Information Security Awareness, Training and Motivation — Native Intelligence, Inc.

Security Awareness: A Sound Business Strategy

[Image: three organizations, each giving its reason why a security awareness program is a sound business strategy: to gain a competitive advantage, to reduce unpredictable costs and expenses, and to comply with laws and regulations.]

Why Awareness Is Important

The behavior of employees who have access to data directly affects the security of information systems and assets. Employee and contractor behavior is the leading cause of costly data breaches, and changing that behavior is also the most effective way to prevent loss.

Security can't be guaranteed. As Clint Eastwood once said, "If you want a guarantee, buy a toaster." The only secure system is one that's unplugged, turned off, and in a locked room.

Since it's not practical to leave our systems turned off, we need to understand the risks to our systems and prepare ourselves to defend them.  Preparation begins with understanding — and that's where awareness comes in.

With all the news stories about hackers, botnets, and breaches involving personal information, it's easy for the security message to sound over-used and tired. It's easy for people to say, "It won't happen here." Yet studies and surveys repeatedly show that the human factor (what employees do or don't do) is the biggest threat to information systems and assets.

The best way to achieve a significant and lasting improvement in information security is not by throwing more technical solutions at the problem — it's by raising awareness and training and educating everyone who interacts with computer networks, systems, and information in the basics of information security.

Awareness Isn't Just a Good Idea, It's the Law

Laws requiring security and privacy awareness or training programs apply to:

  • The Federal Government (Federal Information Security Management Act)
  • The health care industry (Health Insurance Portability and Accountability Act)
  • Financial institutions (Gramm-Leach-Bliley Act and Sarbanes-Oxley Act)
  • Publicly-traded companies (Sarbanes-Oxley Act)

"The user's going to pick dancing pigs over security every time." - Bruce Schneier

The Federal Information Security Management Act (FISMA) requires government agencies to report annually on their security awareness and training efforts.

NIST SP 800-53, Recommended Security Controls for Federal Information Systems, lists the controls that Federal organizations are required to implement for unclassified information systems. One of those controls (AT-2) is security awareness training.

National Institute of Standards and Technology (NIST) SP 800-53 also points to 5 Code of Federal Regulations (C.F.R.) Part 930.301 and NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, as the requirements and guidance an awareness program must follow.

5 C.F.R. Part 930.301 requires that everyone receive initial awareness training before being given access to systems, and refresher training at least annually. It also defines five roles, each of which must receive training tailored to its responsibilities:

  1. All users — security basics
  2. Executives — security basics and policy level training in security planning and management
  3. Program and functional managers — security basics and management and implementation level training in security planning and system/application security management, system/application life cycle management, risk management, and contingency planning.
  4. Chief Information Officers (CIOs), IT security program managers, auditors, and other security-oriented personnel (e.g., system and network administrators, and system/application security officers) — security basics and broad training in security planning, system and application security management, system/application life cycle management, risk management, and contingency planning.
  5. IT function management and operations personnel — security basics; management and implementation level training in security planning and system/application security management, system/application life cycle management, risk management, and contingency planning.

NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, states that security plans should include the:

  • Type and frequency of application-specific training provided to employees and contractors,
  • Type and frequency of general support system training provided to employees and contractors, and
  • Procedures for assuring that employees and contractors are adequately trained.

OMB Circular A-130, Appendix III (Security of Federal Automated Information Resources), requires that system users receive security awareness instruction before they are granted access to a system, and periodic refresher training as a condition of continued access.

NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, stresses that managers need to understand the consequences and costs of security so that they can factor security into their decisions.