Information security awareness initiatives: Current practice and the measurement of success
July 2007
Preface
The European Network and Information Security Agency (ENISA) is a European Union Agency created to advance the functioning of the Internal Market. The Agency’s mission is to achieve a high and effective level of network and information security within the European Union. ENISA commissioned PricewaterhouseCoopers LLP (PwC) to develop this report to offer a perspective on what governments and private companies are currently doing to assess the impact and success of awareness raising activities.
This study is intended to be used by professionals within organisations and public bodies that are tasked with planning, organising, and delivering information security awareness initiatives.
The study has focused on cultural change, the ways in which sets of metrics and key performance indicators (KPIs) can pay off, and how assessment methods (qualitative and quantitative) can contribute to the development of a wider culture of security. This involved gathering information on the current practices of a number of European government departments and companies, to:
• Provide an outline analysis of recommended security awareness practice and metrics to measure awareness;
• Provide an outline of key metrics that can be used to effectively assess awareness, as well as some high level;
• Convey the results of the survey to assess what entities are doing with regard to information security awareness;
• Provide case studies of good practice for awareness and measurement of effectiveness, or to highlight information of benefit; and
• Contribute to the development of an information security culture in Member States by encouraging organisations to act responsibly and thus operate more securely.
Research carried out for ENISA by PricewaterhouseCoopers LLP.
The research was carried out during May to July 2007 using a structured questionnaire. This was made available on a self-select basis to people responsible for information security in European government departments and companies. In total, 67 organisations headquartered in nine different European countries responded. Many of these had operations in several European countries. The size of the organisations varied from less than 50 staff to more than 10,000 staff. There was a spread of responses across all industry sectors. PwC then interviewed 12 of the 67 respondents in depth and wrote these interviews up as case studies. This report, therefore, gives an indication of what European organisations are currently doing to measure and improve information security awareness. Because of the self-select nature of this study and the limited sample size, the results should not be interpreted as statistically representative of European businesses and government departments as a whole.
About ENISA
ENISA is a European Union Agency created to advance the functioning of the Internal Market by advising and assisting Member States, EU bodies and the business community on how to ensure a high and effective level of network and information security. ENISA also serves as a centre of expertise for Member States and EU institutions that facilitates information exchange and cooperation.
Contact details: Isabella Santa, e-mail: awareness@enisa.europa.eu, Internet: http://www.enisa.europa.eu
The member firms of the PricewaterhouseCoopers network (www.pwc.com/uk) provide industry-focused assurance, tax and advisory services to build public trust and enhance value for its clients and their stakeholders. More than 140,000 people in 149 countries share their thinking, experience and solutions to develop fresh perspectives and practical advice. Unless otherwise indicated, ‘PricewaterhouseCoopers’ refers to PricewaterhouseCoopers LLP a limited liability partnership incorporated in England. PricewaterhouseCoopers LLP is a member firm of PricewaterhouseCoopers International Limited.
Executive summary
This report analyses how organisations and governments within the European Union (EU) are approaching information security awareness and the measurement of effectiveness. The report covers three main areas. The first part of the study looks at the importance of information security awareness and of specific topics to respondents (see pages 3 to 7). The main findings are:
• Information security is seen as a high or very high priority by four fifths of respondents;
• Much of this is driven by a need to provide assurance to customers that their sensitive data is protected. Identity theft is a significant concern;
• There is also widespread recognition that respondents are now heavily dependent on technology, and the Internet in particular. This leaves companies more exposed to information security threats than ever;
• In addition, there is increased regulatory focus on this area, both inside the EU and beyond;
• The consensus is that the most important topics for staff awareness are email, physical access, passwords and the Internet; and
• Instant messaging and clear desk policies are the least favoured topics.
The second part considers techniques to raise information security awareness (see pages 8 to 13). The main findings are:
• Almost every respondent has defined their security policies, either in their staff handbook or in a separate security policy. 85% of respondents have set up an intranet site that provides guidance to staff on information security matters. These techniques are seen as low cost basic disciplines. However, alone they are not effective ways to change staff behaviour;
• Respondents find training to be the most effective technique. 72% include security messages in induction training for new staff. Ongoing training for existing staff is much more patchy; the cost makes many respondents reluctant;
• Half of respondents are using computer-based training (CBT), and two thirds of these have mandated it; benefits cited are cost-effectiveness, consistency of delivery and the ability to measure results;
• Despite the high priority given to security, many respondents find it difficult to justify significant spend on awareness programmes. Only a third of respondents build a formal business case to justify this expenditure; of these, only half attempt to quantify the benefits that their awareness programmes will achieve, and very few evaluate return on investment (ROI); and
• Most respondents instead think of security awareness training as something they just have to do, i.e. a compliance requirement. As such, their budget is treated as an overhead rather than an investment.
The final part reviews the mechanisms and techniques that are used to measure information security awareness initiatives (see pages 14 to 20). The main findings are:
• A wide variety of different methods are used to measure the effectiveness of information security awareness initiatives. Organisations appear to find it very difficult to put effective quantitative metrics in place;
• There is little consensus on the most effective measures. This is clearly an area where good practice is evolving;
• Ideally, respondents would like to be able to measure actual changes in staff behaviours resulting from the awareness activities. As a consequence, relatively few respondents find input metrics (e.g. number of visitors to the intranet site, number of leaflets distributed) helpful;
• The most popular source of information on actual behaviours is audit (internal or external); two thirds of respondents use policy breaches highlighted in audit reports as a measure. The auditors’ objective and systematic approach was felt to make these reports reliable sources of information;
• Many respondents use security incidents as a metric. The most common metrics are the number of incidents caused by human behaviour and root cause analysis of the most serious incidents; more than half of respondents use each of these. Many other respondents, however, have abandoned security incident statistics as a measure of security awareness, since there are many other factors involved;
• A third of respondents include questions on security awareness in staff surveys. They then measure awareness levels before and after initiatives take place. However, some respondents highlight issues with the complexity of collecting and processing this data; and
• Some metrics are used because they provide insight into actual behaviours (e.g. scans or tests). Others are adopted because they resonate with the senior management that sponsor awareness programmes (e.g. cost of incidents). Each organisation needs to find the right balance for them; there is no “one size fits all” solution. Keeping the approach simple tends to keep it cost-effective.
Many currently struggle with quantifying security awareness; however, provided simple mistakes are avoided, a balanced set of key performance indicators (KPIs) and metrics can provide real insight into the effectiveness of awareness programmes. Only with this insight are [...] operations.
Overall, an iterative approach to security awareness programmes appears most effective, as illustrated below:
[Figure: the iterative awareness cycle, Inputs → Techniques → Measurement, feeding back into the inputs]
Inputs: information security policy; strategy; business case; risk assessment; budget; aims and objectives; legislation/compliance requirements. Success factors: executive sponsorship; whole business involvement; user buy-in; access to resources and time; cultural sensitivity.
Techniques: face-to-face training; induction training; policy; intranet sites; CBTs; tests and quizzes. Success factors: relevance of material; ease of access and use; mandatory over voluntary; targeted, risk-focused training; key management involvement.
Measurement types: security incidents/root cause; results of audits; survey of the business; tests of users’ behaviours; number of staff completing training. Success factors: know what you can measure; relevance of measurement; regular, timely assessment.
Importance of information security awareness
Organisations, whether private or public, are increasingly storing and making more information available electronically. There is a broad increase in reliance on IT systems. This is coupled with an extraordinary increase in the use of Internet services, which are becoming an increasingly important part of doing business. Lack of an Internet presence can be detrimental to organisations’ business objectives. The increasing use of IT systems to store and process information makes keeping this information secure more important. One of the key undertakings an organisation has is to ensure that staff act in an appropriate manner. This includes staff acting to keep sensitive information secure.
The Information Security Forum (ISF) is one of the world’s leading independent authorities on information security. Through surveys and research, the ISF have defined information security awareness as: ‘an ongoing process of learning that is meaningful to recipients, and delivers measurable benefits to the organisation from lasting behavioural change.’
Information security awareness is a major component of industry good practice for security. Several international standards refer to it as a prerequisite: ISO 27001; COBIT; the Payment Card Industry Data Security Standard (PCI DSS); and ISO 9001:2000. Some of the key drivers increasing the emphasis on information security awareness are:
• Business requirements are changing, as the use of technology (such as podcasts) evolves;
• Foreign regulators (e.g. the US and Singapore) are expecting staff to receive awareness training;
• The focus on security from regulatory bodies within EU Member States is increasing. A recent example is the UK Information Commissioner’s comments to UK Chief Executive Officers on “unacceptable privacy breaches”;
• The threat from organised crime is on the rise. A recent report on Internet security highlighted high levels of malicious activity across the Internet, with increases in phishing, spam, ‘bot’ networks, Trojans, and zero-day threats. In the past, these threats were usually distinct and could be addressed separately. Attackers are now refining their methods, so attacks tend to involve multiple attack vectors. They are also consolidating
Mobile phones and PDAs (Personal Digital Assistants, e.g. Blackberries) are a particular issue for financial services respondents. Organisations in this sector can make and lose money in short timeframes. Information tends to be more time critical to them and their staff. They, therefore, tend to be leaders in adopting technologies that provide information to staff right now.
There are two clear topics that are of perceived least importance to organisations. These are promotion of a clear desk policy and instant messaging.
The low priority given to awareness of clear desk policies is, perhaps, understandable. Many companies simply do not adopt or enforce such policies. They feel their physical access controls mitigate the risks sufficiently.
The low priority given to the use of instant messaging is more of a paradox given the high importance attributed to email. Both provide a mechanism for people to connect directly with external parties and to transfer information to them. They would appear to be very similar in nature and risk. There is a clear risk of uncontrolled distribution of confidential information through both media. Indeed, it could be argued that instant messaging poses a higher risk than the use of email, since email filters are often more sophisticated. It may simply be that some respondents have blocked instant messaging technology from working in their organisation, so do not feel they have to make staff aware of the risks.
International insurer – senior management commitment makes a big difference
An insurance company explained why information security is important to their business. They collect, store, and process significant amounts of financial, medical, and personal information. This information is their number one asset; confidentiality breaches could put their reputation at risk, as well as exposing them to harmful litigation. Unfortunately, the threats (such as identity theft and scams) are rising; this makes staff awareness vital.
The main challenge has been to develop an approach that is suitable for over 10,000 employees speaking many different languages. To address this, the company engaged an external provider to help them build suitable training plans and materials. To create the greatest impact with staff, training materials were translated into the local mother tongues of the countries concerned. There is a continual programme to adjust and promote the key messages. The objective of this is to change people’s behaviour and perception of risk.
Numerous techniques are used to reach the audience, since different people learn by different mechanisms. The most effective technique has been face-to-face time with staff through workshops and training sessions. Being able to put a face to a name or function is more personable, and people are more receptive to messages delivered face-to-face. The training is mandatory. Senior management actively support the awareness schemes, making sure training events are at convenient times for the business and promoting them to staff. There is good attendance at sessions since missing the events results in escalation to the employee’s manager. This senior management support across the business has proved to be critical to the success of the awareness programme.
Other non-interactive mechanisms, such as intranet articles, emails, posters and publications, are used to reinforce important messages. However, it has proved difficult to gauge how many people have read or understood the messages, and people can easily ignore them. So, they are used as a complement to, rather than a substitute for, classroom training.
The main measure of the impact of the awareness training is feedback and questionnaires completed on or shortly after training sessions. This feedback gives a good insight into the impact of the training on the individual. Generally this has been positive, with the vast majority saying that they have learned something new and will try to change their behaviours. Other ways to test awareness, such as checking the strength of passwords or mocking up social engineering type situations to gauge responses, have been considered. However, these are not used, due to concerns about dependence on other variables (such as the mood of the person), privacy and entrapment.
The company is now focused on ensuring that training continues to engage people; e-learning modules are being developed to add variety. A continual process is underway to enhance the relevance of the material to staff, so they can see the benefits and understand the risks more clearly.
International financial services group – changing times drive changing needs
A large international financial services group explained why a new approach to information security awareness has been implemented. The firm’s objective is for customers and staff to view the firm as the safest place to do business. The firm believes good security is good business. Given its size and the diversity of its operations, the firm and its customers are subject to continually changing threats. Fraudsters have always targeted banks, but the increasing use of the Internet has changed the nature of these fraud risks; keeping losses to customers and the firm under control is a strong driver for security.
There also appears to be a shift in the regulatory and cultural environment. Countries outside the EU (such as the US and Singapore) already have more prescriptive requirements for information security training. The climate within the EU appears to be changing. Information security and privacy are becoming more important on people’s agendas. In this changing environment, the bank wants to make sure it is ahead of the curve. This has driven some changes to their global awareness strategy over the last year. Corporate information security policy has been altered and awareness and training are now mandatory. Job descriptions and individuals’ objectives are being tailored to include information security responsibilities.
A challenge is the size and scope of the different divisions of the company. A centralised team is now in place to co-ordinate the awareness and training strategy and set training standards for information security awareness across the firm. Individual business units are then responsible for implementing the policy and standards in their local operations. The firm has found that the most important thing is to have a structured approach, and not just do things in an ad-hoc fashion. In this vein, the firm uses a variety of techniques to keep the messages and media channels fresh, including a security web portal. Keeping the material relevant and up-to-date has helped the effectiveness of the message.
Currently, there is not much face-to-face training, although there are plans to include more of this later in the programme. This will be initially targeted at the key influencers and managers, so that it has the biggest impact on the culture. If management buy into the importance of security awareness, they will drive and promote it within their business units. While some business units use computer-based training (CBT), it is not as widespread as was initially planned. There were plans for a centralised global CBT system. However, due to the diversity of the business and the cost of updating material, this was not implemented. Other techniques they have found to be ineffective are “free stationery”: pens, pencils, etc.
Despite the very structured and clearly defined approach adopted, quantitative assessment of the impact and effectiveness has proved problematic. An information security specific self assessment used to be carried out regularly to gauge the level of awareness among staff. However, this was discontinued since it required a large amount of resources to co-ordinate and analyse, and it was found that some of the results were misleading. People will answer surveys with the answers that they think you want to hear and not what is actually going on. The survey suggested staff knew procedures well; however, the results of internal and external audits showed that this was not always correct. The firm is now focusing on measuring and reporting on training, as well as watching the results of internal and external audits closely. Now that information security awareness and training requirements are set in policy, the central team can review audits and compliance measures to monitor the levels of awareness and the effectiveness of training.
Approaches to raise awareness
The foundation for any framework for information security awareness is a formal security policy. Without an outline ‘law’ covering the use of systems and information, enforcing good behaviour is very hard. Good practice standards place a strong emphasis on having an organisation-wide security policy. For example, ISO 27001 suggests that organisations implement training and awareness programmes. There is a requirement on management to ensure that people working for them apply security according to policies. To accomplish this they are required to provide appropriate awareness training and regular updates on organisational policies and procedures, as relevant for the job function, to all employees of the organisation and, where relevant, contractors and third party users. Incidentally, many standards also suggest or require that a company’s security policy should itself include user awareness training.
Recent surveys suggest that the number of companies with a formal security policy in place has never been higher. Among our respondents, 88% have a specific security policy, and 76% refer to security requirements in their staff handbook.
A key component of any information security policy and awareness training is to analyse the threats and risks that the business faces. This analysis should drive the areas that the policy and training need to cover. Every organisation faces changing environments, threats and risks.
To be effective, any awareness initiative should be supported by senior management. Ideally, it should have board or executive level endorsement, to enhance the importance of the topic with staff. If senior management do not treat awareness as important, it is unlikely that training will be successful.
Most standards recommend that a formalised approach is adopted to information security awareness. A virtuous circle involves three reinforcing elements:
1. Requirements analysis: Management need to identify what topics staff need to understand. Users should be made aware of the sections of the security policy that are relevant to their job function. Many standards suggest topics to consider, such as spyware, virus outbreaks and strong passwords.
2. Training tailored to role: Both contractors and employees should receive training, appropriately geared towards their role. They should also be regularly updated with any relevant changes to the security policies or procedures. Training needs to address how staff can implement security in their day-to-day procedures.
3. Ongoing review: The awareness programme’s content should be revisited and revised periodically. The effectiveness of the awareness programme on the intended participants should be reviewed regularly. Any appropriate changes to the original security policy should be reflected in the corresponding information security awareness training programmes.
Recent security surveys (such as the UK DTI information security breaches survey) indicate that:
• The vast majority of businesses take some steps to make their staff aware of their security responsibilities. Companies are doing more to educate their staff than in the past. Most large businesses include security responsibilities in their staff handbook and train new employees in security;
• Almost every company with a security policy takes steps to educate its employees about their security responsibilities; and
• The higher the priority that information security is to senior management, the more likely the company is to educate its staff. For example, only half of those for whom security is not a priority at all have taken any steps to raise awareness.
This study shows a consistent pattern. All the respondents use some techniques to make their staff aware of their security responsibilities. As with much else in business, having an approved budget is vital to achieving an effective awareness programme. It takes both time from staff and money to create appropriate materials. This is an investment in the future of the business; it should be approved by senior management. Despite the high priority given to security, many respondents find it difficult to justify significant spend on awareness programmes. Only a third of respondents build a formal business case to justify this expenditure;
International airline – engaging with the right people is critical
An airline explained why information security is a very high priority to their senior management. The terrorist threat continues to be severe. This makes it particularly important that staff pay attention to physical security. In addition, the airline captures and stores large quantities of personal and financial information (such as immigration data and credit card details). This data is frequently transferred between countries, so data protection and privacy are big concerns.
One big challenge is the number and diversity of staff employed – over ten thousand people spread across many countries, both within the EU and worldwide. A wide range of different techniques are used to reach different types of end user. For each department, a risk assessment is used to understand the type of information at risk, the nature of past incidents and the best way to communicate with staff. This then drives a tailored training approach. Giving the same training messages to cabin crew and to a database administrator, for example, just does not work.
Face-to-face sessions with staff have been by far the most effective technique, producing the greatest impact on awareness and behaviour. Both workshops and training sessions have been used. Having a person to talk to and an interactive forum for discussion can help to make people realise what they can and should be doing. The downside of face-to-face training is that it can be time intensive and costly to deliver. Targeting face-to-face training on the areas at greatest risk, coupled with the provision of computer-based training for lower risk areas, helps address this. Making the training as relevant and interesting to the target individuals as possible (e.g. including sessions on home computer security) can help overcome the perennial challenge of getting time in people’s diaries.
Posters and email messages have been the least effective at raising awareness. With both of these, there is a tendency to overburden people with information, which they do not fully take in. Also, these media are not interactive and tend not to provoke much thought in the reader.
When it comes to measuring the effectiveness of the awareness programme, quizzes and surveys have proved to be the most effective technique. Comparing the results before and after training gives a true reflection of the effectiveness of the training. Quiz responses also help gauge people’s understanding and often highlight weaknesses in specific areas. This has enabled management to fine-tune training messages or to produce targeted sessions to address any weaknesses.
The number of security incidents turned out to be an unreliable metric. People tend to think that, as people become more aware, there will be fewer incidents (i.e. awareness prevents breaches). However, the airline’s actual experience was that greater awareness resulted in a rise in reported incidents. In other words, the first benefit awareness brings is an improvement in the reporting of breaches.
Recently, the airline has started to create formal annual business cases for their security awareness programme. At this time, the benefits are not quantified and there is no formal tracking of return on investment.