The purpose of a security awareness program is to clearly demonstrate the “who, what, and why” of the policies and standards. Reading alone is not the most effective method of absorbing information and, once read, the message of the policies and standards is easily forgotten in the stress of the working day. If an organization wishes its policies and standards to have perpetual effect, it should commit to a perpetual program of reinforcement and information — a security awareness program.
Problems with budget may stop your employee information security awareness program before it gets properly started. Those who control budgets need to show due diligence by demonstrating the effect or the potential return on investment for every dollar spent, and information security awareness programs are notoriously difficult to quantify in this way. What is the return on investment? Increased employee awareness? And how does that contribute to the profitability of the enterprise? These are difficult numbers to demonstrate.
However, if we look at the things that an organization would like to avoid, justifying the cost of an employee information security awareness program becomes easier. Most information security programs struggle with issues such as access control (password management, sharing computer sessions, etc.), e-mail practices, and virus management; so, if your Information Security staff can find a way to address these issues as benefits of the information security awareness program, then you have a way to justify the expense of that program.
The way to address these issues is through measurement. Information Security staff must understand what it is that they are trying to improve (and “security awareness” is too fuzzy a subject to talk about improving). If your organization is trying to improve users’ access control habits, then Information Security staff must start by finding ways to measure them. These can include password cracking software such as L0phtCrack or sampling walk-throughs where a given number of workstations are observed and a record is made of how many are left unattended and logged on.
Similarly, if your organization wants to improve e-mail habits, observation of e-mail traffic before any security awareness activity will be necessary. Some organizations have made use of “honeypot” e-mails — in other words, e-mails that coax users into behavior that we will later teach them to avoid — to measure the effect of their information security awareness program on e-mail habits.
Audit findings and workpapers will also provide valuable measurements at no cost to the Information Security department.
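The measurement approach above (sampling walk-throughs for unattended logged-on workstations, honeypot e-mails for e-mail habits) only justifies budget if the before-and-after numbers are recorded and compared honestly. The following script is an added example, not from the book: it takes constructed walk-through and honeypot-mailing tallies, pools them per period, and reports the baseline and follow-up failure rates with a Wilson confidence interval, because a walk-through of forty workstations is a small sample and the point rate alone overstates its precision. The record fields, the period labels and all counts are assumptions made for the example.

```python
"""Baseline-versus-follow-up awareness metrics from sampling walk-throughs
and honeypot e-mail results.

Added example; not the book's code. Every record below is constructed
sample data, and the field names are assumptions chosen for the example.
"""
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Observation:
    period: str      # "baseline" or "follow-up" (assumed labels)
    metric: str      # "unattended_logged_on" or "honeypot_clicked"
    department: str
    failures: int    # workstations left logged on / users who clicked
    sample: int      # workstations observed / honeypot e-mails delivered


# Constructed sample data: two walk-throughs and two honeypot mailings,
# one round before the awareness program and one round after it.
OBSERVATIONS = [
    Observation("baseline", "unattended_logged_on", "finance", 9, 40),
    Observation("baseline", "unattended_logged_on", "ops", 14, 60),
    Observation("baseline", "honeypot_clicked", "finance", 12, 50),
    Observation("baseline", "honeypot_clicked", "ops", 21, 70),
    Observation("follow-up", "unattended_logged_on", "finance", 3, 40),
    Observation("follow-up", "unattended_logged_on", "ops", 7, 60),
    Observation("follow-up", "honeypot_clicked", "finance", 5, 50),
    Observation("follow-up", "honeypot_clicked", "ops", 9, 70),
]


def wilson_interval(failures, sample, z=1.96):
    """95% Wilson score interval for a proportion. Walk-throughs are small
    samples, so report the interval rather than only the point rate."""
    if sample == 0:
        return (0.0, 0.0)
    p = failures / sample
    denom = 1 + z * z / sample
    centre = (p + z * z / (2 * sample)) / denom
    half = z * sqrt(p * (1 - p) / sample + z * z / (4 * sample * sample)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def failure_rate(observations, period, metric):
    """Pooled (failures, sample, rate) for one metric in one period."""
    rows = [o for o in observations if o.period == period and o.metric == metric]
    fails = sum(o.failures for o in rows)
    total = sum(o.sample for o in rows)
    return fails, total, (fails / total if total else 0.0)


def improvement(observations, metric):
    """Relative reduction of the failure rate from baseline to follow-up,
    with each period's interval so the reader can see whether the two
    intervals even overlap before claiming an effect."""
    bf, bt, base = failure_rate(observations, "baseline", metric)
    ff, ft, follow = failure_rate(observations, "follow-up", metric)
    return {
        "metric": metric,
        "baseline_rate": round(base, 3),
        "baseline_ci": tuple(round(x, 3) for x in wilson_interval(bf, bt)),
        "followup_rate": round(follow, 3),
        "followup_ci": tuple(round(x, 3) for x in wilson_interval(ff, ft)),
        "relative_reduction": round((base - follow) / base, 3) if base else 0.0,
    }


def report(observations=OBSERVATIONS):
    """One summary row per metric, in a stable order."""
    metrics = sorted({o.metric for o in observations})
    return [improvement(observations, m) for m in metrics]


if __name__ == "__main__":
    for row in report():
        print(row)
```

The per-department field is kept in the records so the same data can be cut by department when a particular business unit needs its own numbers; the pooled rates are what go into the budget justification.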
As for the content and mechanics of the awareness program, the following general advice should prove useful.
3.3.1 Frequency
One of the main factors in the success of the employee information security awareness program will be the frequency with which the message is delivered to staff. If the message is delivered too often, it will become background noise — easily ignored. On the other hand, we want the message to be in employees’ minds as much as possible, so delivering the message too infrequently can be as damaging as delivering it too often. Information security awareness programs are basically advertising — with an educational message. The messages might begin with a PowerPoint presentation, which focuses heavily on:
Information security policies
Information ownership
Information classification
Good information security practices
Because employee information security awareness is an ongoing process, the messages will vary over the first year according to how much information security program activity has already taken place and how well the implementation of other information security program components has gone.
In the first year, you should aim to deliver the messages outlined above, plus messages on:
Information security standards
Information security monitoring
Information security performance measurement
More information security good practices
Of course, while delivering these messages, the employee information security awareness program should also reinforce the original messages.
3.3.2 Media
AU1957_book.fm Page 46 Friday, September 10, 2004 5:46 PM
One of the main factors in the success of the employee information security awareness program will be the composition of the media used. Each media element has its strengths and weaknesses, and so the media for delivery must be carefully selected to ensure that the message of the program is communicated as effectively as possible. To rely on one medium — that is, video, posters, PowerPoint presentations, etc. — would deaden the message. Staff would become used to seeing whatever medium or media were chosen and would begin to ignore it. The key is to use a mix of media and a frequency of message delivery that achieves the level of consciousness of security issues that the organization has chosen.
We live in a video generation. News, entertainment, streaming video on the Internet, advertising, and education all come at us in video format. It makes sense, then, to consider custom video as a medium for delivering the employee information security awareness message — at least in part. The main “plus” of custom video, of course, is the sense of immediacy. The “minus” — equally obvious — is cost, although a number of organizations offer ready-made information security awareness videos. Most organizations, however, still rely on presentation software such as PowerPoint. It is familiar and, if done right, can still add some “zip” to the message — the biggest “plus” of using it. Other plusses are that presentation software is easy to use and easy to modify. You should consider using PowerPoint for your initial employee information security awareness offering and should not plan to use any more PowerPoint presentations during the first year. (We have all been subjected to “death by PowerPoint,” the feeling that comes when presentations lack presence, go on too long, or are too frequent. Too many PowerPoint presentations will quickly kill audience interest in the program.)
Whether using video or presentation software, you should consider putting the definitive version of the presentation on the organization’s Web server. Note that this has the potential to create bandwidth problems and should be discussed with IT before any plans are made. However, having the definitive version of any presentation on the company’s Web server does allow universal access and provides savings from lower travel and “train the trainer” costs. Some companies — rich in bandwidth — stream the presentation to all company sites; but for those who do not have this bandwidth (or do not want to use it for this purpose), putting the definitive version on the company’s Web server is still a good idea, because it allows people to access the definitive version of the presentation at a time convenient to them.
In addition to the media outlined above, one must consider the use of booklets, brochures, newsletters, and “giveaway” items to supplement the core media of the program. Most people react well to something they can hold in their hand; and while the readership rate of booklets, etc., may be low, every employee who reads this material enhances the effectiveness of the media already discussed.