The Human Firewall: Creating a security aware workforce
Andrew Breakwell, Business Development Director, Compliance Division
APPLIED INFORMATION SERVICES
Agenda
• Establishing the Need
• Common pitfalls
• Planning
• Delivery
• Evaluation and Metrics
Corporate overview
• Governance, Risk and Compliance (GRC) specialists for more than 16 years
• Focus on improving staff awareness, knowledge and understanding
• Providers of:
  • Information newsfeeds and alerts
  • Learning content and services
  • Risk management and auditing systems
• Part of SAI Global, ASX quoted, c. 950 employees
• Offices in Europe, North America and Australasia
• Global client base – specialists in large scale, international deployments
• 4,000,000+ end users, resources in 20+ languages
Establishing the Need
“Most security breaches occur at ground floor level, through employees making errors or inadvertently revealing information. It is ironic therefore that so many organizations do not have a comprehensive awareness program in place... perhaps missing the obvious and focusing upon the rather more stimulating high-tech threat instead.”
– ISO 17799 News
Establishing the Need
Deloitte 2007 Global Security Survey: ‘79 percent of participants cite the human factor as the root cause of information security failures’
CSI Computer Crime and Security Survey 2007: ‘The average annual loss reported in this year’s survey shot up to $350,424 from $168,000 the previous year’
ENISA, IS Awareness Initiatives – Current practice and the measurements of success (2007): ‘… information security is seen as a high or very high priority in four fifths of respondents.’
‘War stories’
Common pitfalls
• Lack of senior management support
• Adopting a ‘one size fits all’ approach – mismatch between content and target audience
• Not connecting the program to a Needs Assessment
• Objectives and outcomes poorly defined
• Training ‘fatigue’
• Poor communication and planning
• Developing a limited program sized to a given budget target, rather than the program you actually want
• Lack of in-house expertise – not involving other experts
• Assuming it’s a one-time initiative – not an ongoing process
• Lack of evaluation and measurement
• BORING…! Lack of engaging and relevant content
Planning: Needs Assessment
• WHO gets the training
• WHAT training they get
• HOW the training is delivered
• WHERE the training takes place
• WHEN the training takes place
• Over the short, medium and long term
• Aligned with corporate goals and objectives
• Clear business case for all elements
• Clearly defined measurement criteria – benchmarking
Planning: Identify audience
• Full time/Part time?
• New hires, trainees?
• Senior management or management-role?
• Specific departments or job ‘families’ (e.g. HR, IT, Security)?
• Based on job or role (e.g. employees handling large amounts of data, remote workers)?
• Specific technology users (e.g. employees with laptops)?
• Specific location (e.g. country or region, manufacturing site, branch offices)?
• PLUS customers, suppliers?
Planning
• Needs assessment
• Identify audience – not a ‘one size fits all’ approach
• Set objectives and timescales
• Collaborate
• Communicate and market
• What’s available?
• Establish the team – identify project owner
• Identify resource and budget needs
• Express funding needs
• Assign a Program Manager
Delivery: Core training – to include content for senior managers
• E-learning for IT users
  • Reduced delivery costs
  • Reduced training time
  • Flexibility and convenience
  • Engaging and interactive
  • Self-paced and non-threatening
  • Consistent content and delivery
  • Ease of updating
  • Accurate measurement and control
  • Tailored content – ‘off-the-shelf’ or bespoke
• Workshops
  • PowerPoints
  • Handouts
  • Trainers Notes
  • ‘Train the Trainer’ sessions
Delivery: E-learning – engaging content
Delivery: Assessment testing
Delivery: Develop course content
• Core training
• Senior management training
• New starter training
• Refresher training
• Specialist training
• Assessment testing
• Ongoing awareness activity
Delivery: Ongoing awareness activity
• Video ‘Moments’
• Marketing materials
• Interactive e-mails
• Cartoons
• Giveaways
• Posters
• Newsletters
Delivery
• Develop course content
• Confirm technology requirements and test
• Establish tracking and reporting criteria
• Plan and communicate implementation timetable
• Schedule launch and pre-launch activity
• Ensure clear ownership of project
• Analyse effectiveness of training using metrics
Evaluation and metrics
• Benchmarking prior to training
• Completion rates (against previous training?)
  • Total target audience
  • By sector
  • By job role
• Three further levels
  • Reaction level – measuring ‘attitudes’, e.g. through evaluation questionnaires, structured interviews etc.
  • Immediate level – measuring users’ ‘knowledge’, e.g. through pre- and post-training assessment tests
  • Functional level – measuring ‘behavioural’ change, e.g. through observation of business processes and indicators such as helpdesk calls, security breaches and incidents
• Return on investment