Designing And Conducting Effective Information Security Awareness Programs

Understanding the Problem

Most of the time, information security awareness programs are conducted to fulfill a requirement, such as ISO 27001, a client requirement, or HIPAA Act guidelines. The sad truth is that even after multiple trainings and good scores in awareness tests, employees often fail to adhere to the security norms communicated to them during training programs. Here are some of the reasons why employees listen but fail to imbibe the security awareness knowledge:

  1. All employees are considered to be at the same level with respect to security knowledge. When awareness sessions are conducted jointly for employees with good and poor security knowledge, the session is hijacked by those with good knowledge. Employees with poor knowledge either do not ask questions out of fear or lose interest.
  2. Senior employees or C-level executives do not even turn up and just send a request for the presentation for self-reading.
  3. “All PPT without fun and practice makes the sessions boring”. Yes, it is true. The audience gets bored if they are just made to sit through a bunch of presentations with Do’s and Don’ts.
  4. Most of the Do’s and Don’ts are covered by technology. Controls like password complexity, password reuse, USB usage etc. can be pretty much controlled via technology. Attendees know all such controls are being managed by IT and hence fail to realize the risk.

Adopting a new approach for Design, Development and Delivery of InfoSec Awareness Programs:

Delivering a flattened awareness program via PPT, Web and some sort of physical or online test for all employees is seldom effective. CISOs, management and the InfoSec team need to understand that there are two specific objectives which should be met via such programs:

  1. Ensuring employees are aware of the broad aspects of information security and of organization policies.
  2. Ensuring information security incidents due to humans are minimized.

Considering the above two objectives and the above four factors for lack of training effectiveness, here is a three-pronged strategy for designing, developing and delivering effective InfoSec awareness programs:

1. Induction Training:

Induction trainings should focus on the wide aspects of information security, laced with real-life incidents pertaining to the same business domain. Some of the sites which can be used for gathering incident data are:,,, etc. The real-life incidents help in reinforcing the need for protection and adherence to security policies. Further, to involve the audience, the trainer can demonstrate sites such as,, and show breach stats from. If time permits, trainers can also show the insecure webcams, routers etc. from Shodan ( ). Such live examples can invoke a positive reaction from attendees. Ask Google deity for a bunch of breach-related case studies every time a session is planned to ensure you never run out of content.

2. Role specific Trainings:

Certain roles may require specialized training, for example the IT team, finance team, HR team, Sales, Web developers and C-suite etc. These roles have access to a lot of sensitive information, and most employees in these functions are fairly busy. Most social engineering attacks are carried out on these kinds of employees. For example, it’s very easy to carry out an attack on the HR team by serving a malicious link on their FB status. The finance team can be tricked into opening an infected PDF file sent from a spoofed email ID of a Sales guy or the CEO. Anyone can fall for a phishing email. The InfoSec team should consider the risks these teams can face and design awareness content suitable for such teams. Trainers can prepare awareness presentations on spear phishing, whaling etc. For the IT team, the awareness content needs to incorporate incidents due to patching, configuration errors, email spoofing, flawed deployments, poor log management practices etc.

3. Live Exercises:

This is the most difficult strategy to implement compared to the first two strategies. A live exercise means testing the awareness of employees against a simulated attack or situation. Employees can be put through phishing exercises, physical access or theft exercises and other social engineering attacks without any prior intimation or knowledge. Such exercises need to be planned and executed with approval from the CEO or CFO or MD. Live exercises are generally conducted at least once a year to understand the practical approach taken by employees towards an attack and hence can serve as a true indicator of the security awareness posture of the organization.

The 3 strategies described above can lead to the development of a well-sustained information security culture within the organization over a period of time. However, the question is how to measure the awareness levels of employees. So here are some KPIs that can be set and measured to check the performance over a period of time:

  1. Induction Program KPI: Number of employees trained in the first 7 or 15 days of their joining.
  2. Induction Awareness KPI: Individual scores in the awareness test after the induction program.
  3. Security Awareness Feedback KPI: Average of the satisfaction scores given by attendees. This can be anonymous feedback to take better inputs about the training content and trainer.
  4. Policy Violations KPI: Attempted policy violations, for example visiting a social media site or connecting a pen drive etc., found by analyzing logs. Tracking can be weekly, monthly or quarterly.
  5. Annual Awareness Score of Employee: Total of scores in all tests divided by the total number of tests conducted. So if a person has obtained 90% in 3 quarterly tests but did not attend the 4th test, he/she will actually be getting ([90*3]/4) 67% only as annual score.
  6. Phishing Attack KPI: Percentage of people who did not click or who clicked the link or opened the sent malicious document.

Remember that KPIs are to ensure employees enhance their knowledge and change their attitude towards security practices. While an individual’s KPIs can be linked to his/her KRAs, Management should ensure individual KPIs are not published internally or used by anyone to carry out any personal attacks.
Hope this article will help the readers in fine-tuning their awareness sessions.
You can follow me on Twitter @ISOGeek to get more updates on my thoughts about Information Security and Cybersecurity.