Two survey reports into information security awareness and training practices offer insights into the state of the art.
The first report from the European Network and Information Security Agency ENISA is Information security awareness initiatives: current practice and the measurement of success.
Although the survey and case studies are European in origin, I'm sure the general discussion and ideas on the thorny issue of measuring information security awareness programs, and in fact measuring information security as a whole, are broadly applicable. Three-quarters of the Europeans surveyed said they have to do security awareness as a compliance requirement. I didn’t realize it was such a high proportion.
References in the report to the lack of consensus and evolving good practices indicate the variety of awareness and metrics techniques in use. I was interested to see markedly different opinions on the value of CBT (Computer Based Training) or posters, for examples, and ambiguity throughout the report about "training" vs "awareness" (NIST SP800-50 speaks to the difference, as does the NASCIO report noted below). I heartily agree with the implication that security awareness should be a rolling year-long event, continually updated to reflect current issues, rather than a sporadic/once-a-year training course (the dreaded 'sheep dip'!) or, even worse, the once-a-career induction course, no matter how effective is classroom-based training.
The awareness topic list on page 5 of the report seems 'about right' to me although there are many other topics perhaps worth covering (e.g. software development, database security, privacy ...) if you are creative about it, which also helps keep the program fresh and interesting. All in all, it's 20 pages well worth reading.
The second report from NASCIO (an organization representing chief information officers, information technology executives and managers from US state governments) is IT Security Awareness and Training: Changing the Culture of State Government. The authors promote security awareness as a preventive control that can help to avert major crises caused by serious information security incidents.
"Since a holistic approach to security revolves around people, cultural change is needed to truly ensure that employees and contractors understand their IT security responsibilities and take them seriously."The report promotes the value of continuous, long-term, broad-based security awareness activities in addition to more narrowly focused and spasmodic training activities.
"Continuous and ongoing awareness and training activities for state employees (and contractors) could help prevent a major state crisis ... Cultural change to the fabric of the state government workforce is needed to make IT security and the ethical use of state IT resources as ubiquitous as technology. Since that cultural change involves changing the way that state employees perceive IT security, consistency and patience are necessary ingredients. Isolated presentations or training sessions, while a good start, will not lead to the creation of a long-term culture of IT security. After all, state employees, like everyone else, have many plates to juggle and may not retain the entirety of the aweareness and training content to which they hjave been exposed, expecially upon the passage of months or years. Hence, regularized and constant reminders in mand forms are needed the enact this cultural shift ... Consistency is a key factor. One isolated presentation does not make for adequate awareness. Presentations on a more frequent basis can help to keep IT security at the forefront of government officials' agendas so that executive and legislative support does not wane over the long term."Absolutely! This is probably the key reason that old-fashioned "security awareness" programs (usually consisting of sporadic and uncoordinated security training sessions in fact) do not achieve the instant results that are anticipated. People who naively expect security awareness to turn things around within a few weeks or months are missing the point: genuine cultural change takes continuous gentle pressure in the right direction over years not weeks.
"Innovative approaches may serve to spark IT security awareness in the minds of many state employees. By starting with a marketing campaign of sorts for IT security, a state can start to build a culture of IT security vigilance."Again, I agree wholehartedly. With the marketer's hat on, NoticeBored's security awareness posters (for example) are efffectively 'advertizing' information security as a whole, with a touch of humor and a little information on the monthly awareness topics for good measure. A distinctive logo on all the materials helps bind them into a whole, while the underlying messages in all the materials reinforce the fundamental core values in information security such as: confidentiality, integrity and availability; risk and control; and prevention, detection and correction. This is quite clearly a branding technique. [By the way, that idea suggests to me a novel way of measuring the effectiveness of security awareness programs, namely using the same techniques that marketers use to assess the effectiveness of advertising programs. Surveys might for example assess the recall of key program images, sayings and messages by representatives of the target audiences, and measure the retention of information security concepts compared to 'competing' awareness initiatives such as health-and-safety or legal compliance.]
As you read the report, do check out the sidebars with numerous examples of security awareness activities from several states. Many of them have a public outreach element with security awareness activities targeted beyond satte employees.
The NASCIO report quotes Insider Security Threats: State CIOs Take Action Now! published earlier this year from which the graph above is taken. The obvious increase in incidents on the graph presumably reflects better incident reporting processes (otherwise there seems to have been a severe lapse of security since 2005) but the proportion of insider vs external hacker attacks is interesting. Insiders, of course, have ready access to the information required to do their jobs and often much wider access to information due to the practical problems of trying to enforce 'need to know' outside of a military context. When insiders go bad, therefore, they can cause a lot of damage without triggering the intruder alerts that (some) hackers trip. Other insiders are often best placed to identify and report internal security incidents, provided they are aware of their responsibilities and know what to look out for - in other words, security awareness is a very important element of control against the insider threat.
The report also touches on the difficulties of getting executive support for security awareness and offers some practical tips, essentially starting with specific high-level security awareness activities targeting the very executives who should understand and fund awareness.
Go ahead: print out both reports, sit yourself down somewhere quiet with a cup of coffee, red-pen them and cogitate. There are good ideas and complementary approaches in both of them. I certainly came away with a number of interesting thoughts and quotations that will appear on the NoticeBored site and our awareness materials in due course.