In my last post, we examined why Information Security Awareness Training Programs (ISATPs) are important. We also looked at how to obtain management approval for program development and implementation resources. In this post, we take the first step in developing an ISATP—planning, as depicted in Figure 1.
Figure 1: Microsoft ISATP Lifecycle (ISATP white paper)
Make it a project
Before diving into the planning process, it's important to create a project, assign a project manager, and recognize a project champion. Creating a project includes defining business objectives and scope (what's included and what's not) in a signed document, which acts as a guide from planning to implementation to the effectiveness of ISATP outcomes.
Ideally, the project objectives track closely to those described in the business case presented to management to obtain approval and resource allocation. To ensure you are working toward the right goals, you might start by answering the following questions:
- What does information security mean within the context of the information processing environment I need to protect? How sensitive is the information stored, processed, and exchanged with outside entities? What regulatory constraints apply (e.g., HIPAA and SOX)?
- What is the company's security strategy?
- What are the company's security policies? How do they translate to practical, day-to-day activities?
- What are the company's critical business processes?
- How does security affect employees' day-to-day activities?
- How would a major security incident affect the health of the business?
Answering these questions helps focus the training on the ISATP message: a message unique to the combination of company culture, the industry in which the company operates, the regulatory climate, and the kinds of sensitive information processed or stored.
Although the project manager is responsible for coordinating project activities, it's the project champion who provides vision and management support for security awareness. According to Microsoft, the ISATP champion is "…typically the individual known to have ultimate authority and responsibility in regards to information security throughout the organization."
The project team must include all appropriate stakeholders, with representatives from every team that provides input into ISATP design. Figure 2, from NIST SP 800-50 (Building an Information Technology Security Awareness and Training Program), shows the potential sources of input into training content.
Figure 2: Inputs into ISATP Planning and Design
Drilling down into each category represented in Figure 2, use the following NIST-based guidelines to obtain the level of detail required to document and prioritize proposed awareness topics:
- Recent incidents - The assessment of recent security incidents (within the last one to two years) provides insight into weaknesses in employee knowledge of processes or security principles in general.
- Regulatory issues - The awareness program is a good tool for supplementing regulatory compliance training efforts.
- Employee concerns - Many employees are already aware of security fundamentals. They can be a good source of information about day-to-day problems related to information asset assurance.
- Management concerns - Management's perspective is usually more operational or strategic. More emphasis is placed on investor, vendor, customer, and employee welfare overall. Management's input helps to complete the picture illustrating internal concerns about security.
- Customer concerns - With today's rising rate of identity theft, there is a growing concern among consumers about how companies protect their information. Addressing customer concerns isn't just good business, it's the right thing to do.
- Investor concerns - The level of investor confidence in your organization's ability to protect sensitive information (intellectual property, financial information, PII, etc.) is directly related to your level of working capital. Be sure to view your company's level of protection from the investor perspective.
Specific internal sources for this information include:
- Executive management
- Information services
- All business units affected by or responsible for compliance
- Human resources
- HIPAA security officer
- Compliance officer
- Customer support/IT help desk
The free Microsoft ISATP kit training presentations, like the one for business users, are good baselines for identifying key messages.
Plan to measure
In addition to identifying training content, you should define measurable training goals and identify target audiences. Measurable training goals include:
- Changes in annual rates of occurrence for common security incidents
- Use of online quizzes or other tools to measure how much awareness-speak employees actually absorbed
- Use of tools like Phishme to test employee vulnerability to phishing and other common types of attack
Whether you track these or other metrics depends on your business goals. Just be sure to provide evidence that what you're doing is actually changing employee behavior. If it isn't, you need to take another look at your ISATP.
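As an added example (not code from the original post, Microsoft, or NIST), the following Python script computes the three kinds of evidence the section above calls for: annualized incident rates before and after training, phishing-simulation click rates by audience, and a list of findings where behavior has not changed and the ISATP deserves another look. The incident log, simulation results, training date, and the two 365-day measurement windows are all constructed sample data, and the record shapes are assumptions.

```python
"""Training-effectiveness metrics for an ISATP, from constructed sample data."""
from collections import Counter
from datetime import date

# Constructed sample incident log: (date, category). Assumed shape, not real data.
INCIDENTS = [
    (date(2011, 2, 3), "phishing"), (date(2011, 5, 9), "phishing"),
    (date(2011, 8, 14), "phishing"), (date(2011, 11, 20), "lost_device"),
    (date(2012, 1, 15), "password_sharing"),   # falls between the two windows
    (date(2012, 4, 2), "phishing"), (date(2012, 9, 30), "lost_device"),
    (date(2012, 12, 1), "lost_device"),
]
# Constructed phishing-simulation results: (audience, clicked_link).
PHISH_SIM = [
    ("business", True), ("business", False), ("business", False), ("business", True),
    ("manager", False), ("manager", False),
    ("it", False), ("it", True),
]
# Assumed equal-length windows (365 days each) before and after an assumed
# training date of 2012-03-01; a gap is left for the training rollout itself.
BEFORE = (date(2011, 1, 1), date(2012, 1, 1))
AFTER = (date(2012, 3, 1), date(2013, 3, 1))


def annualized_rates(incidents, window):
    """Incidents per year for each category within [start, end)."""
    start, end = window
    days = (end - start).days
    counts = Counter(cat for d, cat in incidents if start <= d < end)
    return {cat: n * 365.0 / days for cat, n in counts.items()}


def rate_comparison(incidents, before, after):
    """{category: (rate_before, rate_after)} for every category seen in either window."""
    rb, ra = annualized_rates(incidents, before), annualized_rates(incidents, after)
    return {cat: (rb.get(cat, 0.0), ra.get(cat, 0.0)) for cat in set(rb) | set(ra)}


def pct_change(before, after):
    """Percent change from before to after; None when there is no baseline."""
    if before == 0:
        return None
    return round((after - before) / before * 100, 1)


def click_rates(results):
    """Fraction of simulated phishing messages clicked, per audience."""
    sent, clicked = Counter(), Counter()
    for audience, did_click in results:
        sent[audience] += 1
        clicked[audience] += did_click
    return {a: clicked[a] / sent[a] for a in sent}


def needs_review(rates, clicks, click_threshold=0.2):
    """Findings suggesting the ISATP is not changing behavior: incident categories
    whose annualized rate did not fall, and audiences clicking above the threshold."""
    findings = []
    for cat, (b, a) in sorted(rates.items()):
        change = pct_change(b, a)
        if change is None or change >= 0:
            findings.append(f"{cat}: incident rate did not fall (before {b:.1f}/yr, after {a:.1f}/yr)")
    for audience, rate in sorted(clicks.items()):
        if rate > click_threshold:
            findings.append(f"{audience}: phishing click rate {rate:.0%} exceeds {click_threshold:.0%}")
    return findings


if __name__ == "__main__":
    rates = rate_comparison(INCIDENTS, BEFORE, AFTER)
    for cat, (b, a) in sorted(rates.items()):
        print(f"{cat:15s} before {b:.1f}/yr  after {a:.1f}/yr  change {pct_change(b, a)}%")
    for line in needs_review(rates, click_rates(PHISH_SIM)):
        print("REVIEW:", line)
```

Run against the sample data, phishing incidents fall from 3.0 to 1.0 per year, lost-device incidents double, and the business and IT audiences both click half of the simulated messages, so the script flags the lost-device topic and those two audiences for a second look. Using equal-length windows on either side of the training date keeps the before and after rates comparable; the 20% click threshold is an assumed target, not a figure from the post.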
Know your audience
As to audience considerations, what you say and how you say it changes when you move from a classroom of business users to one full of IT staff, and changes again when you walk into a room full of managers. For example, business user training should focus on how to safely perform daily tasks, including awareness of general acceptable use policies. Managers should understand not only acceptable use standards and guidelines but also all policies related to operational security and how those policies affect their decisions. You should also impress upon managers the importance of integrating security into all business processes. Finally, IT staff and management must understand all of the above and have a firm grasp of how technology build and production processes are affected.
The final word
Awareness training must be designed to meet your company's specific needs. This can only be accomplished with input from all areas of the organization with some stake in the process. Just as important as training on the right topics is measuring the actual effectiveness of your training program. Changing human behavior isn't easy. It might take one or more adjustments to your approach before employees "see the light."
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.