
In my company, we kicked off the Information Security campaign about 4 years ago, and this was focused very heavily on IT staff and processes (insurance industry). At that time we had very few security skills in house, so we brought in an external trainer to deliver the Security Awareness training. We worked with the trainer to develop the course content; the baseline they had was good, but we wanted to add ten topics unique to our environment. This allowed us to get 100% completion for IT staff training on the basics of Information Security - a jump-start, if you will. Cost was about $15,000 and covered all 80 staff members.
We set about developing our own IT security staffing resources, and this grew to become a two-person team: an InfoSec officer (manager/director level) and a Security Engineer. These two staffers then developed an online security awareness program that is required annual training for all IT staff members.
Our HR department had a tool set for delivering training (slide shows, animations, and a final exam). They also had a scheduler/tracking tool that would notify each user of their required training and keep bugging them until it was completed. So we leveraged the tools that HR had and used these to deliver our training. This is now part of our annual training cycle and is also required training for all new hires.
We have an annual review cycle for all of our IT policies and procedures, and we also review and update our Security Awareness training material in this same process.
This solved it for the IT side of the company. For the rest of the company, HR and Legal created an Acceptable Use policy. IT had input into that policy, and we worked with them on the “how and why” stuff. The HR dept is then responsible for ensuring that all employees (IT and everyone else) complete that training. They use the same tool set for developing and delivering this training as we do for the IT-only training.
My approach is “Awareness is not Behavior”. Increased “awareness” does not mean that actual “security practices” have improved.
To reflect my thoughts, I have started writing a methodology - HIM-IS (Human Impact Management for Information Security). You can get it at http://www.himis.org. It is under Creative Commons - no derivatives.
HIM-IS uses:
1) 4 models. They are:
a. ESP (Expected Security Practices Model) (Practice is my convenient way of denoting “Awareness + Behavior” together). ESP links to the information security requirements of the business.
b. Visibility model - How visible is your awareness campaign? Is the message reaching everyone? What are the channels of delivery (paper, email, web, etc.)?
c. Clarity model - How clear is the message? How many users told you that the campaign is good?
d. Enforcement/Motivation model - How will you motivate or enforce behavior change corresponding to the awareness?
2) These 4 models combine to create a roadmap for an “Information Security Awareness and Behavior management framework”. The steps are (roughly):
a. Target group identification
b. Defining the ESP (Expected Security Practices)
c. Do a baseline assessment using the ESP as the reference (an awareness and behavior assessment survey)
d. Determine weak areas to be improved based on assessment results
i. What and how much increase in awareness do I want?
1. Determine subjects of awareness
2. Determine content type
ii. What and how much increase in behavior do I want?
1. Determine behavior corresponding to awareness
2. Determine the way you will “MOTIVATE and ENFORCE” Behavior
e. Deliver the awareness campaign
f. Implement the enforcement strategy
g. Re-measure at the end of pre-defined time period