metrics
Evaluation and metrics
Benchmarking prior to training
Completion rates (against previous training?)
Total target audience
By sector
By job role
Three further levels:
Reaction level – measuring ‘attitudes’, e.g. through evaluation questionnaires, structured interviews etc.
Immediate level – measuring users’ ‘knowledge’, e.g. through pre- and post-training assessment tests
Functional level – measuring ‘behavioural’ change, e.g. through observation of business processes and indicators such as helpdesk calls, security breaches and incidents
Return on investment