Educate Staff and Security Personnel xxxiii
Introduction
Educate Staff and Security Personnel
According to National Institute of Standards and Technology (NIST) Publication SP800-12 [18], the purpose of computer security awareness, training, and education is to enhance security by:
Improving awareness of the need to protect system resources;
Developing skills and knowledge so computer users can perform their jobs more securely; and
Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems.
Making computer system users aware of their security responsibilities and teaching them correct practices helps users change their behavior. It also supports individual accountability, which is one of the most important ways to improve computer security. Without knowing the necessary security measures (and how to use them), users cannot be truly accountable for their actions. The importance of this training is emphasized in the Computer Security Act, which requires training for those involved with the management, use, and operation of federal computer systems.
Awareness stimulates and motivates those being trained to care about security and reminds them of important security practices. Explaining what will happen to an organization, its mission, its customers, and its employees when security fails often motivates people to take security more seriously. Awareness can take on different forms for particular audiences. Appropriate awareness for management officials might stress management's pivotal role in establishing organizational attitudes toward security. Appropriate awareness for other groups, such as system programmers or information analysts, should address the need for security as it relates to their job. In today's systems environment, almost everyone in an organization may have access to system resources, and therefore may have the potential to cause harm.
Both dissemination and enforcement of policy are critical issues that are implemented and strengthened through training programs. Employees cannot be expected to follow policies and procedures of which they are unaware. In addition, enforcing penalties may be difficult if users can claim ignorance when they are caught doing something wrong. Training employees may also be necessary to show that a standard of due care has been taken in protecting information. Simply issuing a policy, with no follow-up to implement that policy, may not suffice. Many organizations use acknowledgment statements that employees sign to indicate that they have read and understand computer security requirements.
Awareness is used to reinforce the fact that security supports the mission of the organization by protecting valuable resources. If employees view security as just bothersome rules and procedures, they are more likely to ignore security policies. In addition, they may not make needed suggestions about improving security, nor recognize and report security threats and vulnerabilities. Awareness is also used to remind people of basic security practices, such as logging off a computer system or locking doors. A security awareness program can use many teaching methods, including videotapes, newsletters, posters, bulletin boards, flyers, demonstrations, briefings, short reminder notices at login, talks, or lectures. Awareness is often incorporated into basic security training and can use any method that can change employees’ attitudes. Effective security awareness programs need to be designed with the recognition that people tend to practice a tuning-out process (also known as acclimation). For example, after a while, a security poster, no matter how well designed, will be ignored; it will, in effect, simply blend into the environment. For this reason, awareness techniques should be creative and frequently changed.
Security education is more in-depth than security training and is targeted for security professionals and those whose jobs require expertise in security. Security education is normally outside the scope of most organizations' awareness and training programs. It is more appropriately a part of employee career development. Security education is obtained through college or graduate classes, or through specialized training programs. Because of this, most computer security programs focus primarily on awareness. An effective Computer Security Awareness and Training (CSAT) program requires proper planning, implementation, maintenance, and periodic evaluation. The following seven steps constitute one approach for developing a CSAT program:
Step 1: Identify Program Scope, Goals, and Objectives
Step 2: Identify Training Staff
Step 3: Identify Target Audiences
Step 4: Motivate Management and Employees
Step 5: Administer the Program
Step 6: Maintain the Program
Step 7: Evaluate the Program