Slide 1
Security and your Staff
"Information Assurance Training: An Essential Part of an Effective Security Strategy"
March 22, 2005
Pamela Halpern, Easy i, Inc.
Slide 2
"Common sense is not so common." - Voltaire (1694-1778)
Slide 3
The Human Element of Information Security Training

"The best security awareness will provide the right messages to the right people at the right time, provide the tools to all to practice what has been learned and provide a mechanism to measure progress." -- Gary Sheehan, Information Security Project Leader

A survey of office workers at Liverpool Street Station found that 71% were willing to part with their password for a chocolate bar. -- Infosecurity Europe 2004

"This survey proves people are still not as aware as they could be about information security; this often comes down to poor training and procedures. Employers should make sure that their employees are aware of information security policies and that they are kept up-to-date." -- Claire Sellick, Event Director for Infosecurity Europe 2004
Slide 4
This Session
The key challenges to getting employee buy-in
Getting started: some common misconceptions
Issues to consider
Key principles for making IS training truly effective
Slide 5
The Key Challenges
Systems alone are not enough
Overcoming complacency
Different target audiences
Delivering the program
Ongoing program
Cost-effective
Measuring the results
Demonstrating compliance
Slide 6
Developing training solutions - a double challenge
Meeting the needs of:
The general audience
Management
Slide 7
Bringing about meaningful behavioral change: from information to understanding

The Enterprise Security Cycle:
Awareness (I know it exists)
Understanding (I know what it is)
Value (I know why it is worthwhile)
Ownership (I like it)
Commitment (I'll do it)
Communication (I'll promote it)
Development (I'll help enhance it)

The questions each stage answers: What is it? Why is it important? How does it apply to me?
Slide 8
How do you get started?
Slide 9
Common misconceptions about IS training
These are the "no-no's"!
Just publishing IS policies and procedures is NOT the solution
The IS Officer should NOT be responsible for ALL of the planning, development and implementation of an awareness program
Annual or one-off training will NOT work
Slide 10
Strategic planning
Who gets the training and how many?
What training they get
Where the training takes place
When the training takes place
How the training is delivered
Over the short, medium and long term
Aligned with corporate goals and objectives
Clear business case for all elements
Slide 11
Training Needs Analysis (TNA) and Scoping

What should be done?
Understand the context for training
Assess current levels of awareness
Analyze the needs of the target audience - key groups
Define objectives for training
Define measures of success
Define requirements: content; delivery (technical and operational for each group); management reporting

Who does it?
Your project team
Other agreed key personnel
In-house SMEs
In consultation with: Security Officers, Marketing/PR, IT Support, Compliance officer, Business unit shareholders

What is the deliverable?
A written report on needs and scope of the project
Slide 12
TNA - Key factors to be considered
Needs of technical vs. non-technical audience groups
Generic, customized or "created from scratch" content
Appropriate media and delivery channels
Cultural factors
Languages
Time scales
Support requirements
Critical factors for success
Slide 13
TNA - Learning Technologies Audit
Current infrastructures
Desktop / bandwidth issues
Existing Learning Management System (LMS)?
Learning standards? (AICC/SCORM*)
Section 508 compliance?

* SCORM: Shareable Content Object Reference Model
* AICC: Aviation Industry CBT Committee
Slide 14
Creating the Team (your roles, tasks and commitment)

Subject Matter Experts & Business Representatives
Tasks: Review and approve content.
Commitment: Involved in defining content requirements and reviewing customized content in early stages of the project. Can also be involved in QA.

Technical / Systems expert
Tasks: Input with technical experts regarding systems requirements and installation.
Commitment: Supplies details of your technical requirements at the outset of the project and will be available to provide support and assistance during installation. No ongoing requirement for this role unless significant changes are made to the configuration of your IT systems.

Project Manager
Tasks: Develops the overall approach to the program; manages the relationship with various groups; key contact for ongoing program management.
Commitment: Involved in defining requirements and establishing working procedures in early stages of the project. Involved in monitoring progress and coordinating your input on an ongoing basis.
Slide 15
Planning and Implementation Process
Needs Analysis -> Planning -> Design -> Development -> Implementation -> Evaluation
Slide 16
Critical factors for success: project planning
Develop an overall communications plan; e-learning is just one component
Communicate with and gain buy-in from senior management
Plan beyond initial training
Include technology and integration requirements
Clearly defined roles and responsibilities
Agreed realistic timescales and clear milestones
Regular reporting and reviews
Slide 17
Developing the "right" solution
Slide 18
What is best? This depends on you!
What objectives have you set?
What is the size of your organization?
What resources do you have?
What budget do you have?
Can you get management buy-in?
Think of it as "a marketing campaign".
Slide 19
An Awareness Campaign
Core training
Refresher training/awareness
Ongoing awareness/internal marketing
Slide 20
Brand and value led
Interactive and context led
Engaging and innovative
Tailored to customer needs
Slide 21
Refresher Training: posters

Slide 22
Refresher Training: awareness materials
Interactive emails
Newsletters

Slide 23
Newsletters - vary the format of the message
Slide 24
Ongoing Awareness: Web Portals
An Information Security Portal. What should this mean in practice?
A system for gathering, organizing and communicating information and knowledge that is:
User-friendly
Intuitive
Flexible
Slide 25
Feedback and Measurement is Crucial
Slide 26
Feedback and Measurement
Feedback and measurement are ESSENTIAL!
Delivering awareness solutions via the intranet presents many options. These generally fit into two key categories:
1. Audit/tracking system
2. Learning Management System
Slide 27
Feedback and Measurement
1. Audit/tracking system
Built into the main training program
Provides information on the progress and performance of each user
May allow you to export information into other applications
Generally provided free with the program purchased
Slide 28
Feedback and Measurement
2. Learning Management System
Provides the infrastructure needed to track, record, schedule and deliver corporate-wide learning
Many different kinds of LMS, offering different types of functionality
Allows you to manage the variety of training programs/resources available from one central point, including online learning, classroom training, registration, instructor availability etc.
Can be very expensive! (May be included with courseware if it's from the same provider)
Slide 29
Feedback and Measurement
How do you choose what's right for your campaign?
Assess how feedback and measurement is currently undertaken for training in other business units; perhaps an LMS is already in place?
What requirements do you and your organization have, now and in the future?
Size of organization
Budget
AICC/SCORM compliant
Slide 30
Learning Management System
The medieval rule of parsimony, or principle of economy, frequently used by Occam came to be known as Occam's Razor. The rule states that plurality should not be assumed without necessity or, in modern English, keep it simple, stupid.
Slide 31
Nine Key Principles for effective IS training
Slide 32
Principle #1: Clarity of Ownership with Executive Buy-In
Clear and unequivocal ownership
Accommodates goals of all business lines
Avoids gaps between words and actions
Slide 33
Principle #2: Integrated Compliance
It's hard to do compliance of any kind department by department
An integrated approach yields consistent, cost-effective and comprehensive results
Slide 34
Principle #3: Less is always more
It's about understanding, not just information
We can't all be experts
Reference materials can be made available, as needed
Retention AND commitment plummet after 60 minutes
Slide 35
Principle #4: Value vs. Cost
Costs relate to scale
The real measure is the effectiveness of the outcome, not the cost per head
Security breaches are much more expensive!
Slide 36
Principle #5: The Right Combination of Spirit and Structure
Keep it light, humorous
But also reinforce personal responsibility and the corporate commitment to getting it right
Slide 37
Principle #6: Relevant Context Setting
Relevant, appropriate, realistic
Actual examples from archives or recent situations are best
The goal is understanding how it fits into their daily routines
Slide 38
Principle #7: Consistency
Messages should be consistent
Training and awareness should be delivered so that it fits within the organization's culture
Slide 39
Principle #8: Technology Should Enable, and no more!
Be careful of adding too many bells and whistles
It's better to avoid the possibility of technical glitches
The content is the key
Slide 40
Principle #9: Project Management
It's the key ingredient
Get everyone on board with the plan
Allow time for testing, feedback and fine-tuning
Slide 41
Information Security Assurance: getting the message through
Slide 42
Questions?
Pamela Halpern, Easy i
pamela.halpern@easyi.com
310 414-0731
www.easyi.com