xxxiv Educate Staff and Security Personnel
implement that policy, may not suffice. Many organizations use acknowledgment statements that employees sign to indicate that they have read and understand computer security requirements.
Awareness is used to reinforce the fact that security supports the mission of the organization by protecting valuable resources. If employees view security as just bothersome rules and procedures, they are more likely to ignore security policies. In addition, they may not make needed suggestions about improving security, nor recognize and report security threats and vulnerabilities. Awareness is also used to remind people of basic security practices, such as logging off a computer system or locking doors. A security awareness program can use many teaching methods, including videotapes, newsletters, posters, bulletin boards, flyers, demonstrations, briefings, short reminder notices at login, talks, or lectures. Awareness is often incorporated into basic security training and can use any method that can change employees’ attitudes. Effective security awareness programs need to be designed with the recognition that people tend to practice a tuning-out process (also known as acclimation). For example, after a while, a security poster, no matter how well designed, will be ignored; it will, in effect, simply blend into the environment. For this reason, awareness techniques should be creative and frequently changed.
Security education is more in-depth than security training and is targeted for security professionals and those whose jobs require expertise in security. Security education is normally outside the scope of most organizations’ awareness and training programs. It is more appropriately a part of employee career development. Security education is obtained through college or graduate classes, or through specialized training programs. Because of this, most computer security programs focus primarily on awareness. An effective Computer Security Awareness and Training (CSAT) program requires proper planning, implementation, maintenance, and periodic evaluation. The following seven steps constitute one approach for developing a CSAT program:
Step 1: Identify Program Scope, Goals, and Objectives
Step 2: Identify Training Staff
Step 3: Identify Target Audiences
Step 4: Motivate Management and Employees
Step 5: Administer the Program
Step 6: Maintain the Program
Step 7: Evaluate the Program