
The Human Firewall Creating a security aware workforce


Presentation Transcript


  1. The Human Firewall: Creating a security aware workforce
     Andrew Breakwell, Business Development Director, Compliance Division
     APPLIED INFORMATION SERVICES

  2. Agenda
     • Establishing the Need
     • Common pitfalls
     • Planning
     • Delivery
     • Evaluation and Metrics

  3. Corporate overview
     • Governance, Risk and Compliance (GRC) specialists for more than 16 years
     • Focus on improving staff awareness, knowledge and understanding
     • Providers of:
       • Information newsfeeds and alerts
       • Learning content and services
       • Risk management and auditing systems
     • Part of SAI Global, ASX quoted, c. 950 employees
     • Offices in Europe, North America and Australasia
     • Global client base – specialists in large scale, international deployments
     • 4,000,000+ end users, resources in 20+ languages

  4. Establishing the Need
     “Most security breaches occur at ground floor level, through employees making errors or inadvertently revealing information. It is ironic therefore that so many organizations do not have a comprehensive awareness program in place... perhaps missing the obvious and focusing upon the rather more stimulating high-tech threat instead.” – ISO 17799 News

  5. Establishing the Need
     • Deloitte 2007 Global Security Survey: ‘79 percent of participants cite the human factor as the root cause of information security failures’
     • CSI Computer Crime and Security Survey 2007: ‘The average annual loss reported in this year’s survey shot up to $350,424 from $168,000 the previous year’
     • ENISA: IS Awareness Initiatives – Current practice and the measurements of success 2007: ‘… information security is seen as a high or very high priority in four fifths of respondents.’
     • ‘War stories’

  6. Common pitfalls
     • Lack of senior management support
     • Adopting a ‘one size fits all’ approach – mismatch between content and target audience
     • Not connecting the program to a Needs Assessment
     • Objectives and outcomes poorly defined
     • Training ‘fatigue’
     • Poor communication and planning
     • Developing a limited program based on a specific budget target (not the one you want)
     • Lack of in-house expertise – not involving other experts
     • Assuming it’s a one-time initiative – not an ongoing process
     • Lack of evaluation and measurement
     • BORING…! Lack of engaging and relevant content

  7. Planning
     • Needs assessment

  8. Planning: Needs Assessment
     • WHO gets the training
     • WHAT training they get
     • HOW the training is delivered
     • WHERE the training takes place
     • WHEN the training takes place
     • Over the short, medium and long term
     • Aligned with corporate goals and objectives
     • Clear business case for all elements
     • Clearly defined measurement criteria – benchmarking

  9. Planning
     • Needs assessment
     • Identify audience – not a ‘one size fits all’ approach

  10. Planning: Identify audience
     • Full time/Part time?
     • New hires, trainees?
     • Senior management or management role?
     • Specific departments or job ‘families’ (e.g. HR, IT, Security)?
     • Based on job or role (e.g. employees handling large amounts of data, remote workers)?
     • Specific technology users (e.g. employees with laptops)?
     • Specific location (e.g. country or region, manufacturing site, branch offices)?
     • PLUS customers, suppliers?

  11. Planning
     • Needs assessment
     • Identify audience – not a ‘one size fits all’ approach
     • Set objectives and timescales
     • Collaborate
     • Communicate and market
     • What’s available?
     • Establish the team – identify project owner
     • Identify resource and budget needs
     • Express funding needs
     • Assign a Program Manager

  12. Delivery: Develop course content
     • Core training
     • Senior management training

  13. Delivery: Core training – to include content for senior managers
     • E-learning for IT users
       • Reduced delivery costs
       • Reduced training time
       • Flexibility and convenience
       • Engaging and interactive
       • Self-paced and non-threatening
       • Consistent content and delivery
       • Ease of updating
       • Accurate measurement and control
       • Tailored content – ‘off-the-shelf’ or bespoke
     • Workshops
       • PowerPoints
       • Handouts
       • Trainers’ Notes
       • ‘Train the Trainer’ sessions

  14. Delivery: E-learning – engaging content

  15. Delivery: Develop course content
     • Core training
     • Senior management training
     • New starter training
     • Refresher training
     • Specialist training
     • Assessment testing

  16. Delivery: Assessment testing

  17. Delivery: Develop course content
     • Core training
     • Senior management training
     • New starter training
     • Refresher training
     • Specialist training
     • Assessment testing
     • Ongoing awareness activity

  18. Delivery: Ongoing awareness activity
     • Video ‘Moments’
     • Marketing materials
     • Interactive e-mails
     • Cartoons
     • Giveaways
     • Posters
     • Newsletters

  19. Delivery
     • Develop course content
     • Confirm technology requirements and test
     • Establish tracking and reporting criteria
     • Plan and communicate implementation timetable
     • Schedule launch and pre-launch activity
     • Ensure clear ownership of project
     • Analyse effectiveness of training using metrics

  20. Evaluation and metrics
     • Benchmarking prior to training
     • Completion rates (against previous training?)
       • Total target audience
       • By sector
       • By job role
     • Three further levels
       • Reaction level – measuring ‘attitudes’, e.g. through evaluation questionnaires, structured interviews etc.
       • Immediate level – measuring users’ ‘knowledge’, e.g. through pre- and post-training assessment tests
       • Functional level – measuring ‘behavioural’ change, e.g. through observation of business processes and indicators such as helpdesk calls, security breaches and incidents
     • Return on investment
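The metrics this slide lists can be computed directly from a training record per targeted user plus before/after counts of the functional indicators it names. The following is an added example, not part of the presentation or the presenter's company's tooling; the records, segment names and indicator counts are constructed sample data.

```python
"""Awareness-program metrics: benchmark, completion by segment,
immediate-level knowledge gain and functional-level indicator change."""
from collections import defaultdict

# Constructed sample records, one per targeted employee. pre/post are
# knowledge-test scores; post is None for anyone who did not complete.
RECORDS = [
    {"user": "u1", "sector": "Finance", "role": "manager", "completed": True,  "pre": 55, "post": 85},
    {"user": "u2", "sector": "Finance", "role": "staff",   "completed": True,  "pre": 40, "post": 75},
    {"user": "u3", "sector": "IT",      "role": "staff",   "completed": False, "pre": 70, "post": None},
    {"user": "u4", "sector": "IT",      "role": "manager", "completed": True,  "pre": 65, "post": 90},
    {"user": "u5", "sector": "HR",      "role": "staff",   "completed": True,  "pre": 30, "post": 70},
    {"user": "u6", "sector": "HR",      "role": "staff",   "completed": False, "pre": 45, "post": None},
]

# Constructed functional-level indicators: monthly counts (before, after)
# of security-related helpdesk calls and reported incidents.
INDICATORS = {"helpdesk_calls": (48, 30), "incidents": (12, 7)}


def benchmark(records):
    """Pre-training baseline: mean pre-test score across the whole target audience."""
    return round(sum(r["pre"] for r in records) / len(records), 1)


def completion_rates(records, key=None):
    """Completion rate for the total audience (key=None) or per 'sector'/'role'."""
    totals, done = defaultdict(int), defaultdict(int)
    for r in records:
        seg = "all" if key is None else r[key]
        totals[seg] += 1
        done[seg] += int(r["completed"])
    return {seg: round(done[seg] / totals[seg], 2) for seg in totals}


def knowledge_gain(records):
    """Immediate level: mean pre and post scores and the gain in points,
    over users who sat both tests (non-completers have no post score)."""
    pairs = [(r["pre"], r["post"]) for r in records if r["post"] is not None]
    if not pairs:
        return None
    pre = sum(p for p, _ in pairs) / len(pairs)
    post = sum(q for _, q in pairs) / len(pairs)
    return {"pre": round(pre, 1), "post": round(post, 1), "gain": round(post - pre, 1)}


def functional_change(indicators):
    """Functional level: percentage change per indicator (negative means fewer)."""
    return {name: round((after - before) / before * 100, 1)
            for name, (before, after) in indicators.items()}
```

Segmenting completion by sector and role is what exposes the audiences (here the two non-completing staff) that a ‘one size fits all’ rollout would hide behind the overall rate.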

  21. The Human Firewall: Creating a security aware workforce
     Andrew Breakwell, Business Development Director, Compliance Division
     APPLIED INFORMATION SERVICES
