Security and your Staff “ Information Assurance Training: An Essential Part of an Effective Security Strategy” March 22, 2005 Pamela Halpern Easy i, Inc.

“Common sense is not so common.” - Voltaire

The Human Element of Information Security Training

“The best security awareness will provide the right messages to the right people at the right time, provide the tools to all to practice what has been learned and provide a mechanism to measure progress.” -- Gary Sheehan, Information Security Project Leader

A survey of office workers at Liverpool Street Station found that 71% were willing to part with their password for a chocolate bar. -- Infosecurity Europe 2004

“This survey proves people are still not as aware as they could be about information security; this often comes down to poor training and procedures. Employers should make sure that their employees are aware of information security policies and that they are kept up-to-date.” -- Claire Sellick, Event Director for Infosecurity Europe 2004

This Session
 The key challenges to getting employee buy-in
 Getting started: some common misconceptions
 Issues to consider
 Key principles for making IS training truly effective

The Key Challenges
 Systems alone are not enough
 Overcoming complacency
 Different target audiences
 Delivering the program
 Ongoing program
 Cost-effective
 Measuring the results
 Demonstrating compliance

Developing training solutions - a double challenge. Meeting the needs of:
 The general audience
 Management

Bringing about meaningful behavioral change: from information to understanding

Enterprise Security Cycle:
Awareness (I know it exists)
Understanding (I know what it is)
Value (I know why it is worthwhile)
Ownership (I like it)
Commitment (I’ll do it)
Communication (I’ll promote it)
Development (I’ll help enhance it)

 What is it?
 Why is it important?
 How does it apply to me?

How do you get started?

Common misconceptions about IS training - these are the “no-no’s”!
 Just publishing IS policies and procedures is NOT the solution
 The IS Officer should NOT be responsible for ALL of the planning, development and implementation of an awareness program
 Annual or one-off training will NOT work

Strategic planning
 Who gets the training, and how many?
 What training they get
 Where the training takes place
 When the training takes place
 How the training is delivered
 Over the short, medium and long term
 Aligned with corporate goals and objectives
 Clear business case for all elements

Training Needs Analysis (TNA) and Scoping

What should be done?
 Understand the context for training
 Assess current levels of awareness
 Analyze the needs of the target audience – key groups
 Define objectives for training
 Define measures of success
 Define requirements: content; delivery (technical & operational for each group); management reporting

Who does it?
Your project team, other agreed key personnel and in-house SMEs, in consultation with: Security Officers, Marketing/PR, IT Support, the Compliance Officer and business unit stakeholders

What is the deliverable?
A written report on the needs and scope of the project

TNA - Key factors to be considered (critical factors for success)
 Needs of technical vs. non-technical audience groups
 Generic, customized or “created from scratch” content
 Appropriate media and delivery channels
 Cultural factors
 Languages
 Time scales
 Support requirements

TNA - Learning Technologies Audit
 Current infrastructures
 Desktop / bandwidth issues
 Existing Learning Management System (LMS)?
 Learning standards? (AICC/SCORM*)
 Section 508 compliance?
* SCORM: Shareable Content Object Reference Model
* AICC: Aviation Industry CBT Committee

Creating the Team (your roles, tasks and commitment)

Project Manager
 Tasks: develops the overall approach to the program; manages the relationship with various groups; key contact for ongoing program management
 Commitment: involved in defining requirements and establishing working procedures in the early stages of the project; involved in monitoring progress and coordinating your input on an ongoing basis

Technical / Systems expert
 Tasks: input with technical experts re systems requirements and installation
 Commitment: supplies details of your technical requirements at the outset of the project and is available to provide support and assistance during installation; no ongoing requirement for this role unless significant changes are made to the configuration of your IT systems

Subject Matter Experts & Business Representatives
 Tasks: review and approve content
 Commitment: involved in defining content requirements and reviewing customized content in the early stages of the project; can also be involved in QA

Planning and Implementation Process
Needs Analysis → Planning → Design → Development → Implementation → Evaluation

Critical factors for success - project planning
 Develop an overall communications plan; e-learning is just one component
 Communicate with and gain buy-in from senior management
 Plan beyond initial training
 Include technology and integration requirements
 Clearly defined roles and responsibilities
 Agreed realistic timescales and clear milestones
 Regular reporting and reviews

Developing the “right” solution

What is best? This depends on you!
 What objectives have you set?
 What is the size of your organization?
 What resources do you have?
 What budget do you have?
 Can you get management buy-in?
Think of it as “a marketing campaign”.

An Awareness Campaign
 Core training
 Refresher training/awareness
 Ongoing awareness/internal marketing

 Brand and value led
 Interactive and context led
 Engaging and innovative
 Tailored to customer needs

Refresher Training - Posters

Refresher Training - Awareness materials
 Interactive s
 Newsletters

Newsletters – vary the format of the message

Web Portals - Ongoing Awareness: Information Security Portal
A system for gathering, organizing and communicating information and knowledge that is:
 User-friendly
 Intuitive
 Flexible
What should this mean in practice?

Feedback and Measurement is Crucial

Feedback and Measurement
Feedback and measurement are ESSENTIAL! Delivering awareness solutions via the intranet presents many options. These generally fit into two key categories:
1. Audit/tracking system
2. Learning Management System

Feedback and Measurement - 1. Audit/tracking system
 Built into the main training program
 Provides information on the progress and performance of each user
 May allow you to export information into other applications
 Generally provided free with the program purchased

Feedback and Measurement - 2. Learning Management System
 Provides the infrastructure needed to track, record, schedule and deliver corporate-wide learning
 Many different kinds of LMS, offering different types of functionality
 Allows you to manage the variety of training programs/resources available from one central point, including online learning, classroom training, registration, instructor availability, etc.
 Can be very expensive! (may be included with courseware if it’s from the same provider)

Feedback and Measurement - how do you choose what’s right for your campaign?
 Assess how feedback and measurement is currently undertaken for training in other business units – perhaps an LMS is already in place?
 What requirements do you and your organization have – now and in the future?
 Size of organization
 Budget
 AICC/SCORM compliance

Learning Management System
The medieval rule of parsimony, or principle of economy, frequently used by Occam came to be known as Occam’s Razor. The rule states that plurality should not be assumed without necessity or, in modern English, keep it simple, stupid.

Nine Key Principles for effective IS training

Principle #1 Clarity of Ownership with Executive Buy-In  Clear and unequivocal ownership  Accommodates goals of all business lines  Avoids gaps between words and actions

Principle #2 Integrated Compliance  It’s hard to do compliance of any kind department by department  An integrated approach yields consistent, cost effective and comprehensive results

Principle #3 Less is always more  It’s about understanding, not just information  We can’t all be experts  Reference materials can be made available, as needed  Retention AND commitment plummet after 60 minutes

Principle #4 Value vs. Cost  Costs relate to scale  The real measure is the effectiveness of the outcome, not the cost per head  Security breaches are much more expensive!

Principle #5 The Right Combination of Spirit and Structure  Keep it light, humorous  But also reinforce personal responsibility and the corporate commitment to getting it right

Principle #6 Relevant Context Setting  Relevant, appropriate, realistic  Actual examples from archives or recent situations are best  The goal is understanding how it fits into their daily routines

Principle #7 Consistency  Messages should be consistent  Training and awareness should be delivered so that it fits within the organization’s culture

Principle #8 Technology Should Enable  And no more!  Be careful of adding too many bells and whistles  It’s better to avoid the possibility of technical glitches  The content is the key

Principle #9 Project Management  It’s the key ingredient  Get everyone on board with the plan  Allow time for testing, feedback and fine-tuning

Information Security Assurance Getting the message through

Questions? Pamela Halpern Easy i