We spend hours discussing security with other security professionals, the old "preaching to the choir." The people who really need a good dose of security awareness, our business and IT users, are often left out of the conversation. Too many times, security policy is reinforced—or possibly made known for the first time—in a security incident report. Not a very proactive approach.
Getting the message to the internal user population, the individuals statistically responsible for over 70 percent of all security incidents, is the goal of a security awareness program. But getting management support, funding, and resources to plan and execute an education program to protect information assets is not always easy. Many of us have trouble understanding the process or knowing where to start. Well, there is hope.
While conducting research for an unrelated topic, I stumbled upon a page at the Microsoft Web site hosting an interesting download—Security Awareness Material. After a closer look, I was surprised by the completeness of the approach and materials provided to start a company security awareness program.
I'm an aggressive proponent of security awareness efforts. I wrote a paper about why they're important, which referenced the NIST process for planning. Yet, this is the first free, reasonably complete program I've found for getting started. It includes PowerPoint presentations, poster templates, and other material to help get the word out to the workforce. Microsoft's "getting started" kit is centered on a 26-page whitepaper.
In my next several posts, I'll dig into Microsoft's approach, augmenting materials in the kit with others available on the Web as well as lessons learned as I've worked to enhance awareness for my organization. At the end of this series, you should have everything you need to implement and manage an effective security awareness program in your organization.
This week, I concentrate on gaining management approval.
Getting management approval
Obtaining management approval for an Information Security Awareness Training Program (ISATP) is no different than getting it for any other project. It requires demonstrating why there is more value in using resources to teach people about security policy than directing that cash and people-effort toward familiar revenue-enhancing or cost-reducing projects. In other words, present a solid business value analysis.
Possible regulatory requirements are a good place to start. Microsoft provides a nice summary of where awareness training fits in various regulations, as shown in Figure 1.
Figure 1: Regulatory Requirements for Awareness Training
This will at least get management's attention. However, if you've been passing your audits, the appearance of compliance might be too strong, overcoming your argument that there is still more to do. Further, it's not a good idea to get management into the habit of believing that compliance equals security.
The next slide in your proposal presentation should address the potential business impact from users making honest mistakes. Figure 2, also from the Microsoft paper, does a good job of tracing user action through incidents to business impact. Every threat listed on the left is an attack against user awareness vulnerabilities, vulnerabilities that an effective ISATP mitigates.
Figure 2: Threats/Vulnerabilities Related to Awareness
And let's not forget our technical users. In addition to the potential for security incidents listed in Figure 2, members of the IT team possess an additional set of possible vulnerabilities. Figure 3 shows a good starting point for ISATP vulnerability reduction in the IS department.
Figure 3: IT Threats/Vulnerabilities Related to Awareness
The commonality running through all these threats and vulnerabilities is the difficulty in reducing probability of occurrence with technology only. Yes, there are methods to reactively detect and deal with mistakes. However, it's much more effective—and causes fewer gray hairs on the security manager's head—if users are mindful of the havoc certain actions can cause, understand the consequences, and avoid bad habits.
Of course, your proposal will have the most influence over budgeting decisions if you provide actual numbers for the business impact columns. Examples of security cost statistics include:
- Help desk ticket counts/cost.
- Annual rate of occurrence of each incident type. This is calculated by using the total number of incidents over, for example, the last three years and dividing by three.
- Annual loss expectancy for each incident type. This requires having some idea of the impact each type of incident has on your business. If you don't have actual financial (quantitative) statistics, work with operations staff to collect and analyze qualitative impact. Annual loss expectancy is calculated by multiplying the cost per incident by the annual rate of occurrence. This is harder when using qualitative measures, but a little creativity—not to be mistaken for skewing the stats—should get you to the right place.
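The two calculations described above, annual rate of occurrence and annual loss expectancy, are easy to get wrong when the incident history mixes types with and without financial figures. The following is an added example, not from the article or the Microsoft kit, that groups a constructed incident log by type, derives ARO over the observation period, and computes ALE either from mean dollar cost or, where only qualitative ratings exist, from an assumed ordinal scale so that the two kinds of figures are never silently compared with each other. The incident records, the incident type names and the `QUALITATIVE_SCALE` values are all hypothetical.

```python
"""Annual rate of occurrence (ARO) and annual loss expectancy (ALE) per
incident type, computed from incident records collected over a period."""
from collections import defaultdict
from statistics import mean

# Constructed sample incident records (hypothetical; not from the article).
# "cost" is the estimated dollar loss when finance has a per-incident figure;
# "impact" is a qualitative rating from operations staff when it does not.
INCIDENTS = [
    {"date": "2010-02-11", "type": "phishing_credential_loss", "cost": 4200.0},
    {"date": "2010-07-30", "type": "phishing_credential_loss", "cost": 3800.0},
    {"date": "2011-01-19", "type": "phishing_credential_loss", "cost": 5000.0},
    {"date": "2011-09-02", "type": "phishing_credential_loss", "cost": 4000.0},
    {"date": "2012-04-14", "type": "phishing_credential_loss", "cost": 4500.0},
    {"date": "2012-11-28", "type": "phishing_credential_loss", "cost": 2500.0},
    {"date": "2010-05-06", "type": "lost_laptop", "cost": 1500.0},
    {"date": "2011-06-21", "type": "lost_laptop", "cost": 2500.0},
    {"date": "2012-08-09", "type": "lost_laptop", "cost": 2000.0},
    {"date": "2011-03-15", "type": "usb_malware", "impact": "medium"},
    {"date": "2012-10-03", "type": "usb_malware", "impact": "high"},
]
OBSERVATION_YEARS = 3  # the article's example: three years of history

# Assumed ordinal scale for qualitative impact; agree one with operations staff.
QUALITATIVE_SCALE = {"low": 1, "medium": 3, "high": 9}


def annual_rate_of_occurrence(incidents, years):
    """ARO per type: incidents of that type over the period, divided by years."""
    counts = defaultdict(int)
    for inc in incidents:
        counts[inc["type"]] += 1
    return {t: n / years for t, n in counts.items()}


def annual_loss_expectancy(incidents, years, scale=QUALITATIVE_SCALE):
    """ALE per type = cost per incident x ARO.

    Uses the mean dollar cost when every record of a type carries one
    (basis "quantitative"); uses the mean ordinal score when every record
    carries a qualitative rating instead (basis "qualitative", so the ALE
    is an exposure score, not dollars). A type with a mix of the two is
    rejected rather than averaged into a meaningless number."""
    by_type = defaultdict(list)
    for inc in incidents:
        by_type[inc["type"]].append(inc)
    aro = annual_rate_of_occurrence(incidents, years)
    result = {}
    for t, recs in by_type.items():
        if all("cost" in r for r in recs):
            per_incident = mean(r["cost"] for r in recs)
            basis = "quantitative"
        elif all("impact" in r for r in recs):
            per_incident = mean(scale[r["impact"]] for r in recs)
            basis = "qualitative"
        else:
            raise ValueError(f"{t}: mix of costed and rated records")
        result[t] = {
            "aro": aro[t],
            "per_incident": per_incident,
            "ale": per_incident * aro[t],
            "basis": basis,
        }
    return result


def ranked_for_proposal(incidents, years):
    """Incident types ordered for the proposal slide: dollar-based types
    first, each group sorted by ALE descending, so qualitative scores are
    never ranked directly against dollar figures."""
    ale = annual_loss_expectancy(incidents, years)
    return sorted(ale, key=lambda t: (ale[t]["basis"] != "quantitative",
                                      -ale[t]["ale"]))


if __name__ == "__main__":
    rows = annual_loss_expectancy(INCIDENTS, OBSERVATION_YEARS)
    for t in ranked_for_proposal(INCIDENTS, OBSERVATION_YEARS):
        r = rows[t]
        print(f"{t:26s} ARO={r['aro']:.2f} per-incident={r['per_incident']:.1f} "
              f"ALE={r['ale']:.1f} ({r['basis']})")
```

On the sample data, phishing incidents average $4,000 each at two per year (ALE $8,000), lost laptops $2,000 each at one per year (ALE $2,000), and USB malware has no dollar figure, so it is reported as a separate ordinal exposure score rather than being mixed into the dollar ranking.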
In the next installment in this series, we'll assume we obtained management approval and start walking through the ISATP planning process.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.