Session 113 20. June 2005
#113 Keeping Information Security
Awareness Training Fresh
Peter R. Bitterli, CISA, Principal, Bitterli Consulting AG
http://[email protected]
Please observe the copyright: you may use and further distribute this presentation only with this copyright
notice attached. If you use parts of this documentation in presentations or other diagrams, you have to refer to the
source. Any commercial use of this presentation is only allowed with the written consent of the author.
Abstract
Keeping information security awareness training fresh
This session will provide insight into the tricks of running a
successful information security awareness campaign. It will
explain both a scientific and pragmatic means of analyzing the
need for improvement and will help the information security
manager recognize the importance of structuring the
campaign for different target audiences (e.g., managers,
employees, IT staff) and their specific cultural and
professional backgrounds. The session will show typical
unwanted behaviour of the target audiences and some of their
special characteristics that can help in convincing them of
something they may not initially be keen to implement …
Learning Objectives
The participants will learn about
Developing and running an international
awareness campaign
Analyzing the needs for a campaign and its
specific goals and objectives
The advantages and disadvantages of
typical campaign components (e.g.,
brochures, training, video, e-learning)
Taking advantage of successful marketing
and sales techniques
Measuring the success of campaign elements
Content
Keeping information security awareness training fresh
Why is it so difficult to sell security?
The basics of selling security
Target audience analysis
More scientific approaches
How to use awareness “tools”
Awareness video (Swiss Re)
Wrap-up
Need for a formal Program
Security awareness is a combination of culture and behaviour
It is a fact that the attitude and behaviour
of staff have a high impact on the quality
and security of any type of service
It is therefore essential to prompt all
persons involved to be careful when
creating, processing, using or handling
information and information systems
Target of any Campaign
Only a longer lasting program will raise awareness to the necessary level
[Figure: personal commitment (low to high) plotted against time and number of contacts; the stages awareness, understanding, positive image, adoption, acceptance and internalization rise in that order and are grouped into Level 1, Level 2 and Level 3]
The overall target of any
awareness campaign should be
to convey the correct security
and quality aware behaviour so
that a high level of personal
commitment can be achieved.
Level 1: Basic Understanding
The goal of level 1 is to introduce a basic
understanding of
why quality and security are needed
why everyone must personally contribute
through correct behaviour
Level 1 typically addresses all employees
(users of IT) and all levels of management
Level 2: Quality & Security Thinking
The attitude of every member of staff must
be changed sustainably. To do this, we must
show them how they, as the persons affected, can
contribute to a high level of quality and
security
Level 2 typically also addresses more
specific target groups (e.g. software
developers, system administrators, business
managers responsible for internal controls)
Level 2: Quality & Security Thinking (cont.)
Level 2 can only be reached with the
support of management and through the
integration of quality and security into
their daily tasks, e.g.
Fixed item on agenda of regular meetings
Integration into strategy and planning processes
Integration into objectives for subordinates
Monitoring and compliance reviews of policies
…
Level 3: Towards Internalization
Only where quality and security are
considered "automatically" will an adequate
level of security be reached
Level 3 means that any person involved
considers quality and security aspects with
every action or decision
Level 3: Towards Internalization (cont.)
"Internalization" will only be reached
where the following requirements are
met:
Binding and understandable regulations for
quality and security
Incentives for correct conduct
Sanctions for non-compliance, based on clear
criteria
Ongoing comparison between different areas
using benchmarking
…
Selling Security is difficult
Some of the most common reasons for failure of awareness campaigns
Unsuccessful track record
Failure to fulfil management’s expectations
Lack of organisational understanding by
security staff
Failure in coordination between the control
functions
Evolving organisation structures
Lack of a coordinated security sales program
…
Business Objectives
How to sell (IT) security
Know your organisation’s primary business
objectives
Familiarise yourself with the industry and
business operations:
Annual reports
Organisational charts
Strategic plans
Interviews of business managers
Analyse business needs and what could
threaten the objectives being met
Sales Strategy
How to sell (IT) security
Sell to more than one level of management
Sell the security professional (yourself) first
Avoid negative security messages
Know sales techniques
General marketing techniques
Variety of approaches available
Don’t forget:
Personal presentations
One-to-one selling
…
Selling to Managers (I)
How to sell (IT) security
Security Policy, Baseline Control,
Guidelines
Present and discuss; ask for feedback
Let the managers explain them to subordinates
Awareness materials
Present and discuss; ask for accompanying letter
Have them talk about this during meetings
Distribute articles about security
With a commenting letter
In person ("have you seen this?")
Selling to Managers (II)
How to sell (IT) security
Report on security matters
In person once every month
Fixed item on agenda for meetings
Encourage managers to attend
Meetings, seminars, conferences on security
Be prepared before facing management
Anticipate questions and objections (FAQ)
Ask them for a decision
Handout material
Follow-up visit
More Marketing Aspects
How to sell (IT) security
Make people want to be secure
Display high-level support
Encourage people to be alert
Point out the risks
Be simple but comprehensive
Be targeted and never assume knowledge
Be entertaining and amusing
Be two-way
Select your Target Groups (I)
Whom do you want to address with your awareness campaign?
Users
“Normal”
With access to sensitive
data
Home office
Travelling users
With laptop, PDA,
diary, mobile phone
Temps
New joiners
…
Management
Your boss
Business managers
Executive management
Control related
Legal
Compliance
Human Resources
Controlling
Data Protection Officer
Select your Target Groups (II)
Whom do you want to address with your awareness campaign?
IT
Manager(s)
Developers
Operations
Administrators
Help Desk
External
Clients
Business partners
Audit committee
Outsourcing providers
Analyse your "Target Groups"
Know your "enemy" if you want to be successful
For every target group collect:
Description
Major (security) concerns of target
group members
Unwanted behaviour
Expected behaviour
Possible delivery mechanisms
(marketing ideas)
You will find examples on the following
slides for three of the many target
groups: managers, users, IT staff
Target Group: Management (I)
Typical example of the results of target group analysis
Description
Persons responsible for
a department
a (large) team
a specific area/topic
(e.g. Data Protection
Officer, Compliance)
Hierarchically senior
Better paid
(Often) better educated
Career oriented
Major (security) concerns
Unavailability of data and
computing resources
Unauthorised access to
data (e.g. sensitive or
confidential data)
Too high a level of access
for temps etc.
Internet & third party
access
Target Group: Management (II)
Typical example of the results of target group analysis
Unwanted behaviour
Not all are concerned
about (IT) security
See no need to provide
resources for quality
and/or security
Do not monitor their area
of responsibility
Are often under high
pressure to perform
Keep problems to
themselves
Unwanted behaviour (cont)
Set bad examples
Pass on their passwords to
secretaries
Grant too much access to
3rd parties (consultants,
business partners)
…
Target Group: Management (III)
Typical example of the results of target group analysis
Expected behaviour
Really care about security
Provide resources for
quality and/or security
Check back whether their
orders have been met
…
Possible delivery mechanisms
Security is part of
agenda in all regular
meetings
Security objectives in MbO (management
by objectives) that affect the bonus
Standard management training
Train-the-trainers
Quarterly security
management report
…
Behaviorism can help
Many different scientific approaches
Behaviorism shows
how persons really
behave
what persons really
think
Scientific approach
Questionnaires
Interviews
Observation (video,
measuring brain
currents, …)
Supports effectiveness
Problems/concerns
Behaviour
Motivation
You know “what makes
them tick”
Supports efficiency
Focus on target
group(s)
Focus on important
issues
Behaviorism can help
Two of the many approaches explained
Four ways of life analysis
Grouping based on
predefined criteria
Supports focussing on
most common types,
e.g.
Hierarchists
Individualists
Risk & Security Perceptions
Grouping based on
common criteria
Supports focussing on
just a few factors
Will produce highly
valuable starting-points
for campaign
Four ways of life analysis (Prof. Dake)
Systematic and scientific assessment of cultural biases
[Figure: two-by-two grid placing the four "ways of life" (Fatalist, Hierarchist, Egalitarian, Individualist) by degree of social regulation (high/low) and degree of social contact (low/high)]
Fatalist
Views: Nature is a lottery, capricious; outcomes are a function of chance
Preferences: Weigh gains against losses
Hierarchist
Views: Nature is tolerant if treated with care; outcomes can be managed to be sustainable
Preferences: Regulators/contracts to facilitate commerce; voluntary arrangements brokered by markets and prices
Egalitarian
Views: Nature is vulnerable; outcomes require altruism and common effort
Preferences: Precaution (irresponsible to take action which could harm the current or future state)
Individualist
Views: Nature is resilient; outcomes are a personal responsibility
Preferences: Personal responsibility; free of control; oppose top-down intervention; dislike organised societal learning
Message emphasis per type, as labelled on the slide: emphasise responsibility; emphasise impact; emphasise risk assessment; emphasise gains and losses
Four ways of life analysis (Prof. Dake)
Using the results of such a scientific analysis to our advantage
Hierarchists
Emphasize importance of
technology for decision
making
Focus on rules and
expected norms of
behaviour
Message must be delivered
by, or jointly, with line
management
Individualists
Appeal to personal
responsibility
Do not emphasize strict
rules, policies and
procedures
Use other distribution
channels than organized
training
Use MbO and appraisal
processes to reward desired
behaviour
We can/should focus on most frequent types
Risk and Security Perceptions
Scientific background
All persons simplify information to enable
decisions
Questionnaires and mathematical methods
are used to find out how persons perceive
and simplify complex information
The different ways of combining
information can provide insights into
thinking, blind spots, …
Risk and Security Perceptions
Assessment methodology
18 risk scenarios (stimuli), rated against 13 risk elements (attributes) on a 7-point bipolar scale (yardstick)
Risk elements (attributes):
Overall risk
Frequency
Likelihood
Stress
Accidental/deliberate
Recovery
Technology/human cause
Costs
Individual/organizational effects
Effects contained within/outside organisation
Embarrassment
Reputation
Major/minor consequences
Risk scenarios (stimuli):
Employee uses p/w
Data entry error
Coffee damages equipment
Y2k failure
Slow machines
No training
Power cut
Credit cards stolen
Internet use at work
Hacker steals
Payroll data lost
Disc stolen
Computer virus
Disclose personal data
Eye strain
Software fault
Poor software
Obsolete system
Risk and Security Perceptions
Presenting the results (UK Financial Sector)
Loadings of the risk elements, grouped as on the slide (axis names as labelled on the plot):
Probability: Frequency 0.803, Likelihood 0.592
Seriousness: Recovery 0.940, Reputation 0.902, Consequences 0.895, Effects in/out 0.867, Overall risk 0.814, Costs 0.711
Technology/Human causes: 0.808
[Figure: scatter plot of the 18 risk scenarios against the axes Seriousness and Probability, with Technology/Human causes as a further dimension; plotted scenarios: disc stolen, credit cards stolen, hacker steals, employee uses p/w, disclose personal data, data entry error, no training, poor s/w, slow machines, computer virus, obsolete system, internet use at work, s/w fault, eye strain, coffee damages equipment, payroll data lost, y2k failure, power cut]
Security Perceptions Survey
Results of such a survey give valuable insight (managers)
Managers concentrate, in their personal
risk evaluation, on:
impact on themselves
(embarrassment) and on the
organization (reputation)
past events (frequency) and
not the likelihood of an event
happening in future
Managers should (also)
observe:
Recoverability
Overall consequences
(impact)
Causes of possible problems
Probability, not frequency
Security Perceptions Survey
Results of such a survey give valuable insight (IT staff)
IT staff think about:
whom they can blame
(human cause or technical
failure)
how to manage risks
costs alone (they do not use other
factors, e.g. reputation,
embarrassment, …)
IT staff should focus more
on:
Individual and/or
organizational effects
Accidental/deliberate
causes
Embarrassment and stress
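The two survey slides above state findings without showing how the ratings are turned into them. The following is an added example, not part of the original presentation and not the method Prof. Dake or the author used: it takes a small, constructed set of ratings of the kind the methodology slide describes (risk scenarios rated against risk elements on a 7-point scale), computes each target group's mean rating profile, and uses the Pearson correlation of every risk element with the group's "overall risk" rating to rank the elements that drive that group's perception and to flag the ones it ignores. The choice of Pearson correlation as the "mathematical method", the 0.5 threshold for a blind spot, the six scenarios and six elements (a subset of the slide's 18 and 13), and all rating values are assumptions made for illustration; the constructed data is deliberately shaped so that managers track reputation and IT staff track costs, mirroring the qualitative findings on the slides.

```python
"""Added example (not from the original slides): analysing a risk-perception
survey by target group. Standard library only; all ratings are constructed."""

from math import sqrt
from statistics import mean

# A subset of the slide's 18 scenarios and 13 risk elements (assumption).
SCENARIOS = ["disc stolen", "hacker steals", "computer virus",
             "power cut", "coffee damages equip", "eye strain"]
ELEMENTS = ["overall", "reputation", "embarrassment",
            "frequency", "likelihood", "costs"]
BLIND_SPOT_THRESHOLD = 0.5  # assumed cut-off: below this, the group ignores the element

# Constructed respondent ratings: group -> respondents, each a dict
# element -> ratings in SCENARIOS order (1 = low, 7 = high on the bipolar scale).
SURVEY = {
    "managers": [
        {"overall": [7, 6, 5, 3, 2, 1], "reputation": [7, 6, 5, 3, 2, 1],
         "embarrassment": [6, 6, 4, 3, 2, 2], "frequency": [6, 4, 5, 3, 3, 2],
         "likelihood": [2, 3, 5, 4, 5, 5], "costs": [4, 5, 4, 6, 3, 1]},
        {"overall": [7, 5, 5, 3, 2, 1], "reputation": [7, 7, 5, 3, 2, 1],
         "embarrassment": [6, 5, 4, 3, 1, 2], "frequency": [5, 4, 5, 3, 2, 2],
         "likelihood": [2, 3, 4, 4, 5, 5], "costs": [4, 5, 4, 5, 3, 2]},
    ],
    "it_staff": [
        {"overall": [4, 6, 5, 7, 3, 1], "costs": [4, 6, 5, 7, 3, 1],
         "reputation": [6, 7, 4, 2, 1, 1], "embarrassment": [5, 6, 4, 2, 2, 2],
         "frequency": [2, 3, 6, 4, 5, 7], "likelihood": [2, 3, 6, 5, 5, 6]},
        {"overall": [4, 5, 5, 7, 3, 2], "costs": [5, 6, 4, 7, 3, 1],
         "reputation": [7, 7, 4, 2, 2, 1], "embarrassment": [5, 5, 4, 2, 2, 1],
         "frequency": [2, 3, 5, 4, 5, 6], "likelihood": [3, 3, 6, 5, 4, 6]},
    ],
}


def validate(respondent):
    """Reject incomplete questionnaires or ratings outside the 7-point scale."""
    for element in ELEMENTS:
        ratings = respondent.get(element)
        if ratings is None or len(ratings) != len(SCENARIOS):
            raise ValueError(f"missing or incomplete ratings for {element!r}")
        if any(not 1 <= r <= 7 for r in ratings):
            raise ValueError(f"rating outside 1..7 for {element!r}")


def group_profile(group):
    """Mean rating of every element for every scenario across the group's respondents."""
    respondents = SURVEY[group]
    for respondent in respondents:
        validate(respondent)
    return {element: [mean(r[element][i] for r in respondents)
                      for i in range(len(SCENARIOS))]
            for element in ELEMENTS}


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant (no information)."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / sqrt(vx * vy)


def perception_drivers(group):
    """Elements ranked by how strongly they track the group's overall-risk rating."""
    profile = group_profile(group)
    scores = {element: round(pearson(profile[element], profile["overall"]), 3)
              for element in ELEMENTS if element != "overall"}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def top_driver(group):
    """The single element that best explains what the group calls 'overall risk'."""
    return perception_drivers(group)[0][0]


def blind_spots(group):
    """Elements the group does not weigh when judging overall risk."""
    return [element for element, score in perception_drivers(group)
            if score < BLIND_SPOT_THRESHOLD]


def seriousness_ranking(group):
    """Scenarios ordered by the group's mean overall-risk rating, highest first."""
    overall = group_profile(group)["overall"]
    return [name for _, name in sorted(zip(overall, SCENARIOS), reverse=True)]


if __name__ == "__main__":
    for group in SURVEY:
        print(group, "drivers:", perception_drivers(group))
        print(group, "blind spots:", blind_spots(group))
        print(group, "most serious:", seriousness_ranking(group)[:3])
```

The output per group is what the two slides summarise in words: the top of the driver ranking is the message to build the campaign around (the slide's "what makes them tick"), while the blind spots are the elements the campaign has to make visible, for instance probability for managers and reputation or embarrassment for IT staff. With real survey data the element lists would be the slide's full 13 attributes and 18 stimuli, and correlation would be a first look before a proper factor analysis produces loadings like those on the results slide.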
Awareness Tool Set (I)
Wide range of possible marketing elements
Paper based
Articles
Brochures
Hand books
Posters, mini-posters
Stickers
Ads
Tips & tricks
…
Electronic
CBT
Videos
Intranet web site
E-learning / E-lab
Others
1-to-1 marketing
Security training
Security reps
Awareness Tool Set (II)
Wide range of possible marketing elements
Useful things
Mouse mat
Screen saver
Calendar
Office material
Note pads
Post-it
Pencils
Others
Table stand
Magnetic signs
Napkins, mugs
Toilet paper
Security calculator
Security games
Other give-aways
Security Brochures
Marketing and communication elements for awareness: Example A
Advantages
Highly attractive
Can really raise
understanding for
security
Can be produced to
appeal to the reader
Disadvantages
Difficult to ensure that
they are read
by everybody
completely
Tendency to contain
too much text and be
too long winded
Outdated when
printed
One-way
communication
Articles in Magazines
Marketing and communication elements for awareness: Example B
Advantages
High attentiveness
Interesting and
attractive messages
Disadvantages
Not personalised
Need to be done very
professionally
Articles soon lose their
attractiveness
One-way
communication
Videos
Marketing and communication elements for awareness: Example C
Advantages
Simple short messages
Can be easily
integrated into other
events
Huge variety possible
Many highly
professional videos
available for sale
Disadvantages
Very expensive, esp. if
individually produced
Have a tendency to be
exaggerated
Boring for trainers
that use videos
One-way
communication
Posters, Mini-posters
Marketing and communication elements for awareness: Example D
Advantages
Highly visible
Memorable
Concentration on most
important messages
Disadvantages
Distribution often
difficult or costly
Need space to hang
One-way
communication
Security Training
Marketing and communication elements for awareness: Example E
Advantages
Easily tailored
Personal
Participation can be
fun
Intensive knowledge
transfer
Opportunity for
questions
Highly satisfactory for
security officers
Disadvantages
Time consuming
Needs highly
sophisticated approach
Needs highly qualified
trainers
Rollout can be
organisationally
demanding
Visualisation
Define the corporate identity of the awareness campaign
Logos
define a security logo
Brand / CI
define a recognisable
brand
B/W or colour
not just a matter of cost
Photographs
of people
of “negative” scenes?
Cartoons
not at all?
for specific elements,
e.g.
e-learning
posters
in brochures?
Cross-linking Elements (II)
Some successful examples
Example C (2002)
Slogan
Logo (unofficial)
Articles
Brochure
Posters
Training
End users
Laptop users
Give-aways
Example C (cont)
E-learning for IT
Regulations
Developer
Operations/Admin
E-lab
Developer
Operations/Admin
Awareness Life Cycle
[Figure: cycle through the four stages of competence, with the transitions labelled on the slide in order: Awareness, Training, Experience, Complacency]
Level 0: unconscious incompetence
Level 1: conscious incompetence
Level 2: conscious competence
Level 3: unconscious competence
The optimal Campaign
My personal experiences of the last 13 years
Run it as a proper project
Project leader
Steering committee
Detailed time plan
Set of deliverables
Budget for 2-3 years
Address campaign to
different target
audiences
A good campaign:
Goals defined
Target audience
analysed
Staged over a longer
period
Multi-channel
approach
Highly cross-linked