Improving Delivery Effectiveness of Information Security Learning Continuum
Mansoor Faridi
Fort Hays State University
July 28, 2015
Author Note
Mansoor Faridi, Department of Informatics, Fort Hays State University.
Mansoor Faridi is a graduate student at Fort Hays State University specializing in
Information Assurance Management. He lives in Toronto and can be contacted at
[m_faridi@mail.fhsu.edu].
Table of Contents
Abstract 1
Introduction 2
Components of Information Security Learning Continuum 3
    Awareness 3
    Education 3
    Training 4
Critical Success Factors 5
    People 6
    Process 7
    Technology 7
Improving Effectiveness 7
    Baselining Pre-training Results 8
    Continuous Improvement 9
    Rebaselining Post-training Results 9
    Shortcomings and Best Practices 9
Conclusion 10
References 11
Improving Delivery Effectiveness of Information Security Learning Continuum 1
Abstract
Users in all organizations globally are either the strongest or the weakest link when it comes to
ensuring the confidentiality, integrity, and availability of critical data. Various organizations design,
develop, and implement information security learning programs; however, the effectiveness of their
implementation varies owing to a variety of factors.
This research paper proposes a model to improve the delivery effectiveness of the information
security learning continuum. The research is aimed at the identification, analysis, and evaluation of
the essential ingredients required by this learning model, such as a detailed methodology, critical
success factors, and organizational best practices. The success of this model lies in its dynamic
nature: its continuous feedback collection mechanism is aimed at finding efficiencies and
incorporating them, on a continuing basis, to ultimately improve the delivery of organizational
learning activities.
Among the numerous best practices, developing and quantifying metrics is paramount to the
successful delivery of the information security learning program, and continuous improvement of
the continuum (based on the collected feedback) is the key to successful program delivery.
Keywords: information security awareness, information security governance, information
security education, continuous improvement
Introduction
This research paper proposes a model to improve the delivery effectiveness of the information
security learning continuum. The research is aimed at the identification, analysis, and evaluation of
the essential ingredients required by this learning model, such as a detailed methodology, critical
success factors, and organizational best practices. The success of this model lies in its dynamic
nature: its continuous feedback collection mechanism is aimed at finding efficiencies and
incorporating them, on a continuing basis, to ultimately improve the delivery of organizational
learning activities.
The Components of Information Security Learning Continuum section describes the three
essential components of the information security learning continuum: awareness, education, and
training.
The Critical Success Factors section establishes people, process, and technology, and the
overlap among them that produces the sweet spot from which the critical success factors for
improving the delivery effectiveness of the information security learning continuum are derived.
The Improving Effectiveness section delves into the details of improving the effectiveness of
the information security learning continuum through baselining, engaging in continuous
improvement activities based on the baseline results, and rebaselining the learning program. It
concludes by presenting a list of shortcomings and best practices to address them.
The Conclusion section presents a summarized conclusion of this report while highlighting
the importance and relevance of this topic.
Components of Information Security Learning Continuum
Information Security (or InfoSec) is the practice of ensuring the confidentiality, integrity, and
availability of data by protecting it from unauthorized access. To improve the effectiveness of an
organization’s information security, its education, awareness, and learning activities should be
designed and developed with due care so that they are delivered effectively.
In most organizations, information security learning activities comprise awareness,
education, and training in some shape or form. All three elements entail both formal and
informal activities, which are discussed below in more detail. It is important that all three stages are
designed and developed by a qualified professional with an intimate familiarity with the nuances
of adult education. The most common dominant learning styles (visual vs. auditory) should be kept in
view when designing the learning activities. In addition, it has been proven that adults learn more
effectively by performing (and discovering) the task at hand in social settings, so these
known tendencies need to be incorporated for a fun learning experience (Michigan State University, 2015).
Awareness
This component is the most important of all (the others being Education and Training), as
it is the starting point at which users’ attention is focused on security issues and they
acknowledge those issues. At this stage, users are normally the recipients of
information and do not actively participate (NIST, 1998, p. 15). The aids used in awareness
campaigns depend on scope, breadth, and budget; however, common items include
newsletters, posters, brochures, flyers, videos, promotional slogans, trinkets, mouse pads, etc. An
effective awareness campaign will stress the ever-changing threat landscape, identify threat
vectors, and demand timely adjustments to the awareness content being delivered.
Education
After awareness comes Education. At this stage, users are aware of the security issues
that exist and are looking forward to educating themselves. This stage integrates all of the security
skills and competencies of the various functional specialties into a common body of knowledge.
It also adds a multi-disciplinary study of concepts, issues, and principles (technological and
social). This stage strives to produce users capable of recognizing threats and being proactive
in their response (NIST, 1998, p. 16). An important characteristic of education is that users must
understand why information security is important for the organization (Schlienger & Teufel,
2003).
Training
This is the third and final stage in the learning life cycle. By this time, the users have
been educated on the security issues and are ready to be trained on how to behave
securely in the information security context. This level strives to produce the relevant and needed
security skills and competency in practitioners of functional specialties other than IT security
(e.g., management, auditing). Training on special security tools (or features) within applications
must also be offered (NIST, 1998; Schlienger & Teufel, 2003).
Another important aspect of these learning programs is the adoption of a multi-level
approach to test design. At the initial level (or Primary State), users should only be asked to
recall, recognize, and/or understand information security concepts, for example confidentiality,
integrity, availability, and non-repudiation.
The next, intermediate level (or Secondary State) of learning should test users’ ability to
apply the learned concepts to real-life situations, to enhance their understanding of the issues at
hand: for example, identity and access management workflows, data retention issues, evolving
threat vectors, the need for data quarantine and sanitization, etc.
The advanced level (or Target State) of testing should encourage users to synthesize their
learning in order to analyze and interpret real-life information security situations and draw
meaningful conclusions. This also helps users become proactive participants who support
organizational security initiatives and raise a flag in case of any abnormal online activity.
Users who have attained the Target State will seek knowledge proactively. This target level
of expertise goes well beyond exploring basic information security concepts, and should be the
ultimate sweet spot that trainers aim for when designing test exercises.
Critical Success Factors
The integration of the people, process, and technology entities forms an important troika, the
overlap of which leads to the creation of critical success factors (see Figure 1 below). All three
elements entail both formal and informal activities necessary for the effective implementation of the
learning program. Each entity comprises various essential components, discussed below in more
detail.
Figure 1. Troika – People, Process, Technology
People
First and foremost, the effective implementation of an information security learning program
requires executive sponsorship to set the ‘tone from the top’, which helps secure the required
resources and highlights the importance of the initiative. Executive sponsors can also
influence their counterparts in ensuring that the message is received positively across the
organization.
While executive sponsorship is a must-have, delegating sponsorship at a
local level (e.g., to a local Business Unit Champion) does wonders. It is important that this local
sponsor be at the management level, with a good amount of influence.
Secondly, users are always deemed to be the weakest link. It is therefore important for
individual users to buy in to the idea, realize the importance of this mission-critical initiative,
and be able to view themselves as empowered users who make a significant difference in
protecting the organization’s critical assets on a daily basis.
Users should be sent short quizzes over time. The responses, both correct and incorrect,
are a gold mine of information for identifying users' understanding of various information security
issues, and for reinforcing concepts that most users failed to fully comprehend.
Unannounced drills, such as planned phishing attacks in coordination with IT, should be
executed (and data collected) to determine the level of readiness by analyzing the number of
users who fell prey to such attacks. This data will help remediate and reinforce the understanding of
information security concepts.
Finally, the subject matter experts (SMEs) delivering the program play an important role in
delivering relevant, appropriate, and engaging content to produce a well-informed class of
users. It is paramount to select SMEs with the right qualifications, and most importantly with
superior communication skills, to deliver an effective learning experience.
Process
This entails the formalization of policies, procedures, and standards, while defining metrics,
measurements, and feedback mechanisms in order to integrate the overall learning program. An
important aspect of this component is the sharing of knowledge and information via an internally
shared repository. The various aspects defined here are discussed in further detail in later
sections.
Technology
Various technologies can be leveraged, suited to the size of the organization. A small
organization may want to measure and report manually, whereas an enterprise-level
organization may choose to automate the entire process end-to-end.
Regardless of size, organizations should have tools to record, measure, and report on
metrics such as non-compliance, course completion statistics, and continuous monitoring of users'
online activities (e.g., access to inappropriate websites). Technology should also be
leveraged to solicit user feedback on various issues, and to share knowledge and information via
online spaces (e.g., wikis, SharePoint, the intranet). With the aid of Active Directory
authentication, technology should also support role-based access control (RBAC),
segregation of duties, least privilege, need-to-know, and time-limited access, so that only authorized
users are let in.
Improving Effectiveness
Figure 2 (below) represents the information security learning continuum, which
conceptualizes a proposed model to baseline, monitor, improve, and re-baseline the program on a
continuing basis. According to this model, a gap assessment should be performed to compare the
current state with the desired future state. This target setting promotes competition while serving as
a roadmap towards the final destination (i.e., the Target State). The model also requires
quantification of the time horizon, to set milestones and deliverables, and the definition of metrics to
baseline against.
Figure 2. Information security learning continuum
Baselining (Pre-training Results)
The next step is to consolidate and baseline the in-scope organizational metrics. To do this,
current measurements need to be recorded. This starting point serves as an indicator throughout
the learning continuum of the organization's current state and the remaining ‘distance’ to the
target state.
It is recommended that, half-way through the journey, user feedback is formally solicited
from all stakeholders, in addition to the measurements obtained for the pre-defined metrics
(Greaux, 2013). This step helps in determining whether any changes or modifications are warranted to any
part of the process and/or the overall learning program. Some of the suggested metrics are as follows:
Table 1. Metrics and their rationale
Metric / Data collected and reviewed
User engagement: Successfully reaching out to all users, and the rate of completion of all education,
training, and awareness activities as they are rolled out during the course of a year.
Quality of responses: It is important to identify wrong responses for all learning activities, and then
draw out trends for subsequent analysis. This enables developers to identify user strengths, and
also areas that require further emphasis to readily address knowledge gaps.
Security breaches (internal): Internal security breaches should be recorded for later root cause
analysis. This will serve as an input when designing learning activities.
Periodic testing: Data from testing activities (e.g., internally generated phishing emails) should be
analyzed to gauge users’ knowledge level of InfoSec issues.
Continuous Improvement
After baselining, the program needs to be continuously monitored and improved. Input can
take the form of automated monitoring, user feedback, process change requests, etc. Refer to
Figure 2 for the mechanisms in place for feedback, process change requests, etc.
Re-baselining (Post-Training Results)
After formal training delivery, measurements need to be taken again and compared against
the initial readings taken when baselining. The delta between the two will help determine the
implementation effectiveness of the overall program, while identifying specific opportunities for
improvement.
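The quiz-response analysis described under People and the baseline/re-baseline comparison above can be carried out with a small script. The following is an added example, not code from the paper or its author; the quiz records, the Table 1 style program metrics, their values and the 50% "weak concept" threshold are all constructed for illustration. Note that the sign of a delta is only meaningful once each metric's direction is known: a rising completion rate is an improvement, a rising phishing-drill click rate is a regression.

```python
"""Quiz-response analysis and baseline vs. post-training comparison.

Added example; not part of the paper. All data below is constructed.
"""
from collections import defaultdict

# Constructed quiz records: (measurement round, anonymised user id,
# concept tested, answered correctly?). Concepts follow the Primary State list.
QUIZ_RESPONSES = [
    ("baseline", "u1", "confidentiality", True),
    ("baseline", "u2", "confidentiality", True),
    ("baseline", "u3", "confidentiality", False),
    ("baseline", "u1", "non-repudiation", False),
    ("baseline", "u2", "non-repudiation", False),
    ("baseline", "u3", "non-repudiation", True),
    ("baseline", "u1", "data-retention", False),
    ("baseline", "u2", "data-retention", False),
    ("baseline", "u3", "data-retention", False),
    ("post", "u1", "confidentiality", True),
    ("post", "u2", "confidentiality", True),
    ("post", "u3", "confidentiality", True),
    ("post", "u1", "non-repudiation", True),
    ("post", "u2", "non-repudiation", False),
    ("post", "u3", "non-repudiation", True),
    ("post", "u1", "data-retention", False),
    ("post", "u2", "data-retention", True),
    ("post", "u3", "data-retention", False),
]

# Constructed program-level metrics (Table 1 style). The direction says which
# way an improvement goes; without it a raw delta is easily misread.
METRIC_DIRECTION = {
    "course_completion_rate": "higher",
    "phishing_drill_click_rate": "lower",
    "internal_breaches": "lower",
}
BASELINE_METRICS = {"course_completion_rate": 0.62,
                    "phishing_drill_click_rate": 0.31, "internal_breaches": 4}
POST_METRICS = {"course_completion_rate": 0.88,
                "phishing_drill_click_rate": 0.12, "internal_breaches": 5}


def pass_rate_by_concept(responses, round_name):
    """Fraction of correct answers per concept for one measurement round."""
    asked = defaultdict(int)
    correct = defaultdict(int)
    for rnd, _user, concept, ok in responses:
        if rnd != round_name:
            continue
        asked[concept] += 1
        if ok:
            correct[concept] += 1
    return {c: correct[c] / asked[c] for c in asked}


def weak_concepts(rates, threshold=0.5):
    """Concepts that fewer than `threshold` of users got right: the ones to
    reinforce next. The 0.5 threshold is an assumed value."""
    return sorted(c for c, rate in rates.items() if rate < threshold)


def compare_rounds(baseline, post, direction=None):
    """Per-metric delta between baseline and post-training measurements.

    Returns {metric: {"baseline", "post", "delta", "improved", "regressed"}}.
    Metrics missing from either round are skipped rather than guessed, and
    direction defaults to "higher" (appropriate for quiz pass rates).
    """
    direction = direction or {}
    result = {}
    for metric in sorted(set(baseline) & set(post)):
        b, p = baseline[metric], post[metric]
        delta = round(p - b, 4)
        better_is = direction.get(metric, "higher")
        improved = delta > 0 if better_is == "higher" else delta < 0
        regressed = delta < 0 if better_is == "higher" else delta > 0
        result[metric] = {"baseline": b, "post": p, "delta": delta,
                          "improved": improved, "regressed": regressed}
    return result


def regressed_metrics(comparison):
    """Names of metrics that moved the wrong way; these need attention first."""
    return sorted(m for m, row in comparison.items() if row["regressed"])


if __name__ == "__main__":
    base_rates = pass_rate_by_concept(QUIZ_RESPONSES, "baseline")
    post_rates = pass_rate_by_concept(QUIZ_RESPONSES, "post")
    print("weak at baseline:", weak_concepts(base_rates))
    print("still weak after training:", weak_concepts(post_rates))
    for metric, row in compare_rounds(base_rates, post_rates).items():
        print(f"quiz {metric}: {row['baseline']:.2f} -> {row['post']:.2f}")
    program = compare_rounds(BASELINE_METRICS, POST_METRICS, METRIC_DIRECTION)
    for metric, row in program.items():
        print(f"{metric}: delta {row['delta']:+} improved={row['improved']}")
    print("regressed:", regressed_metrics(program))
```

On the constructed data, data retention is the concept still below the threshold after training, and the breach count is the one program metric that moved the wrong way, which is exactly the kind of finding the re-baselining step is meant to surface for the next improvement cycle.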
Shortcomings and Best Practices
The following table (Table 2) lists some reasons why information security controls fail
(SANS, 2015; Thacker, 2013; Winkler & Manke, 2013) and the best practices that can be
developed and implemented to address these shortcomings.
Table 2. Reasons for shortcomings and best practices
Reason / Shortcomings and best practices
Lack of user awareness
    Shortcoming: Simple ‘box-checking’ without understanding the concepts hinders the spirit of the
    defenses.
    Best practice: Different learning activities can help raise users’ awareness level.
Lack of engagement
    Shortcoming: Users are provided with literature, but are not tested formally.
    Best practice: Users should complete mandatory learning activities, and their knowledge levels
    should be ascertained via testing activities.
Operating without metrics
    Shortcoming: In the absence of metrics (quantification), it is impossible to determine whether
    learning activities are being rolled out and completed, and whether shortcomings are being
    identified and addressed.
    Best practice: Design and implement appropriate metrics to quantify activities.
Misplaced accountabilities
    Shortcoming: The business often relinquishes data protection aspects, including governance and
    oversight, to its IT function.
    Best practice: Data owners (the business) need to be continuously involved in all aspects of data
    protection, in conjunction with IT. They need to take ownership of their data, and clearly
    understand that the IT function is merely the custodian of their data.
Conclusion
This research paper proposes a model to improve the delivery effectiveness of the information
security learning continuum. It presents the three essential components of the information security
learning continuum: awareness, education, and training. The troika of people, process,
and technology is established as the required component for improving the delivery effectiveness of
the information security learning continuum. This is achieved by baselining, continuously
improving, and rebaselining the learning program. Finally, some shortcomings that hinder
successful implementation are highlighted, and best practices are suggested to address those
shortcomings.
With proper awareness, users can be the strongest defense, supporting the overall
delivery effectiveness of the information security learning continuum and leading the paradigm shift
from a static to a dynamic mode of learning.
References
Ashford, W. (2015, February 13). Data breaches up by 49% in 2014. ComputerWeekly.com. Retrieved from http://www.computerweekly.com/news/2240240346/Data-breaches-up-49-in-2014-exposing-more-than-a-billion-records
Awan, I. (2014). Debating the term cyber-terrorism: Issues and problems. Internet Journal of Criminology. Retrieved from http://www.internetjournalofcriminology.com/Awan_Debating_The_Term_Cyber-Terrorism_IJC_Jan_2014.pdf
Council of Europe. (2015). Standards: The convention and its protocol. Retrieved from http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/default_en.asp
Cyberwarfare. (2015). In Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Cyberwarfare
Cyberwarfare in the United States. (2015). In Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Cyberwarfare_in_the_United_States
Defence IQ. (2010, May 26). CIA, US military step up cyber space security strategies. Retrieved from http://www.defenceiq.com/defence-technology/articles/cia-us-military-step-up-cyber-space-security-strat/
Feldman, N. (2015). Brainy quote. Retrieved from http://www.brainyquote.com/quotes/keywords/cyber.html
Glennon, M. (2013). The dark future of international cybersecurity regulation. Journal of National Security Law & Policy, 4, 563-570. Retrieved from http://jnslp.com/wp-content/uploads/2013/04/The-Dark-Future-of-International-Cybersecurity-Regulation.pdf
Greaux, S. (2013, October 15). Use metrics to measure and improve security awareness. PhishMe. Retrieved from http://phishme.com/use-metrics-measure-improve-effectiveness-security-awareness/
Hathaway, O., Crootof, R., Levitz, P., Proctor, H., Nowlan, E., Perdue, W., & Spiegel, J. (2011). The law of cyber-attack. Yale Law & Economics Research Paper No. 453, 100(4), 1-76. Retrieved from http://www.law.yale.edu/documents/pdf/cglc/LawOfCyberAttack.pdf
ICJ. (2015). Jurisdiction. Retrieved from http://www.icj-cij.org/jurisdiction/index.php?p1=5
IMPACT. (2015). Mission & vision. Retrieved from http://www.impact-alliance.org/aboutus/mission-&-vision.html
InfoSec Institute. (2013). 2013 - The impact of cybercrime. Retrieved from http://resources.infosecinstitute.com/2013-impact-cybercrime/
INTERPOL. (2015). Cybercrime. Retrieved from http://www.interpol.int/Crime-areas/Cybercrime/Cybercrime
Kanuck, S. (2010). Sovereign discourse on cyber conflict under international law. Texas Law Review, 88, 1570-1597. Retrieved from https://www.law.upenn.edu/institutes/cerl/conferences/cyberwar/papers/reading/Kanuck.pdf
McAfee. (2013). The economic impact of cybercrime and cyber espionage. Retrieved from http://www.mcafee.com/ca/resources/reports/rp-economic-impact-cybercrime-summary.pdf
Michigan State University. (2015). Design for adult learning, teaching and learning theory, feedback. Retrieved from http://learndat.tech.msu.edu/teach/teaching_styles
OAS. (2015). Cyber-security program. Retrieved from https://www.sites.oas.org/cyber/en/Pages/default.aspx
Ophardt, J. (2010). Cyber warfare and the crime of aggression: The need for individual accountability on tomorrow's battlefield. Duke Law & Technology Review, 9(2), 1-27. Retrieved from http://scholarship.law.duke.edu/dltr/vol9/iss1/2
Passeri, P. (2015, April 13). March 2015 cyber attacks statistics. Retrieved from http://hackmageddon.com/category/security/cyber-attacks-statistics/
SANS. (2015). Resources: Measuring results. Retrieved from http://www.securingthehuman.org/resources/metrics
Schjolberg, S. (2007). Terrorism in cyberspace: Myth or reality? Retrieved from http://www.cybercrimelaw.net/documents/Cyberterrorism.pdf
Shinder, D. (2011, January 26). What makes cybercrime laws so difficult to enforce. TechRepublic. Retrieved from http://www.techrepublic.com/blog/it-security/what-makes-cybercrime-laws-so-difficult-to-enforce/
Stockton, P., & Goldman, M. (2014). Prosecuting cyberterrorists: Applying traditional jurisdictional frameworks to a modern threat. Stanford Law & Policy Review, 25, 211-268. Retrieved from https://journals.law.stanford.edu/sites/default/files/stanford-law-policy-review/print/2014/06/stockton_goldman_25_stan._l._poly_rev._211.pdf
Thacker, N. (2013). Top 10 reasons information security defences fail. Trustmarque. Retrieved from http://www.trustmarque.com/top-10-reasons-information-security-defences-fail/
Wegener, H. (2014). Regulating cyber behaviour: Some initial reflections on codes of conduct and confidence-building measures. Retrieved from https://www.unibw.de/infosecur/publications/individual_publications/wegener_regulating_cyber_behaviour_paper_2014
Winkler, I., & Manke, S. (2013, July 10). 7 reasons for security awareness failure. CSO Online. Retrieved from http://www.csoonline.com/article/2133697/metrics-budgets/7-reasons-for-security-awareness-failure.html

AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVESijcsit
 
The 2011 (ISC)2 Global Information
The 2011 (ISC)2 Global InformationThe 2011 (ISC)2 Global Information
The 2011 (ISC)2 Global Informationjtfoster
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020Jessica Graf
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet SecurityAna Meskovska
 
1Running head IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAI.docx
1Running head IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAI.docx1Running head IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAI.docx
1Running head IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAI.docxeugeniadean34240
 
Best Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingBest Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingKimberly Hood
 
Auditing Organizational Information Assurance (IA) Governance Practices
Auditing Organizational Information Assurance (IA) Governance PracticesAuditing Organizational Information Assurance (IA) Governance Practices
Auditing Organizational Information Assurance (IA) Governance PracticesMansoor Faridi, CISA
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Tammy Clark
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsOxfordCambridge
 

Similaire à Improving the effectiveness of information security learning programs (20)

Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness Presentation
 
The Three Dimensions of Security
The Three Dimensions of SecurityThe Three Dimensions of Security
The Three Dimensions of Security
 
Fissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-trainingFissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-training
 
Awareness is only the first step
Awareness is only the first stepAwareness is only the first step
Awareness is only the first step
 
DHS National Summit Full CHAIR Geoff Shively
DHS National Summit Full CHAIR Geoff ShivelyDHS National Summit Full CHAIR Geoff Shively
DHS National Summit Full CHAIR Geoff Shively
 
PACE-IT, Security+2.6: Security Related Awareness and Training
PACE-IT, Security+2.6: Security Related Awareness and TrainingPACE-IT, Security+2.6: Security Related Awareness and Training
PACE-IT, Security+2.6: Security Related Awareness and Training
 
Towards a Structured Information Security Awareness Programme
Towards a Structured Information Security Awareness ProgrammeTowards a Structured Information Security Awareness Programme
Towards a Structured Information Security Awareness Programme
 
information security management
information security managementinformation security management
information security management
 
Information Security Maturity Model
Information Security Maturity ModelInformation Security Maturity Model
Information Security Maturity Model
 
Assimilation Of Security-Related Policies In U.S. Firms An Empirical Study O...
Assimilation Of Security-Related Policies In U.S. Firms  An Empirical Study O...Assimilation Of Security-Related Policies In U.S. Firms  An Empirical Study O...
Assimilation Of Security-Related Policies In U.S. Firms An Empirical Study O...
 
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVESAN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
 
The 2011 (ISC)2 Global Information
The 2011 (ISC)2 Global InformationThe 2011 (ISC)2 Global Information
The 2011 (ISC)2 Global Information
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet Security
 
1Running head IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAI.docx
1Running head IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAI.docx1Running head IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAI.docx
1Running head IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAI.docx
 
Best Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingBest Practices for Security Awareness and Training
Best Practices for Security Awareness and Training
 
Auditing Organizational Information Assurance (IA) Governance Practices
Auditing Organizational Information Assurance (IA) Governance PracticesAuditing Organizational Information Assurance (IA) Governance Practices
Auditing Organizational Information Assurance (IA) Governance Practices
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & Metrics
 

Improving the effectiveness of information security learning programs

Table of Contents

Abstract
Introduction
Components of Information Security Learning Continuum
    Awareness
    Education
    Training
Critical Success Factors
    People
    Process
    Technology
Improving Effectiveness
    Baselining Pre-training Results
    Continuous Improvement
    Rebaselining Post-training Results
    Shortcomings and Best Practices
Conclusion
References
Abstract

Users in every organization are either the strongest or the weakest link when it comes to ensuring the confidentiality, integrity, and availability of critical data. Many organizations design, develop, and implement information security learning programs, but the effectiveness of their implementation varies for a variety of reasons. This research paper proposes a model to improve the delivery effectiveness of the information security learning continuum. The research identifies, analyzes, and evaluates the essential ingredients of this learning model: a detailed methodology, critical success factors, and organizational best practices. The success of the model lies in its dynamic nature; its continuous feedback collection mechanism is aimed at finding efficiencies and incorporating them, on a continuing basis, to improve the delivery of organizational learning activities. Among the numerous best practices, developing and quantifying metrics is paramount to the successful delivery of an information security learning program, and continuous improvement of the continuum (based on the collected feedback) is the key to successful program delivery.

Keywords: information security awareness, information security governance, information security education, continuous improvement

Introduction

This research paper proposes a model to improve the delivery effectiveness of the information security learning continuum. The research identifies, analyzes, and evaluates the essential ingredients of this learning model: a detailed methodology, critical success factors, and organizational best practices. The success of the model lies in its dynamic nature; its continuous feedback collection mechanism is aimed at finding efficiencies and incorporating them, on a continuing basis, to improve the delivery of organizational learning activities.

The Components of Information Security Learning Continuum section describes the three essential components of the continuum: awareness, education, and training. The Critical Success Factors section establishes people, process, and technology, and the overlap among them that produces the sweet spot from which the critical success factors for improving delivery effectiveness are derived. The Improving Effectiveness section details how the effectiveness of the continuum is improved by baselining the program, engaging in continuous improvement activities, and rebaselining it on the basis of the results; it concludes with a list of shortcomings and the best practices that address them. The Conclusion section summarizes the report while highlighting the importance and relevance of the topic.
Components of Information Security Learning Continuum

Information Security (or InfoSec) is the practice of protecting the confidentiality, integrity, and availability of data against unauthorized access, modification, and disruption. To improve the effectiveness of an organization's information security, its education, awareness, and learning activities must be designed and developed with due care for their delivery effectiveness. In most organizations, information security learning activities comprise awareness, education, and training in some shape or form. All three elements entail both formal and informal activities, discussed below in more detail. It is important that all three stages are designed and developed by a qualified professional with an intimate familiarity with the nuances of adult education. The most common dominant learning styles (visual vs. auditory) should be kept in view when designing the learning activities. In addition, adults have been shown to learn more effectively by performing (and discovering) the task at hand in social settings, so these known trends need to be incorporated to make the learning experience engaging (Michigan State University, 2015).

Awareness

This component is the most important of the three, as it is the starting point at which users' attention is focused on security issues and they acknowledge that those issues exist. At this stage, users are normally recipients of information and do not actively participate (NIST, 1998, p.15). The aids used in awareness campaigns depend on the scope, breadth, and budget; common items include newsletters, posters, brochures, flyers, videos, promotional slogans, trinkets, mouse pads, and the like. An effective awareness campaign will stress the ever-changing threat landscape, identify threat vectors, and demand timely adjustments to the awareness content being delivered.

Education

After awareness comes education. At this stage, users are aware that security issues exist and are looking to educate themselves. This stage integrates the security skills and competencies of the various functional specialties into a common body of knowledge, and adds a multi-disciplinary study of concepts, issues, and principles (technological and social). It strives to produce users capable of recognizing threats and being proactive in their response (NIST, 1998, p.16). An important characteristic of education is that users must understand why information security is important for the organization (Schlienger & Teufel, 2003).

Training

This is the third and final stage in the learning life cycle. By this time, users have been educated on the security issues and are ready to be trained on how to behave securely in the information security context. This level strives to produce the relevant and needed security skills and competency in practitioners of functional specialties other than IT security (e.g., management, auditing). Training on the specialized security tools (or security features) within applications must also be offered (NIST, 1998; Schlienger & Teufel, 2003).

Another important aspect of these learning programs is the adoption of a multi-level approach to test design. At the initial level (or Primary State), users should only be asked to recall, recognize, and/or understand information security concepts, for example confidentiality, integrity, availability, and non-repudiation. The intermediate level (or Secondary State) should test users' ability to apply the learned concepts to real-life situations, to enhance their understanding of the issues at hand; examples include identity and access management workflows, data retention issues, evolving threat vectors, and the need for data quarantine and sanitization. The advanced level (or Target State) should encourage users to synthesize their learning in order to analyze and interpret real-life information security situations and draw meaningful conclusions. This also helps users become proactive participants who support organizational security initiatives and raise a flag in case of any abnormal online activity. Users who have attained the Target State will seek knowledge proactively. This level of expertise goes well beyond exploring basic information security concepts and is the sweet spot that trainers should aim for when designing test exercises.

Critical Success Factors

The integration of people, process, and technology forms an important troika; the overlap among the three leads to the creation of critical success factors (see Figure 1 below). All three elements entail both formal and informal activities necessary for the effective implementation of the learning program. Each entity represents various essential components, discussed below in more detail.

Figure 1. Troika – People, Process, Technology
People

First and foremost, effective implementation of an information security learning program requires executive sponsorship to set the tone from the top, which helps secure the required resources and signals the importance of the initiative. Executive sponsors can also influence their counterparts to ensure that the message is received positively across the organization. While executive sponsorship is a must-have, delegating sponsorship to a local level (e.g. a Business Unit Champion) is highly effective. This local sponsor should be at the management level, with a good amount of influence.

Secondly, users are always deemed to be the weakest link. It is therefore important that individual users buy in to the idea, realize the importance of this mission-critical initiative, and see themselves as empowered users who make a significant difference, protecting the organization's critical assets on a daily basis. Users should be sent short quizzes over time. The responses, both correct and incorrect, are a gold mine of information for identifying users' understanding of various information security issues and for reinforcing the concepts that most users failed to grasp. Unannounced drills, such as planned phishing attacks run in coordination with IT, should be executed and their data collected; the number of users who fell for the lure indicates the level of readiness. This data helps remediate and reinforce users' understanding of information security concepts.

Finally, the subject matter experts (SMEs) delivering the program play an important role in providing relevant, appropriate, and engaging content that produces a well-informed class of users. It is paramount to select SMEs with the right qualifications and, most importantly, superior communication skills, to deliver an effective learning experience.

Process

This component entails the formalization of policies, procedures, and standards, together with the definition of metrics, measurements, and a feedback mechanism that integrates the overall learning program. An important aspect of this component is the sharing of knowledge and information via an internal shared repository. The elements defined here are discussed in further detail in later sections.

Technology

Various technologies can be leveraged to suit the size of the organization. A small organization may choose to measure and report manually, whereas an enterprise may automate the entire process end to end. Regardless of size, organizations should have tools to record, measure, and report on metrics such as non-compliance, course completion statistics, and continuous monitoring of users' online activity (e.g. access to inappropriate websites). Technology should also be leveraged to solicit user feedback on various issues and to share knowledge and information via online spaces (e.g. wikis, SharePoint, the intranet). Integrated with Active Directory authentication, technology should also enforce role-based access control (RBAC), segregation of duties, least privilege, need to know, and time-limited access, so that only authorized users are let in.

Improving Effectiveness

Figure 2 (below) represents the information security learning continuum, which conceptualizes a proposed model to baseline, monitor, improve, and re-baseline the program on a continuing basis. According to this model, a gap assessment should first be performed to compare the current state with the desired future state. Setting this target promotes competition while serving as a roadmap towards the final destination (the Target State). The model also requires quantification of the time horizon, to set milestones and deliverables, and definition of the metrics against which to baseline.

Figure 2. Information security learning continuum

Baselining (Pre-training Results)

The next step is to consolidate and baseline the in-scope organizational metrics by recording their current measurements. This starting point serves as an indicator, throughout the learning continuum, of the organization's current state and the remaining 'distance' to the target state. It is recommended that, half-way through the journey, feedback is formally solicited from all stakeholders in addition to the measurements obtained for the pre-defined metrics (Greaux, 2013). This step helps determine whether changes are warranted to any part of the process or to the overall learning program. Some suggested metrics are listed in Table 1.

Table 1. Metrics and their rationale

Metric: User engagement
Data collected and reviewed: Whether all users were successfully reached, and the rate of completion of all education, training, and awareness activities as they are rolled out during the course of a year.

Metric: Quality of responses
Data collected and reviewed: Wrong responses to all learning activities, identified and trended for subsequent analysis. This lets the developers identify user strengths and the areas that require further emphasis, so that knowledge gaps are addressed promptly.

Metric: Security breaches (internal)
Data collected and reviewed: Internal security breaches, recorded for later root cause analysis. The findings serve as input when designing learning activities.

Metric: Periodic testing
Data collected and reviewed: Results of testing activities (e.g. internally generated phishing emails), analyzed to gauge users' knowledge level of InfoSec issues.

Continuous Improvement

After baselining, the program needs to be continuously monitored and improved. Input can take the form of automated monitoring, user feedback, process change requests, and so on; Figure 2 shows the feedback and change-request mechanisms that are in place.

Re-baselining (Post-Training Results)

After formal training delivery, the measurements need to be taken again and compared against the initial readings taken when baselining. The delta between the two helps determine the implementation effectiveness of the overall program while identifying specific opportunities for improvement.
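The Table 1 metrics, the quiz and phishing-drill data described under People, and the baseline/re-baseline comparison above can be put together in a short script. The following is an added example written for this page, not code from the paper: the population, the target thresholds, and every reading are constructed, and the metric names (completion_rate, phish_click_rate, phish_report_rate, question_miss_rate) are assumptions rather than names the paper defines.

```python
"""Baselining and re-baselining the Table 1 metrics (added example; not part of the paper).

Every record below is constructed for illustration. A real program would pull the same
inputs from the LMS, the quiz tool and the phishing-simulation platform.
"""
from dataclasses import dataclass

# Constructed population: user -> business unit (the paper's "local" sponsorship level).
USERS = {
    "u01": "finance", "u02": "finance", "u03": "finance", "u04": "finance", "u05": "finance",
    "u06": "eng", "u07": "eng", "u08": "eng", "u09": "eng", "u10": "eng",
}

# Direction of each metric: True means higher is better.
HIGHER_IS_BETTER = {"completion_rate": True, "phish_click_rate": False, "phish_report_rate": True}

# Target state agreed during the gap assessment (constructed thresholds).
TARGET = {"completion_rate": 0.95, "phish_click_rate": 0.05, "phish_report_rate": 0.60}


@dataclass(frozen=True)
class Snapshot:
    """One measurement of the program, taken pre- or post-training."""
    completion_rate: float      # Table 1: user engagement
    question_miss_rate: dict    # Table 1: quality of responses, per question
    phish_click_rate: float     # Table 1: periodic testing (drill recipients who clicked)
    phish_report_rate: float    # drill recipients who reported the lure
    click_rate_by_unit: dict    # same drill, broken out per business unit


def _rate(hits, total):
    return round(hits / total, 4) if total else 0.0


def measure(completed, wrong_answers, drill_actions):
    """Build a Snapshot from raw records.

    completed     -- set of users who finished all mandatory activities
    wrong_answers -- question_id -> set of users who answered it incorrectly
                     (every user in USERS is assumed to have answered every question)
    drill_actions -- user -> "clicked" | "reported" | "ignored" for one phishing drill
    """
    n = len(USERS)
    clicked = {u for u, a in drill_actions.items() if a == "clicked"}
    reported = {u for u, a in drill_actions.items() if a == "reported"}
    by_unit = {
        unit: _rate(sum(1 for u in clicked if USERS[u] == unit),
                    sum(1 for u in USERS if USERS[u] == unit))
        for unit in sorted(set(USERS.values()))
    }
    return Snapshot(
        completion_rate=_rate(len(completed), n),
        question_miss_rate={q: _rate(len(w), n) for q, w in wrong_answers.items()},
        phish_click_rate=_rate(len(clicked), len(drill_actions)),
        phish_report_rate=_rate(len(reported), len(drill_actions)),
        click_rate_by_unit=by_unit,
    )


def concepts_to_reinforce(snap, threshold=0.25):
    """Questions many users got wrong, worst first: the concepts the next cycle should re-teach."""
    flagged = [(q, r) for q, r in snap.question_miss_rate.items() if r >= threshold]
    return [q for q, _ in sorted(flagged, key=lambda qr: (-qr[1], qr[0]))]


def distance_to_target(snap, target=TARGET):
    """Remaining gap per metric (0.0 once the target state is reached)."""
    gaps = {}
    for name, goal in target.items():
        current = getattr(snap, name)
        gap = goal - current if HIGHER_IS_BETTER[name] else current - goal
        gaps[name] = round(max(gap, 0.0), 4)
    return gaps


def delta(pre, post):
    """Post-training reading minus baseline; the sign is read with HIGHER_IS_BETTER."""
    return {name: round(getattr(post, name) - getattr(pre, name), 4) for name in TARGET}


def improved(pre, post):
    """Metrics that moved in the right direction between the two readings."""
    return [n for n, d in delta(pre, post).items() if d != 0 and (d > 0) == HIGHER_IS_BETTER[n]]


# --- Baseline (pre-training) readings, constructed ---
PRE_COMPLETED = {"u01", "u03", "u06", "u07", "u09"}
PRE_WRONG = {
    "q_cia": {"u02", "u05"},
    "q_phish": {"u02", "u03", "u04", "u05", "u08", "u10"},
    "q_retention": {"u04", "u05", "u08", "u10"},
}
PRE_DRILL = {u: "ignored" for u in USERS}
PRE_DRILL.update({"u02": "clicked", "u04": "clicked", "u05": "clicked", "u08": "clicked",
                  "u01": "reported", "u06": "reported"})

# --- Re-baseline (post-training) readings, constructed ---
POST_COMPLETED = set(USERS) - {"u10"}
POST_WRONG = {
    "q_cia": {"u05"},
    "q_phish": {"u05", "u10"},
    "q_retention": {"u04", "u05", "u10"},
}
POST_DRILL = {u: "ignored" for u in USERS}
POST_DRILL.update({"u10": "clicked", "u01": "reported", "u02": "reported", "u03": "reported",
                   "u06": "reported", "u07": "reported", "u09": "reported"})

PRE = measure(PRE_COMPLETED, PRE_WRONG, PRE_DRILL)
POST = measure(POST_COMPLETED, POST_WRONG, POST_DRILL)

if __name__ == "__main__":
    print("baseline:           ", PRE)
    print("re-baseline:        ", POST)
    print("reinforce next cycle:", concepts_to_reinforce(POST))
    print("delta:              ", delta(PRE, POST))
    print("remaining to target:", distance_to_target(POST))
```

Two design points follow the paper's model rather than convenience: each metric carries an explicit direction, so a falling click rate is reported as an improvement and a rising one as a regression, and the per-question miss rate is kept separately from the aggregate so that the "quality of responses" row of Table 1 can be turned directly into the list of concepts to re-teach in the next cycle. The per-unit click rate exists so that the local Business Unit Champion sees their own numbers, not only the organization's.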
Shortcomings and Best Practices

Table 2 lists some of the reasons why information security defenses and awareness efforts fail (SANS, 2015; Thacker, 2013; Winkler & Manke, 2013), together with the best practices that can be developed and implemented to address each shortcoming.

Table 2. Reasons for shortcomings and best practices

Reason: Lack of user awareness
Shortcoming: Simple 'box-checking' without understanding the concepts defeats the spirit of the defenses.
Best practice: Varied learning activities raise users' awareness level.

Reason: Lack of engagement
Shortcoming: Users are provided with literature but are never tested formally.
Best practice: Users should complete mandatory learning activities, and their knowledge levels should be ascertained through testing.

Reason: Operating without metrics
Shortcoming: Without metrics (quantification), it is impossible to tell whether learning activities are being rolled out and completed, and whether shortcomings are being identified and addressed.
Best practice: Design and implement appropriate metrics to quantify the activities.

Reason: Misplaced accountabilities
Shortcoming: The business often relinquishes data protection, including its governance and oversight, to the IT function.
Best practice: Data owners (the business) need to stay continuously involved in all aspects of data protection, in conjunction with IT. They need to take ownership of their data and clearly understand that the IT function is merely the custodian of it.

Conclusion

This research paper proposes a model to improve the delivery effectiveness of the information security learning continuum. It presents the three essential components of the continuum: awareness, education, and training. The troika of people, process, and technology is established as the component required to improve delivery effectiveness, which is achieved by baselining, continuously improving, and rebaselining the learning program. Finally, some shortcomings that hinder successful implementation are highlighted and best practices to address them are listed. With proper awareness, users can be the strongest defense, supporting the overall delivery effectiveness of the information security learning continuum and leading the paradigm shift from a static to a dynamic mode of learning.
References

Ashford, W. (2015, February 13). Data breaches up by 49% in 2014. ComputerWeekly.com. Retrieved from http://www.computerweekly.com/news/2240240346/Data-breaches-up-49-in-2014-exposing-more-than-a-billion-records

Awan, I. (2014). Debating the term cyber-terrorism: Issues and problems. Internet Journal of Criminology. Retrieved from http://www.internetjournalofcriminology.com/Awan_Debating_The_Term_Cyber-Terrorism_IJC_Jan_2014.pdf

Council of Europe. (2015). Standards: The convention and its protocol. Retrieved from http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/default_en.asp

Cyberwarfare. (2015). In Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Cyberwarfare

Cyberwarfare in the United States. (2015). In Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Cyberwarfare_in_the_United_States

Defence IQ. (2010, May 26). CIA, US military step up cyber space security strategies. Retrieved from http://www.defenceiq.com/defence-technology/articles/cia-us-military-step-up-cyber-space-security-strat/

Feldman, N. (2015). Brainy quote. Retrieved from http://www.brainyquote.com/quotes/keywords/cyber.html

Glennon, M. (2013). The dark future of international cybersecurity regulation. Journal of National Security Law & Policy, 4, 563-570. Retrieved from http://jnslp.com/wp-content/uploads/2013/04/The-Dark-Future-of-International-Cybersecurity-Regulation.pdf

Greaux, S. (2013, October 15). Use metrics to measure and improve security awareness. PhishMe. Retrieved from http://phishme.com/use-metrics-measure-improve-effectiveness-security-awareness/

Hathaway, O., Crootof, R., Levitz, P., Proctor, H., Nowlan, E., Perdue, W., & Spiegel, J. (2011). The law of cyber-attack. Yale Law & Economics Research Paper No. 453, 100(4), 1-76. Retrieved from http://www.law.yale.edu/documents/pdf/cglc/LawOfCyberAttack.pdf

ICJ. (2015). Jurisdiction. Retrieved from http://www.icj-cij.org/jurisdiction/index.php?p1=5

IMPACT. (2015). Mission & vision. Retrieved from http://www.impact-alliance.org/aboutus/mission-&-vision.html

InfoSec Institute. (2013). 2013 - The impact of cybercrime. Retrieved from http://resources.infosecinstitute.com/2013-impact-cybercrime/

INTERPOL. (2015). Cybercrime. Retrieved from http://www.interpol.int/Crime-areas/Cybercrime/Cybercrime

Kanuck, S. (2010). Sovereign discourse on cyber conflict under international law. Texas Law Review, 88, 1570-1597. Retrieved from https://www.law.upenn.edu/institutes/cerl/conferences/cyberwar/papers/reading/Kanuck.pdf

McAfee. (2013). The economic impact of cybercrime and cyber espionage. Retrieved from http://www.mcafee.com/ca/resources/reports/rp-economic-impact-cybercrime-summary.pdf

Michigan State University. (2015). Design for adult learning, teaching and learning theory, feedback. Retrieved from http://learndat.tech.msu.edu/teach/teaching_styles

OAS. (2015). Cyber-security program. Retrieved from https://www.sites.oas.org/cyber/en/Pages/default.aspx

Ophardt, J. (2010). Cyber warfare and the crime of aggression: The need for individual accountability on tomorrow's battlefield. Duke Law & Technology Review, 9(2), 1-27. Retrieved from http://scholarship.law.duke.edu/dltr/vol9/iss1/2

Passeri, P. (2015, April 13). March 2015 cyber attacks statistics. Retrieved from http://hackmageddon.com/category/security/cyber-attacks-statistics/

SANS. (2015). Resources: Measuring results. Retrieved from http://www.securingthehuman.org/resources/metrics

Schjolberg, S. (2007). Terrorism in cyberspace - myth or reality? Retrieved from http://www.cybercrimelaw.net/documents/Cyberterrorism.pdf

Shinder, D. (2011, January 26). What makes cybercrime laws so difficult to enforce. TechRepublic. Retrieved from http://www.techrepublic.com/blog/it-security/what-makes-cybercrime-laws-so-difficult-to-enforce/

Stockton, P., & Goldman, M. (2014). Prosecuting cyberterrorists: Applying traditional jurisdictional frameworks to a modern threat. Stanford Law & Policy Review, 25, 211-268. Retrieved from https://journals.law.stanford.edu/sites/default/files/stanford-law-policy-review/print/2014/06/stockton_goldman_25_stan._l._poly_rev._211.pdf

Thacker, N. (2013). Top 10 reasons information security defences fail. Trustmarque. Retrieved from http://www.trustmarque.com/top-10-reasons-information-security-defences-fail/

Wegener, H. (2014). Regulating cyber behaviour: Some initial reflections on codes of conduct and confidence-building measures. Retrieved from https://www.unibw.de/infosecur/publications/individual_publications/wegener_regulating_cyber_behaviour_paper_2014

Winkler, I., & Manke, S. (2013, July 10). 7 reasons for security awareness failure. CSO Online. Retrieved from http://www.csoonline.com/article/2133697/metrics-budgets/7-reasons-for-security-awareness-failure.html