Lesson 3: Security Education

To establish, maintain, and improve organizational security, you must have a security education program for informing and involving people in the security program. Education also seeks to achieve user buy-in or support for the program. Without user support, your security program cannot be truly effective. A security education program typically involves three stages: security awareness, security training, and ongoing education. In this lesson you learn about the critical elements that are part of a successful security education program.

Your risk assessment can help you determine which topics merit the most attention in your security education program.


After this lesson, you will be able to

  • Establish an effective security communication program

  • Create a security awareness program

  • Define parameters for an effective security training program

  • Facilitate ongoing security education

Estimated lesson time: 15 minutes


Communication

Communication is the first and most essential part of providing a security education program to the people in your organization. Support for the organizational security program must be clearly communicated and demonstrated by upper management. Further, supervisors and managers throughout the organization must communicate and demonstrate support for the organizational security program.

The person primarily responsible for the organizational security program (often called the security officer) must be visible and available to people in the organization. The security officer should ensure there are open lines of communication concerning organizational security. People in the organization should be able to freely ask questions about the security program. One way to facilitate this process is to have an internal Frequently Asked Questions (FAQ) board, which might even allow people to ask questions anonymously with the answers posted to the board.

Suspected or known security violation reporting should also be as open as possible. Some organizations develop anonymous submission programs that allow people to report security violations, express security concerns, or suggest improvements.

User Awareness

Once you are sure the communication lines are open between those in charge of the security program and the rest of the organization, you can begin a security awareness program. Security awareness is not security training. Security training, covered in the following section, is a formal process in which participants take a more active role. Security awareness is essentially a marketing campaign designed to focus attention on the security program. A good security awareness program can bring a change in attitudes about security and set the stage for future security training.

Awareness programs usually deal with simple messages or quick concepts. For example, a part of your security awareness program might be as simple as delivering a message that reads, "Security is everyone's responsibility." You can think of the security awareness program as an advertisement for the organizational security program.

The methods you use to deliver your advertisements should be ongoing, creative, and motivational. Repeating the same message exactly the same way tends to cause people to selectively ignore it. To increase the success of your awareness program, use multiple methods to deliver your messages. Here are some ideas:

  • Logon access banners.

    These banners are displayed when the user logs on.

  • Audio/video.

    These awareness materials are delivered in video, audio, computer-based, or Web-based formats.

  • Posters or flyers.

    These can contain simple tips for complying with security policy and best practices, such as how to create strong passwords.

  • Promotional or specialty trinkets.

    Part of your security awareness program could include giveaways or prizes that have security slogans on them.

  • Newsletters, magazines, and briefings.

    Notes, tips, and articles are other methods for distributing a security awareness message.

Security awareness is presented at an informational level. The focus is on describing what security has to do with the individual and the organization. The learning objective at this stage is recognition and retention. As shown in the list, the delivery methods involve media such as videos, newsletters, and posters. Evaluations at the awareness stage might involve games such as crossword puzzles, word searches, and anagrams. You might even assess the success of your awareness program by using simple true/false or multiple-choice evaluations. Retention of information presented at the awareness stage is often short term.

Training

As previously mentioned, security training is a more involved process in which participants engage in learning. The most effective security training is directly related to the participant's job and allows for hands-on experience. Of course, time and cost are also factors in determining how much training to do and how to most effectively present it. For example, assume everyone in your organization is expected to be able to send encrypted e-mail. However, only the records and accounting departments ever really need to do so. You might decide to provide hands-on classroom training to the records and accounting departments. For the other departments you might just perform a demonstration during a departmental meeting and issue general instructions on using secure e-mail in the organizational newsletter.

Security training, by contrast, is presented at a knowledge level. The focus is on explaining how to implement security. Delivery methods typically involve lectures, demonstrations, case studies, and hands-on practice. Evaluations at this stage might employ multiple-choice questions and practical scenarios requiring recognition and hands-on problem resolution. Retention of this information is intermediate and could be long term, depending on how much of it is transferable to the person's job functions.

Education

As mentioned at the beginning of this lesson, education is the overall program of informing and involving people in the security program. Education is also considered a learning stage beyond training and awareness. People immersed in security education seek understanding and are often self-motivated. They want to learn the "why" of security concepts. For example, they might want to know why the organization decided to dictate six-character, mixed-case, alphanumeric passwords as a minimum.

People at the education stage of learning are likely to attend seminars, engage in discussions, and perform practical research. Retention of topics is usually long term due to the high involvement level of the participants. Evaluations of security education might involve essays, job performance reviews, and professional certification.

Online Resources

Throughout this book, links to additional information are provided as online resources. In this section the focus is specifically on resources that can be used to supplement your security education program. The following list provides Web links to obtain additional information or support for your security education program:

  • The NIST Computer Security Resource Center (CSRC) maintains a list of awareness, training, and education resources at http://csrc.nist.gov/ATE.

  • NIST Special Publication 800-16, titled "Information Technology Security Training Requirements: A Role- and Performance-Based Model," is available at http://csrc.nist.gov/publications/nistpubs.

  • The NIST Computer User's Guide to the Protection of Information Resources is available at http://csrc.nist.gov/publications/nistpubs/500-171/sp500-171.txt.

  • The NIST Executive Guide to the Protection of Information Resources is available at http://csrc.nist.gov/publications/nistpubs/500-169/sp500-169.txt.

  • The NIST Management Guide to the Protection of Information Resources is available at http://csrc.nist.gov/publications/nistpubs/500-170/sp500-170.txt.

  • The National Oceanic and Atmospheric Administration (NOAA) Computer Users' Guide for Protecting Information Resources is available at http://www.csp.noaa.gov/Users-Guide-2002.

  • The Security Awareness Corporation sells a variety of materials, such as posters, screen savers, tutorials, and pamphlets, to help promote security awareness. They also have some free customizable materials available at http://www.securityawareness.com.

  • Native Intelligence, Inc. offers a variety of security awareness program materials at http://nativeintelligence.com/awareness.

Exercise: Stages and Delivery Types

Match the numbered security education program stages in the left column to the appropriate lettered delivery types in the right column.

Stages:

  1. Awareness

  2. Training

  3. Education

Delivery types:

  a. Research projects

  b. Demonstrations

  c. Logon banners

  d. Discussions

  e. Hands-on activities

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in Appendix A, "Questions and Answers."

  1. Which stage of the security education program is mostly marketing?

  2. At which stage of the security education program are individuals most likely to be self-motivated?

  3. Security training is most effective when it is __________________?

Lesson Summary

  • Communication lines must be open for a security program to be successful. Support from top executives and the security administrator should be quite evident throughout the organization. Organizational members should be encouraged to ask questions, express concerns, and report violations.

  • Security awareness is largely a marketing effort to promote the organization's security program. This effort can be undertaken with logon banners, trinkets with messages, motivational slogans, and a variety of other attention-catching methods.

  • Security training seeks to increase involvement and teach people how to accomplish tasks. Security training is most effective when it is hands-on and directly related to the participant's job.

  • Security education is an ongoing effort. As organizational members move into discussing, researching, and fully participating, they are embracing the education stage.



Security+ Certification Training Kit (Pro-Certification)
ISBN: 0735618224
Year: 2002