Information security awareness initiatives: Current practice and the ...

More documents

Recommendations

Info

Measuring the effectiveness of awareness programmesPublic department – blocking and monitoringA government department explained why enforcingpolicy and measuring people’s behaviours are critical togood security awareness. Security of the personal datathey store and process is vital to maintaining the publictrust. The time sensitivity of this information is higherthan in most private companies. Threats to it, fromforeign governments, criminals, and journalists, arenumerous. To maintain security, the department needsa rigorous, comprehensive control and awarenessframework.One challenge they face is a high turnover of staff, 30-40% per year. With so many transient staff, maintainingeffective awareness is difficult. A key technique to dothis is the use of comprehensive induction training.This covers important topics including data privacy andinformation security. Staff have to sign to confirm theyunderstand and will abide by the department’s policies.Cost effectiveness drives the approach adopted to raiseawareness. The use of intranet sites and emails havebeen effective. These are instantly available to staff;they can convey important messages quickly and to awide audience. Surveys were used in the past to gaugeawareness; however, response was low and the resultsdid not always provide the required information.Where possible, information security requirements areautomated, i.e. built into systems. Manual spot checksare also used, targeted at high risk systems and areas.Penetration testing and social engineering are usedto assess people’s actual behaviours. In addition, toensure staff are following policy, a random sample ofusers’ emails are audited. Based on these, a ‘securityleague table’ report is sent to management. Thisencourages people to improve their areas. Wherespecific weaknesses are found, they are addressedwith targeted training.Incidents are also tracked. Due to the relatively lownumbers of events, slight increases can be easily seenand analysed. The results are used to target furtherawareness training if any trends are found. Previousanalysis showed that new joiners had lower awarenessand changes were made to induction training toaddress this. Further monitoring of the awareness isaccomplished through yearly audits for compliance withISO 27001.How do you measure the level of information security awareness in your organisation?Results of audits (by internal or external auditors)66%Number of security incidents due to human behaviourThe root causes of the most serious incidents54%58%Proportion of security incidents due to human behaviourNumber of staff successfully completing awareness trainingcoursesResults of staff security surveysResults of scans for viruses and unauthorised softwareQualitative feedback from focus groups or staffCost of security incidents reported due to human behaviourProportion of downtime due to human behaviourTesting whether staff follow correct proceduresNumber of visitors to security intranet websiteResults of periodic self-assessments by managementProportion of purchases that have been made with security inmindDistribution of security policy or leaflets6%4%37%36%34%31%28%27%27%25%22%19%18 ENISA – Information security awareness initiatives:
Given the ease with which process improvement measurescan be captured, the number of respondents using them islow. Ideally, respondents would like to be able to measureactual changes in staff behaviours resulting from theawareness activities. As a consequence, relatively fewrespondents find input metrics (e.g. number of visitors tointranet site, number of leaflets distributed) helpful. Themost used measures of this type are the number of staffreceiving training and qualitative feedback from staff on theprogramme; roughly a third of respondents used each ofthese metrics.There is little consensus among respondents on the mosteffective measures. This is clearly an area where goodpractice is evolving.Even the most popular metrics had been found wantingin some organisations. For example, many respondentshave abandoned security incident statistics as a measureof security awareness. One reason is that there are manyother factors driving the number of security incidents.Another is that the volume is (mercifully) low and hencespiky in nature; this makes trend analysis difficult.Overall, there was a good correlation between the metricsthat were highlighted as most effective and the mostpopular metrics in actual use across all respondents. As agroup, they seem to have learned a lot over the years; theirpast experience of what works well has shaped what theydo today. Most respondents acknowledge that they arecontinuing to improve their approach, but there is much tolearn from what they do today.Generally the results did not show significant differencesbetween the sectors of respondents. This indicates thatwhat people have found to be effective across industriesis broadly similar. Although one particular item of note wasthat financial services organisations were less likely to usemetrics related to the costs of incidents than government,retail, telecommunication and utilities.Many respondents have encountered problems in thepast, putting effective quantitative measures in place. Itis important that the method any organisation uses toproduce and collect awareness indicators addresses thesecommon issues. The main concerns raised by respondentsin this study include:• Quality and comparability issues. A particular issuehere is with staff surveys, where the exacting wordingand the placement of the question in the survey canaffect the answers given. Often staff tell surveys whatthey think management want to hear, not necessarilywhat they really think. Compliance returns from seniormanagement (e.g. self assessments) can also bemisleading; the people signing the returns are oftendivorced from the detail of their operations and so reportwhat they are told by their teams;• Relevance. It is important not to take the wronginference from measures. For example, an increase invirus infection rates may indicate a problem with staffawareness, but it could equally be an issue with the antivirussoftware. A rise in security incidents could indicatea problem with awareness (more actual breaches),What metrics have proved effective at measuring the success of information security awareness activities?Number of security incidents due to human behaviour-416Audit findings6Results of staff surveys-45Tests of whether staff follow correct procedures-15Number of staff completing training5Qualitative feedback from staff3Cost of Security incidents due to human behaviour-12Number of visitors to Security Intranet site-12Proportion of downtime due to human behaviour2Results of scans for viruses and unauthorised software-21Number of policies/Leaflets distributedReturn on investment-2-2Most effectiveLeast effectiveCurrent practice and the measurement of success 19
Page 1 and 2: Information security awareness init
Page 3 and 4: ExecutivesummaryThis report analyse
Page 5 and 6: Importanceof informationsecurityawa
Page 7 and 8: How important or unimportant is it
Page 9 and 10: International financial services gr
Page 13 and 14: There appear to be certain basic di
Page 15 and 16: seemingly insurmountable barriers a
Page 17 and 18: The advantage of process improvemen
Page 19: four approaches. Blending different
Page 23 and 24: Legal NoticeNotice must be taken th

Information security awareness initiatives: Current practice and the ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?