Information Systems Security, Security Management Practices, May/June 2005

Implementing an Information Security Awareness Program

Thomas R. Peltier, CISSP, CISM

THOMAS R. PELTIER, CISSP, CISM, is principal of Peltier and Associates (www.peltierassociates.com), an information security consulting and service firm. He can be reached at [email protected].

An effective information security program cannot be implemented without implementing an employee awareness and training program to address policy, procedures, and tools. Learning consists of three key elements:

1. Awareness, which is used to stimulate, motivate, and remind the audience what is expected of them.

2. Training, the process that teaches a skill or the use of a required tool.

3. Education, the specialized, in-depth schooling required to support the tools or as a career development process.

The article addresses the elements that make up a successful information security awareness program. It addresses the role that organization personnel play in the information security program and how to use this information to one’s benefit. It also discusses how to establish awareness program scope, how to segment the audience, and how to ensure that the content is effective in getting the message to the user community.

INTRODUCTION

The development of information security policies, standards, procedures, and guidelines is only the beginning of an effective information security program. A strong security architecture will be rendered less effective if there is no process in place to make certain that the employees are made aware of their rights and responsibilities with regard to organization information assets.

All too often, security professionals implement the “perfect” security program, and then are surprised that it fails because they forgot to sell their product to their constituents. To be successful, the information security professional must find a way to sell this product to the customers.

For years I have heard information security professionals discuss their jobs in terms of overhead, as if this is some evil thing. Nearly every employee within an enterprise is overhead. Even the CEO, CFO, CTO, and CIO are all overhead. However, they have learned what we need to learn, and that is that we all add value to the bottom line of the enterprise. Our task, just like the big “C”s, is to ensure that the business objectives and mission of the enterprise are met. What the information security professional has failed to do is to sell the services of information security.

We must examine our services such as risk analysis, policies, procedures, standards, vulnerability assessments, and business continuity planning and determine how each of these services supports the business objectives. Before you can be effective, you will need to take stock of the services your team offers and prepare your own unique sales pitch for management.

KEY ELEMENTS OF A SECURITY PROGRAM

The information security triad of confidentiality, integrity, and availability drives the security program. Management, however, is concerned that information reflects the real status of the organization and that they can have confidence that the information available to them can be used to make informed business decisions. An effective information security program endeavors to ensure that the organization’s information and its processing resources are available when authorized users need them.

The goal of confidentiality extends beyond just keeping the bad guys out; it also ensures that those with a business need have access to the resources necessary to perform their jobs. Confidentiality ensures that controls and reporting mechanisms are in place to detect problems or possible intrusions with speed and accuracy.

An effective security program must take into account the business objectives and mission of the organization and ensure that these goals are met as safely and securely as possible. Understanding the customer’s needs must be the first step in establishing an effective information security program. The awareness program must reinforce these objectives, which will make the program more acceptable to the employee base.

As important as a set of written policies, standards, and procedures is in defining the architecture of the security program and the infrastructure that supports it, the true fact of the matter is that most employees will not have the time or desire to read these documents. The objective of the awareness program is to take the message to the people.

The information security program has five key elements that must be presented to the audience. These include:

1. A process to take the message to the user community to reinforce the concept that information security is an important part of the business process

2. Identification of the individuals who are responsible for the implementation of the security program

3. The ability to determine the sensitivity of information and the criticality of applications, systems, and business processes

4. The business reasons why basic security concepts such as separation of duties, need-to-know, and least privilege must be implemented

5. That senior management supports the goals and objectives of the information security program

BELIEVE IN WHAT YOU ARE DOING

Before you can begin to put together a program to sell information security to your fellow employees, you must first sell the product to yourself. Many information security professionals hear either directly or indirectly that the role they are performing is overhead and that it inhibits the other employees from meeting their assigned objectives. The part about overhead is true, but so are the vast majority of employees. The “C” level employees (CEO, CFO, CTO, CISO, etc.) are all overhead. However, they have a charter that establishes their legitimacy and describes how they support the business objectives and mission of the organization.

You will need to publish a charter; but more importantly, you will need to persuade yourself that what you do adds value to the organization. When teaching a class on information security issues, I always give the attendees a homework problem. The exercise is to come up with four things that you, as a security professional, do to help your enterprise meet its business objectives or mission. These four items should be expressed in non-security, non-technical, non-audit terms. Use the language of the business unit managers to express your four value-added statements.

When creating your value-added statements, do not state that you “add users to the system using ACF2.” Instead, sell your services by stating that you ensure that authorized users are given access to information resources in a timely and efficient manner. Tell your audience what it is that you do that enables them to do their job.

Just as you have to prepare to sell your job and its duties to management and fellow employees, so must you be prepared to sell the services that you provide. Again, these services must be presented to the user community in the language they understand. Security requirements or audit requirements are not part of the business process, and as far as the business is concerned they do not exist. There are only business objectives or mission requirements. So when we present our services, we must use the terms that management uses.

Risk Analysis

Risk analysis is a technique used to identify and assess factors that might jeopardize the success of a project or the achievement of a goal. This process is also known as project impact analysis. This process will include a cost-benefit analysis and typically incorporates the features and benefits of the asset or process under review.

Risk Assessment

Organizations use risk assessment to determine what threats exist to a specific asset and the associated risk level of that threat. The threat prioritization (establishing the risk level) provides the organization with the information needed to prioritize where to implement appropriate control measures, safeguards, or countermeasures to lower the risk to an acceptable level.

Policies

Management establishes its goals and objectives for protecting the assets of the enterprise by implementing policies. Policies are used to introduce the concepts of what is expected of all employees when using enterprise assets and what noncompliance can lead to. The message of the policies is also included in the contract language so that third parties are aware of their responsibilities.

With policies implemented along with an awareness program, the enterprise then can seek relief in the courts, if necessary, to protect its assets. Policies establish the behavior expected of all personnel granted access to that asset.

Procedures

These are probably the easiest security measures for which to explain return on investment. Procedures are the step-by-step process used to complete a task. They provide users with the information needed to complete a task and ensure management that the tasks are being completed in a uniform and approved manner. Procedures improve efficiencies in employee workflow and assist in the prevention of misuse and fraud.

Standards

Remember Y2K, that historical event that caused many of us a lot of extra work? It was the lack of standards or the ignoring of standards that made management spend so much money to retrofit the fixes. Standards are a way of ensuring that programs and systems will work together and that when there is a need to do error searching, the people looking through old code will be better able to understand what is out there.

By establishing standards, the enterprise limits rogue applications, systems, platforms, hardware, or software. There is less time spent in supporting non-standard activities or products. When a new application or system is moved into production, the existing systems and applications will not have to make modifications to handle non-standard information or data. Standards are a cost-savings process that supports the efficient running of the enterprise.

Business Continuity Planning

Since the events of September 11, 2001, most organizations have seen the need to implement an enterprisewide continuity plan. Management has always been charged with a fiduciary responsibility to protect the assets of the enterprise. Business continuity planning (BCP) is a process that allows management to show it has exercised due diligence with respect to the information processing resources and assets. By having a plan and testing the plan, the enterprise is showing to employees, stakeholders, and interested third parties that the continued operation of the enterprise has been addressed and is taken seriously.

While these are only examples of how to sell your information security services, they do provide you with the idea of how this can and should be done. To be successful, the information security professional must step into the role of the businessperson. Security is a portion of the entire business process and must use the words and objectives of the business units to be successful. Our goal is not just to have security endure; we want it to prevail. To do this, we must become an active voice in the business or mission of our organizations.

PROGRAM GOALS

Employees want to know what is expected of them and who to turn to for assistance. The ongoing information security awareness program will provide those answers to the user community. The employees need to understand that the security program is supported, approved, and directed by senior management.

Another key goal of an awareness program is to ensure that all personnel get the message. The process should begin with new employee orientation and continue through the final exit interview. In between, there should be at least annual mandatory refresher classes and sessions.

Contract personnel should be made aware of the information security program goals and objectives, but one should be cautious when considering whether or not to include third parties in regular employee training and awareness sessions. Normally, your organization would want the contract house to conduct the awareness training for its personnel. At least, hold separate awareness sessions for contract personnel. Be sure to work with the Purchasing and Legal departments to ensure that the language of the contracts specifies adherence to the security program.

All too often, the programs fail because there is little or no follow-up. There is usually the “big splash” kickoff and then not much else. Over the years, management and employees have been trained on how to respond to the big event, and that is to do nothing.

In the 1970s, management and employees were introduced to a concept termed “Quality of Work Life (QWL).” This bold new concept was to address how employees felt about the job, their bosses, and fellow employees. Management would then take steps to improve the work atmosphere. In the 1980s, we were introduced to “Total Quality Management (TQM),” where we discovered that employees were our most important asset and that they needed to be empowered. Then in the 1990s, we were trained in the “Learning Organization” and were introduced to the concept of the “ladder of inference.” What management and employees learned from these concepts was that the best way to deal with any new program is to wait. Expend the least amount of energy possible and there is a good chance that it will go away or die due to inaction.

The employees know that inaction or indifference is the best tool to use when confronted with a new initiative. To be successful, it will be necessary to map out a strategy to keep the message in front of the user community on a regular basis. When mapping out your program, you might want to consider incorporating special dates into the calendar of events. For an information security program, consider doing something on the following dates:

■ May 10: International Emergency Response Day

■ September 8: Computer Virus Awareness Day

■ November 30: International Computer Security Day

However, keeping the message in front of the user community is not enough. The message must make the issues of information security come alive and become important to all who see the message. This can be accomplished in part by finding ways to tie in the message with the goals and objectives of each department. Every department has different needs and objectives. The message you bring must address those needs.

Find ways to make the message important to the employees. When discussing controls, identify how they help protect the employee. For example, when requiring employees to wear identification badges, many security programs tell employees that this requirement has been implemented to meet security objectives. What employees should be told is that the badges ensure that only authorized persons have access to the workplace. The goal of this security measure is to protect the employee in the workplace by ensuring that only authorized personnel have access. When presenting controls, present the message to the employees in a manner that shows them the benefit.

Finally, the security program is meant to reduce losses associated with the intentional or accidental disclosure, modification, or destruction of information or the denial of services from the systems or applications. This can be accomplished by raising the consciousness of the user community of the ways to protect information and the processing resources. By ensuring that these goals are met, the organization will be able to improve employee efficiency and productivity.

SEGMENTING THE AUDIENCE

To be successful, the awareness program should take into account the needs and current levels of training and understanding of the employees and audience. Typically, there are five key ways to establish an effective segmentation of the user audience:

1. Current level of computer usage

2. What the audience really wants to learn

3. How receptive the audience is to the security program

4. How to gain acceptance

5. Who might be a possible ally

Current Level of Computer Usage

To assess the current level of sophistication in computer usage, it will be necessary to ask questions of the audience. While sophisticated workstations may be found in employee work areas, their understanding of what these devices can do may be very limited. Ask questions as to what the tasks are and how the tools available are used to support these tasks. It may come as a surprise to find out that the newest and most powerful system on the floor is being used as a glorified 3270 terminal.

Be an effective listener. Listen to what the users are saying, and scale the awareness sessions to meet their needs. In the awareness field, one size or presentation does not fit all.

What Does the Audience Really Want to Learn?

One way to get the audience open to listening to the security message is to provide them with awareness training on topics that are in the news. My team and I would watch for news shows such as “Dateline,” “48 Hours,” or the evening news to run a segment on some current issue. We would purchase a copy of that segment and make it available to the departments for their staff meetings. We did this initially with phone card theft and cell phone cloning. While these issues were not actually part of the information security program, we were able to tie a brief information security message into the presentation.

In today’s environment the concern over identity theft is a perfect lead-in to the issues surrounding information security. So take the time to find out what the concerns of the user community are and then tap into those needs to present your message.

Determine How Receptive the Audience Is

Identify the level of receptiveness to the security program. Find out which elements are being accepted and which ones are meeting resistance. Examine the areas of noncompliance and try to find ways to either alter the requirement or find a better way to present its objectives. Do not change fundamental information security precepts just to gain unanimous acceptance; this is an unattainable goal. Make the program meet the greater good of the organization and then attack the pockets of resistance to lessen the impact.

One method of determining levels of receptiveness is to conduct a “walkabout.” A walkabout is conducted after normal working hours and looks for certain key indicators, including:

■ Offices locked

■ Desks and cabinets locked

■ Workstations secured

■ Information secured

■ Recording media (diskettes, tapes, CDs, USB drives, etc.) secured

Seek Ways to Gain Acceptance

Work with the supervisors and managers to understand what their organization’s needs are and how the program can help them. Remember that it is their program. It will be necessary for you to learn to speak their language and understand their specific needs. No single awareness program will work for every single business unit or department. You must be willing to make alterations to the program and show a willingness to accept suggestions.

The best way to gain acceptance is to ensure that the employees and managers are partners in the security process. Never submit a new control or policy to management without sitting down with them individually to discuss and review the change. By knowing what each department or business unit does, you will be able to present the change to the manager and discuss how it will help them meet the goals and objectives.

It will also be important to know the peak activity periods of the various departments and what the manager’s chief concerns are with regard to meeting objectives. When meeting with the managers, be sure to listen to their concerns and be prepared to ask for their suggestions on how to improve the program. When I was starting out in the security business, I ran into managers that had “an issue” that they wanted resolved. When I came back with the resolution, I often found that they had “another issue.” After working this process a couple of iterations, I found that the best way to prevent “additional issues” was to be prepared for the “issues” list. I would answer item number one and, if presented, item number two. If the manager went to a third item, I would ask if there were any additional “issues.” This would allow me to get all of the items out and then move forward.

Possible Allies

Find out which managers support the objectives of the security program and which managers have the respect of their peers. Look beyond the physical security and audit departments. Seek out the business managers who have a vested interest in seeing the program succeed, and then use their support to springboard the program to acceptance.

When discussing the security program, avoid referring to it as “my program.” Senior management has identified the need for a security program and has tapped you as their messenger and catalyst to move the program forward. So when presenting the program to user groups, employees, and managers, refer to the program as “their program” or as “our program.” Make them feel that they are the key stakeholders in this process.


In a presentation used to introduce the security program to the organization, it may be beneficial to have the CEO or President introduce the subject through a video, saying something like the following:

“Just as steps have been taken to ensure the safety of the employees in the workplace, the organization is now asking that the employees work with us to protect our second most important asset — information. If the organization fails to protect its information from unauthorized access, modification, disclosure, or destruction, then the organization faces the prospect of loss of customer confidence, competitive advantage, and possibly jobs. All employees must accept the need and responsibility to protect our intellectual property and processing resources.”

Involve the user community and accept their comments whenever possible. Make the information security program their program. Use what they identify as important as a key to the awareness program. By having the users involved, the program truly becomes theirs and they will be more willing to accept and internalize the process.

PROGRAM DEVELOPMENT

As discussed above, the awareness presentation will vary based on the needs of the audience. Not everyone needs the same degree or type of information to do their jobs. An awareness program that distinguishes between groups of people and presents only information that is relevant to that particular audience will have the best results.

The job category is one way to segment the awareness audience and will provide the presenter with guidelines as to type and duration of the presentation. A standard presentation should typically last no longer than 45 minutes and should consist of a combination of live discussion and videotape or movie information. This form and length of presentation is fine for employees and line supervision.

Business unit managers have two or more departments or groups reporting to them and have less time. Schedule an individual 20-minute meeting with these managers and have two or three pages of materials to use to support your discussion. Stress the objectives of the program and how the program can be used by the business unit to meet its objectives.

Senior management (including officers and directors) will have about 15 minutes available for the presentation. Have a one-page summary for them, and discuss how the program supports them in their fiduciary duty and how it helps them meet their due diligence obligation.

Contractors and other third parties will need their own awareness sessions, and they typically follow the format of the employee and line supervision presentations. Whenever possible, segregate third parties from the awareness training of regular, full-time employees. This will help ensure that the message for third parties is consistent and that there is no confusion as to their job status.

Once the audience has been segmented, it will be necessary to establish the roles that the users will be expected to assume. These roles may include managers acting as the information owner, service providers (either internal or external) acting as custodians of the intellectual property, and general users.

For any message that is to be delivered, be sure to employ the KISS (Keep It Simple, Sweetie) practice. You will have other opportunities to present material to the user community. Do not try to present all the information security goals and objectives in one session. Remember that you have only about 30 minutes of attendee attention.

Inform the audience but try to stay away from commandments or directives. Discuss the goals and objectives using real-world scenarios. Use anecdotes to reinforce the concept that problems can happen here and that they do happen. A good story will be remembered long after the session has ended. Quoting policies, procedures, standards, or guidelines will turn off the audience quickly. Policies and procedures are boring; if employees want more information, give them a reference card to help them find the resource.


Try to avoid telling employees that something is being implemented to “be in compliance with audit requirements.” This is, at best, a cop-out and fails to explain in business terms why something is needed. The awareness session presents management’s beliefs and objectives for the use and protection of the organization’s information resources.

Methods to Convey the Message

How do people learn, and where do people obtain their information? If you can answer these questions, then your awareness program will have a better chance of success. Depending on what needs to be accomplished in the learning process, the manner in which the message is to be conveyed may be different. If we were implementing a training program, we would be able to select from three basic methods of training:

1. Buy a book and read about the subject.

2. Watch a video on the subject.

3. Ask someone to demonstrate the process.

For most employees, the third method is preferred for training. Most people like the hands-on approach and want to have someone there to answer questions.

With an awareness program, the process is a little different. In awareness, we want to raise consciousness about an issue. Awareness is to stimulate and motivate the audience about an issue or objective. It will be necessary to tap into the method most used by our audience to receive information. According to USA Today, over 90 percent of people obtain their news and information from television and radio. To make an awareness program work, it will be necessary to use this delivery model.

Knowing how people learn will help implement an effective security awareness program. Neuro-linguistic programming is the study of how people learn. This process has identified three basic ways in which people learn:

1. Auditory. These people must hear something in order to grasp it.

2. Mechanical. This learning-type must write down the element to be learned. Those taking notes during meetings are typically mechanical learners.

3. Visual. Learners of this type, who make up 90 percent of our audience, need to see a picture or diagram to understand what is being discussed. People who learn via this method normally have whiteboards in their offices and use them often.

Because so many of our employees use the television as their primary source for gathering information, it is important to use videos and other visual stimuli to reinforce the message. Visual models can include posters, pictures, and videos. The use of videos serves several purposes.

With the advent of the news magazine format being so popular in television today, our employees have become conditioned to accept the information presented as factual. This allows us to use the media to present them with the messages we consider important. Because the audience accepts material presented in this format, the use of videos allows us to bring in an “informed” outsider to present the message. Many times, our message fails because the audience knows the messenger. Being a fellow worker, our credibility might be questioned. A video provides an “expert” on the subject.

There are a number of organizations that offer computer and information security videos. As discussed above, consider having a senior executive videotape a message that can be run at the beginning of the awareness session. However, be very careful when considering developing your own 20-minute security video. Costs for creating a quality in-house video of 20 minutes can exceed $100,000.

An effective awareness program will also take advantage of brochures, newsletters, or booklets. In all cases, the effectiveness of the medium will depend on how well it is created and how succinct the message is. One major problem with newsletters is finding enough material to complete the pages each time you want to go to press. One way to present a quality newsletter is to look for vendors that provide such services. Typically, the vendor supplies the textual material for the newsletter and the company can put its logo and masthead on the newsletter with space for a small column of specific information.

Many organizations are decentralizing the information security responsibility and requiring each business unit to establish an information security coordinator. One of the tasks of this individual is to present the awareness sessions to their specific organization. An effective method of conveying a consistent message using this format is to “train the trainers.”

The security awareness presentation is typically created by the central information security group, and then regional training sessions are held to present the message and tools to the unit coordinators. During this half-day session, the key concepts are reinforced and the coordinators work with the security team to customize the session for their needs. This method helps ensure that the message presented meets the overall need of the organization and that the business units feel that the message is directed toward their requirements.

PRESENTATION KEYS

While every organization has its own style and method for training, it might help to review some important issues when creating an awareness program. When creating the awareness program, remember that the topic of information security is very broad. Try not to get overwhelmed with the prospect of providing information on every facet of the information security program in one meeting. You must adhere to the old adage of “How do you eat an elephant? One bite at a time.”

Prioritize the message to the user community. This will require that a risk assessment be performed on the information security infrastructure, which will provide the organization with a prioritized list of security issues. Select the most pressing issue from this list or a topic that the Information Security Steering Committee has identified as vital.

The information security awareness program is a continuous process and there will be many opportunities to present the security messages. Identify where to begin, present the message, reinforce the message, and then build up to the next objective. Keep the awareness sessions as brief as possible. It is normally recommended to keep the sessions to no more than 50 minutes. There are a number of reasons for staying under an hour: biology (you can only hold coffee for so long), attention spans, and productivity issues.

Start your session with an attention-grabbing piece such as the chief executive’s video message or even an ice-breaker “personality test.” One that I use is quite simple to start some sessions; see Table 1.

Tailor the presentation to the vocabulary and skill set of the audience. Know who you are talking to and provide them with information they can use and understand. This presentation should not have the appearance of a doctoral dissertation.

TABLE 1 Personality Test

Instructions:

Using word association techniques, write down the first response that comes into your head when you hear each of the following words:

Term     Meaning
Dog      How you view your own personality
Cat      How you view your partner’s personality
Rat      How you view your boss’ personality
Ocean    How you view your own life
Coffee   How you view your LOVE life

The awareness session must take into account the audience and the culture of the organization. Understand their needs, their knowledge, and their jobs. Knowing what the attendees do for a living will assist the presenter in striking up a relationship with them.

Stress the positive and business side of security. As discussed in selling security, you will have to sell them the concept that security is good for them. I often use the following analogy when discussing this issue. At the end of World War II, some GIs found that people living in areas of Europe lived for years beyond what Americans did. One of the factors in this long life was their eating of yogurt. So these GIs decided to introduce yogurt to the American culture. One major problem: plain yogurt has a nasty taste. To be successful, the GIs had to find a way to make it palatable to the American taste; so they added fruit to the bottom of the cup and Americans could then stir up their good-tasting yogurt.

Information security is plain yogurt. To most employees, it leaves a bad taste in their mouths. You must find a way to make the message palatable to the user community. This is done by understanding their needs and adjusting the message to meet their issues. Reinforce the message by providing booklets, brochures, or trinkets with the message or slogan.

PRESENTATION FORMAT

While every presentation will be different, the following format is provided as a starting point for you to use to develop your own awareness presentation.

1. Introduction. Start with an introduction of the topic and how the security program will support them in the completion of their tasks and jobs. This is where the senior management video would also be presented.

2. Message. Follow the introduction with the message. Typically, this would either be a live presentation (see “Effective Communication”) or the information security video.

3. Compliance issues. Discuss any methods that will be employed to monitor compliance with the security objectives and provide the audience with the rationale for such compliance checking.

4. Questions and answers. Provide the audience with about ten minutes for questions and answers. Ensure that every question is recorded and that the answer is provided during the session (which is best) or where the answer will be posted. Use the Q&A from one session as input or background for your newsletter follow-up.

5. Reinforce. Give them some item that will reinforce the message to them when they are back in their work areas.

EFFECTIVE COMMUNICATION

An effective information security program will depend on how well the message is communicated to the audience. While many of us are confident in the importance of the message we will be presenting, oftentimes the message is missed because of other factors. To be as effective as possible, it might be helpful to identify potential barriers to effective communication, including:

■ Image. Dress as the audience is dressed, only a little better. While many organizations have converted to the business casual dress, when you are presenting, it is important to exhibit the proper respect and professionalism to your audience. I once worked for a company that was headquartered in the Pacific Northwest. I had just finished 22 years with a global manufacturer located in the Midwest and they had just begun business casual. I was shocked at the attire of my fellow employees. (I believe it is known as “grunge-rock chic.”) When we went to do work at the client site, I required the salesperson to inform us as to how the clients dressed. I had to make sure that we abandoned our avant-garde look and became more traditional. I went to a meeting one time and did not recognize my own employee, as he had “cleaned up real nice.”

■ Prepare. Nothing will turn an audience off quicker than a presenter who stumbles around for materials or loses his or her place. Make certain that all audio-visual equipment is working properly (get there early and test everything).

■ Present. Do not read your presentation; use bullet points or brief phrases to speak from. With any luck, your audience will know how to read. Avoid reading verbatim from the presentation slides; speak to the audience as if you are having a conversation with them.

■ Jargon. As information security professionals, we speak a very strange language. Many of us have also come from the information systems environment and this will compound the problem. I strongly recommend that you practice the presentation in front of a select focus group.

■ Audience. Know your audience and speak to them in terms that they will understand. Each and every department has its own language; so do your homework and learn what terms are important to them and use them correctly in your presentation.

■ TLAs. TLA is an acronym for a three-letter acronym (TLA). The next time you attend a meeting, keep a running score of the TLAs and FLAs (four-letter acronyms) that are bandied about. Say what you mean, keep the TLAs to a minimum, and define them before using them.

■ Idioms. Be careful with language. Our organizations have many different ethnic groups and slang terms may be misunderstood or even offensive. Be mindful of those in your audience and select your terms wisely.

■ Priorities. As security professionals, we feel that security is the organization’s most important objective. However, Purchasing, Accounting, Payroll, Human Resources, etc. have other priorities.

■ Schedule. Just as every department has a unique language and priorities, they also have deadlines. Schedule your presentations around their busy periods. Try to become part of a regular staff meeting if possible.

■ Time. Keep the awareness sessions brief and businesslike. At Gettysburg, Edward Everett was the featured speaker and spoke for nearly two hours. President Lincoln spoke second and in less than five minutes, and the world remembers his Gettysburg Address. Remember that it is quality not quantity that will make a successful presentation.

Information security is an important part of doing business today. The message of employee responsibilities must be presented to employees on a regular basis. To have a chance for success, a good presenter will be clear, concise, and brief. Know your audience and play to their needs and concerns. If you do your homework, the audience will be more open to receiving the message. If they accept the message as being meaningful, then the objectives of information security will become incorporated into the business process.

WHEN TO DO AWARENESS

Any awareness session must be scheduled around the work patterns of the audience. Take into account the busy periods of the various departments and make certain that the sessions do not impact these peak periods.

The best time to schedule an awareness session is in the morning on a Tuesday, Wednesday, or Thursday of a regular work week. First thing Monday morning will impact those getting back and starting the week’s work; and holding a session on Friday afternoon will not be as productive as you would like. The bodies may be in the room, but the minds and souls have already departed. This timeframe will result in the onset of the “stunned owl” syndrome, a process where the words no longer go in one ear and out the other. At this point, the words hit the audience in the forehead and fall to the floor.

The physiological clock of humans is at its lowest productivity level right after lunch. If you turn out the lights to show a movie, make sure to turn up the volume so it can be heard over the snoring. Try to avoid the after-lunch time period.

Also, schedule sessions during off-shift hours. Second- and third-shift employees should have the opportunity to receive the message during work hours just like those on day shift. I once made a presentation to the third-shift employees after their regular shift. I was assured by their management that an hour of overtime was all they needed to stay awake. Well, one young lady dozed off as soon as the lights went out and she did not wake up until I went over to tell her that everyone had gone home.

PRESENTATION STYLES

As discussed briefly before, each group of employees requires a different timeframe and approach to security awareness presentations. We review the requirements here.

Senior Management

While most other sessions will last no more than 50 minutes, senior management has even less time for issues as important as information security. Prepare a special brief, concise presentation and have available in-depth supporting documentation.

Unlike typical presentations, senior management does not want a video and personality test. They may not even want presentation slides. They generally prefer that the presenter sits with them for a few minutes and discusses the issues and how the security program will support management’s objectives.

Quickly explain the purpose of the program, and identify any problem areas and what solutions you propose. Suggest to them an action plan. Do not go to them with a problem for which you have no solution. Do not ask them to choose a solution from several you present because they might do just that and it might not be what is needed.

You are the expert here, and they are expecting you to come to them with your informed opinion on how the organization should move forward.

Senior management is expecting a sound, rational approach to information security. They will be interested in the overall cost of implementing the program and how this program benchmarks against others in the same industry or business.

Managers

Managers focus on getting their job done. They will not be interested in anything that appears to slow down their already tight schedule. To win them over, it will be necessary to demonstrate how the new controls will improve performance processes. As has been stressed throughout this article, the goal of security is to assist management in meeting business objectives or the overall mission.

Stress how the new processes will give the employees the tools they need (such as access to information and systems) in a timely and efficient manner. Show them the problem resolution process and who to call if there are any problems with implementation of the new process.

Line Supervisors and Employees

The employees are going to be skeptical. As discussed above, they have been through so many company initiatives that they have been trained to wait and hope the process will pass over. The compliance checking concept will assist in getting the message to them that information security is here to stay.

Identify what is expected of them and how it will assist them in gaining access to the information and other resources they need to complete their assigned tasks. Point out that by protecting access to information, they can have a reasonable level of assurance (remember to avoid using absolutes) that their information assets will be protected from unauthorized access, modification, disclosure, or destruction.


THE MESSAGE

The message to be presented will be based on whether your organization has an effective information security program in place and how active it is. For those organizations just activating the program, it will be necessary to convince management and employees of its importance. For organizations with an existing outdated program, the key will be convincing management that there is a need for change.

The employees need to know that information is an important enterprise asset and is the property of the organization. All employees have a responsibility to ensure that this asset, like all other company assets, is properly protected and is used to support management-approved activities. The awareness program will allow employees to be made aware of the possible threats and what they can do to combat them.

The scope of the program must be made clear to the audience. Is the program limited to only computer-held data, or does the program reach all information, wherever it is found and however it is generated? The awareness process must ensure that employees know the total scope of the program. It must enlist their support in protecting this vital asset because the mission and business of the enterprise depend on it.

SUMMARY

Information security is more than just policies, procedures, standards, and guidelines. It is more than just responses to audit comments or industry requirements. It is a business process that requires a cultural change for most employees.

Before anyone can be required to be compliant with a security measure, they must first be made aware of the need and the process. This is an ongoing process that begins during new employee orientation and continues through the post-employment exit interview. It must be conducted at least on an annual basis and include regular reminders.

Information security awareness does not require huge budgets. However, it does require some time and proper project management. The message must be kept in front of the user community and different vehicles of delivery should be used. Use your contacts in the industry to bring in speakers to support your program and use videos whenever possible.

Before you can sell your security program to any of the employees, you must sell it to yourself. The awareness program must be the voice of reason and logic. Start small and expand. By the time the employees realize there is a security program, it will already be part of the culture.
