Information security awareness initiatives: Current practice and the ...

More documents

Recommendations

Info

PrefaceThe European Network and Information Security Agency(ENISA) is a European Union Agency created to advancethe functioning of the Internal Market. The Agency’smission is to achieve a high and effective level of networkand information security within the European Union.ENISA commissioned PricewaterhouseCoopers LLP(PwC) to develop this report to offer a perspective onwhat governments and private companies are currentlydoing for assessing the impact and success of awarenessraising activities.This study is intended to be used by professionals withinorganisations and public bodies that are tasked withplanning, organising, and delivering information securityawareness initiatives.The study has focused on cultural change, the ways inwhich sets of metrics and key performance indicators(KPIs) can pay off, and how assessing methods(qualitative and quantitative) can contribute to thedevelopment of a wider culture of security.This involved gathering information on the currentpractices of a number of European governmentdepartments and companies, to:• Provide an outline analysis of recommendedsecurity awareness practice and metrics to measureawareness;• Provide an outline of key metrics that can be used toeffectively assess awareness, as well as some highlevel;• Convey the results of the survey to assess what entitiesare doing with regards information security awareness;• Provide case studies of good practice for awarenessand measurement of effectiveness or to highlightinformation of benefit; andThe research was carried out during May to July 2007using a structured questionnaire. This was made availableon a self-select basis to people responsible for informationsecurity in European government departments andcompanies. In total, 67 organisations headquartered innine different European countries responded. Many ofthese had operations in several European countries. Thesize of the organisations varied from less than 50 staff tomore than 10,000 staff. There was a spread of responsesacross all industry sectors. PwC then interviewed 12 ofthe 67 respondents in depth and wrote these interviewsup as case studies.This report, therefore, gives an indication of whatEuropean organisations are currently doing to measureand improve information security awareness. Becauseof the self-select nature of this study and limited samplesize, the results should not be interpreted as statisticallyrepresentative of European businesses and governmentdepartments as a whole.About ENISAENISA is a European Union Agency created to advancethe functioning of the Internal Market by advising andassisting Member States, EU bodies and the businesscommunity on how to ensure a high and effective level ofnetwork and information security. ENISA also serves as acentre of expertise for Member States and EU institutionsthat facilitates information exchange and cooperation.Contact detailsIsabella Santae-mail: awareness@enisa.europa.euInternet http://www.enisa.europa.eu• Contribute to the development of an informationsecurity culture in Member States by encouragingorganisations to act responsibly and thus operate moresecurely.Research carried out for ENISA by:The member firms of the PricewaterhouseCoopers network (www.pwc.com/uk) provide industry-focused assurance, taxand advisory services to build public trust and enhance value for its clients and their stakeholders. More than 140,000people in 149 countries share their thinking, experience and solutions to develop fresh perspectives and practical advice.Unless otherwise indicated, ‘PricewaterhouseCoopers’ refers to PricewaterhouseCoopers LLP a limited liability partnershipincorporated in England. PricewaterhouseCoopers LLP is a member firm of PricewaterhouseCoopers International Limited.
ExecutivesummaryThis report analyses how organisations and governmentswithin the European Union (EU) are approachinginformation security awareness and the measurement ofeffectiveness. The report covers three main areas.The first part of the study looks at the importance ofinformation security awareness and specific topics torespondents (see pages 3 to 7). The main findings are:• Information security is seen as a high or very highpriority in four fifths of respondents;• Much of this is driven by a need to provide assuranceto customers that their sensitive data is protected.Identity theft is a significant concern;• There is also widespread recognition that respondentsare now heavily dependent on technology, and theInternet in particular. This leaves companies moreexposed to information security threats than ever;• In addition, there is increased regulatory focus on thisarea, both inside the EU and beyond;• The consensus is that the most important topics forstaff awareness are email, physical access, passwordsand the Internet; and• Instant messaging and clear desk policies are the leastfavoured topics.The second part considers techniques to raise informationsecurity awareness (see pages 8 to 13). The main findingsare:• Almost every respondent has defined their securitypolicies, either in their staff handbook or a separatesecurity policy. 85% of respondents have set upan intranet site that provides guidance to staff oninformation security matters. These techniques areseen as low cost basic disciplines. However, alone theyare not effective ways to change staff behaviour;• Respondents find training to be the most effectivetechnique. 72% include security messages in inductiontraining for new staff. Ongoing training for existingstaff is much more patchy; the cost makes manyrespondents reluctant;• Half of respondents are using computer-based training(CBT), and two thirds of these have mandated it;benefits cited are cost-effectiveness, consistency ofdelivery and ability to measure results;• Despite the high priority given to security, manyrespondents find it difficult to justify significant spend onawareness programmes. Only a third of respondentsbuild a formal business case to justify this expenditure;of these, only half attempt to quantify the benefits thattheir awareness programmes will achieve, and very fewevaluate return on investment (ROI); and• Most respondents instead think of security awarenesstraining as something they just have to do, i.e. acompliance requirement. As such, their budget istreated as an overhead rather than an investment.Current practice and the measurement of success
Page 1: Information security awareness init
Page 5 and 6: Importanceof informationsecurityawa
Page 7 and 8: How important or unimportant is it
Page 9 and 10: International financial services gr
Page 13 and 14: There appear to be certain basic di
Page 15 and 16: seemingly insurmountable barriers a
Page 17 and 18: The advantage of process improvemen
Page 19 and 20: four approaches. Blending different
Page 21 and 22: Given the ease with which process i
Page 23 and 24: Legal NoticeNotice must be taken th

Information security awareness initiatives: Current practice and the ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?