The Human Firewall Creating a security aware workforce APPLIED INFORMATION SERVICES Andrew Breakwell Business Development Director Compliance Division

2 Agenda  Establishing the Need  Common pitfalls  Planning  Delivery  Evaluation and Metrics

3 Corporate overview  Governance, Risk and Compliance (GRC) specialists for more than 16 years  Focus on improving staff awareness, knowledge and understanding  Providers of:  Information newsfeeds and alerts  Learning content and services  Risk management and auditing systems  Part of SAI Global, ASX quoted, c950 employees  Offices in Europe, North America and Australasia  Global client base – specialists in large scale, international deployments  4,000,000+ end users, resources in 20+ languages

4 Establishing the Need “Most security breaches occur at ground floor level, through employees making errors or inadvertently revealing information. It is ironic therefore that so many organizations do not have a comprehensive awareness program in place... perhaps missing the obvious and focusing upon the rather more stimulating high-tech threat instead.” ISO News

5 Establishing the Need Deloitte 2007 Global Security Survey ‘79 percent of participants cite the human factor as the root cause of information security failures’ CSI Computer Crime and Security Survey 2007 ‘The average annual loss reported in this year’s survey shot up to $350,424 from $168,000 the previous year’ ENISA: IS Awareness Initiatives – Current practice and the measurements of success 2007 ‘… information security is seen as a high or very high priority in four fifths of respondents.’ ‘War stories’

6 Common pitfalls  Lack of senior management support  Adopting a ‘one size fits all’ approach – mismatch between content and target audience  Not connecting the program to a Needs Assessment  Objectives and outcomes poorly defined  Training ‘fatigue’  Poor communication and planning  Developing a limited program based on specific budget target (not the one you want)  Lack of in-house expertise – not involving other experts  Assuming it’s a one-time initiative – not an ongoing process  Lack of evaluation and measurement  BORING…! Lack of engaging and relevant content

7 Planning  Needs assessment

8 Planning Needs Assessment  WHO gets the training  WHAT training they get  HOW the training is delivered  WHERE the training takes place  WHEN the training takes place  Over the short, medium and long term  Aligned with corporate goals and objectives  Clear business case for all elements  Clearly defined measurement criteria - benchmarking

9 Planning  Needs assessment  Identify audience – not a ‘one size fits all’ approach

10 Planning Identify audience  Full time/Part time?  New hires, trainees?  Senior management or management-role?  Specific departments or job ‘families’ (e.g. HR, IT, Security)?  Based on job or role (e.g. employees handling large amounts of data, remote workers)?  Specific technology users (e.g. employees with laptops)?  Specific location (e.g. country or region, manufacturing site, branch offices)?  PLUS customers, suppliers?

11 Planning  Needs assessment  Identify audience – not a ‘one size fits all’ approach  Set objectives and timescales  Collaborate  Communicate and market  What’s available?  Establish the team – identify project owner  Identify resource and budget needs  Express funding needs  Assign a Program Manager

12 Delivery Develop course content  Core training  Senior management training

13 Delivery Core training – to include content for senior managers  E-learning for IT users  Reduced delivery costs  Reduced training time  Flexibility and convenience  Engaging and interactive  Self-paced and non-threatening  Consistent content and delivery  Ease of updating  Accurate measurement and control  Tailored content – ‘off-the-shelf’ or bespoke  Workshops  PowerPoints  Handouts  Trainers Notes  ‘Train the Trainer’ sessions

14 Delivery E-learning – engaging content

15 Delivery Develop course content  Core training  Senior management training  New starter training  Refresher training  Specialist training  Assessment testing

16 Delivery Assessment testing

17 Delivery Develop course content  Core training  Senior management training  New starter training  Refresher training  Specialist training  Assessment testing  Ongoing awareness activity

18 Delivery Ongoing awareness activity Interactive s Marketing materials Posters Newsletters Cartoons Giveaways Video ‘Moments’

19 Delivery  Develop course content  Confirm technology requirements and test  Establish tracking and reporting criteria  Plan and communicate implementation timetable  Schedule launch and pre-launch activity  Ensure clear ownership of project  Analyse effectiveness of training using metrics

20 Evaluation and metrics  Benchmarking prior to training  Completion rates (against previous training?)  Total target audience  By sector  By job role  Three further levels  Reaction level – measuring ‘attitudes’ i.e. through evaluation questionnaires, structured interviews etc  Immediate level – measuring users’ ‘knowledge’ i.e. through pre- and post-training assessment tests  Functional level – measuring ‘behavioural’ change i.e. through observation of business processes and indicators, i.e. helpdesk calls, security breaches and incidents  Return on investment

The Human Firewall Creating a security aware workforce APPLIED INFORMATION SERVICES Andrew Breakwell Business Development Director Compliance Division