LukaszBoral.com - papers

Developing a Security Awareness Program in an IT-structured organization

Set of Guidelines, Characteristics and Requirements for Security Awareness Programs inside any Organization

©2006 Luk Boral, Syracuse University


Table of Contents

Executive Summary
Introduction
Business Process and Problem Background
Vulnerabilities and Threats
Different Approaches of coming up with a Security Awareness Program
  (1) European Network and Information Security Agency’s Perspective
    (a) Plan and Assess Phase
    (b) Execute and Manage Phase
    (c) Evaluate and Adjust Phase
  (2) Program of the National Institute of Standards and Technology by the U.S. Department of Commerce
    Awareness is Not Training!
    Education vs. Training
    Three Models of Security Awareness Programs
  (3) Opinion of a specialist: “Building a Security Awareness Program - Addressing the Threat from Within” (2005) by G.T. Rasmussen
Summary
Conclusion
Appendix


Executive Summary

This paper is a broad analysis of three different approaches to building a Security Awareness Program (SAP). The ultimate goal is to present a process for choosing the right structures and methods of creating a SAP and, through this process, to create a set of rules and activities that will be necessary in a SAP for an average company.

In order to arrive at a guide for developing a Security Awareness Program, different perspectives on creating one will be analyzed by looking at a few different approaches to the same problem. Three documents, “How to Raise Information Security Awareness” by the European Network and Information Security Agency (ENISA, 2006), the governmental security regulations issued by the National Institute of Standards and Technology of the U.S. Department of Commerce (Wilson & Hash, 2003) and “Building a Security Awareness Program - Addressing the Threat from Within” (2005) by Gideon T. Rasmussen, will be the basis for extracting the best guidelines and characteristics of a successful SAP.

In its final part, this paper provides a set of solutions that bring value to the company by providing a general guideline for a successful Security Awareness Program.

“Institute periodic employee security awareness training for all employees; A culture of security awareness must be instilled in the organization so that all employees understand the need for policies, procedures, and technical controls. The first line of defense from insider threats is the employees themselves. All employees in an organization must understand that security policies and procedures exist, that there is a good reason for why they exist, that they must be enforced, and that there can be serious consequences for infractions.”

(Practice #1 from the “Best Practices for Preventing Insider Attacks” published in Common Sense Guide to Prevention and Detection of Insider Threats by D. Cappelli, Andrew Moore and Timothy Shimeall, US-CERT – government organization)

Introduction

The ultimate goal of the present paper is to provide an analysis of different programs and to present a process for choosing the right structures and methods of creating a Security Awareness Program (SAP) and, through this process, to create a set of rules and activities that will be necessary in a SAP for an average company. This paper looks for solutions that will bring value to the company by providing a general Security Awareness Program, not limited just to the IT employees.

In order to arrive at a guide for developing a Security Awareness Program, different perspectives on creating one will be analyzed by looking at a few different approaches to the same problem. The European Network and Information Security Agency (ENISA, 2006) proposed in its newest publication, “How to Raise Information Security Awareness”, a set of procedures and policies that should be followed by the European Union Member States in order to guarantee one stable body. The other perspective is taken from the governmental security regulations issued by the National Institute of Standards and Technology of the U.S. Department of Commerce (Wilson & Hash, 2003). This stricter approach will be used to support the material drawn from the European Union’s organizational perspective. To add a more lenient perspective, some personal opinions of specialists in the field will also be used. A very strong reference was provided by Gideon T. Rasmussen, who in his publication “Building a Security Awareness Program - Addressing the Threat from Within” (2005) provided a short but very helpful method for a clear, global Awareness Program within a company.

The examples provided have the goal of presenting different approaches and methods for creating a Security Awareness Program while at the same time complementing each other and creating a general picture of all the characteristics of a successful SAP. Additionally, a short analysis of possible constraints and limitations will be provided.

Business Process and Problem Background

The Information Age is a time when organizations are networked through wires, different communication channels, the Internet and many sophisticated information systems. The modern company keeps internal records, sensitive personal data about employees, financial operations and business information all in the same network (Stanton, Stam, Mastrangelo and Jolton, 2004), and therefore it requires the intervention of Security Officers.

Results of the FBI and Computer Security Institute report (Sieberg, 2002) show that 78 percent of employers found Internet abuses present in their companies, and the same CSI report states that those abuses led to losses of 50 million dollars in the affected companies. This paper will touch on these issues as well as on other facts that make the internal Information Security Program a very important part of the organizational community.

The importance of this Program translates, furthermore, into the need for general awareness of the security policies and of ways to avoid and mitigate information breach risks. The focal point of this paper will be to draw up a plan for developing a Security Awareness Program for technical employees. Since the significance of internal security will be demonstrated in the following chapters, there is a natural need for creating this Program and making employees, especially the non-technical ones, aware of the security requirements and potential risks of an information breach.

Historically, policies were implemented in organizations as guides for how to make decisions and what to base them on. Policies were defined as a set of rules and regulations that defined the organization’s business processes with regard to values and ethics. Companies established policies to define their mission statement and their theory of business, and to help create and maintain a healthy and cohesive environment. With the development of technology, companies had more to worry about. Fair competition and the avoidance of client mistreatment were no longer the only goals of policies. Companies became obligated to look for solutions to numerous security threats, both inside and outside the company. Today, it is the company’s responsibility to ensure internal strength and security through employees’ awareness and readiness to protect organizational data. Employees nowadays are exposed to sensitive information regarding the company itself as well as all of its clients. Therefore, it is the company’s duty to make sure that this data is used properly and does not harm any of the stakeholders.

Vulnerabilities and Threats [1]

Table 1: Security Threats and Solutions inside the Organization – based on “Analysis of end user security behavior” (2004) by Stanton, Stam, Mastrangelo and Jolton (table graphic not reproduced)

Table 1 presents a set of threats inside a company. There are four types of vulnerabilities and threats originating from the employee (Stanton, Stam, Mastrangelo and Jolton, 2004). They are divided into those caused by naivety, lack of awareness or absence of previous training (Naïve Mistakes and Dangerous Tinkering) and those done on purpose to obtain a specific outcome such as personal benefit or the company’s failure (Detrimental Misuse and Intentional Destruction).

The paper by Stanton et al. describes all the characteristics of these threats in detail. Naïve mistakes are mostly caused by a lack of any awareness of the possible harm that may be caused by specific employee behaviors, such as setting up an easy-to-guess password or making it available to people other than the employee. Dangerous tinkering is very similar, but requires far more technical expertise. A perfect example would be setting up a wireless network that unintentionally becomes available to outside users. Detrimental Misuse and Intentional Destruction are, on the other hand, both intentional and are carried out regardless of awareness of rules and regulations. The first does not require technical skills; an example would be using the organizational email to send SPAM or for other harmful purposes. The second requires both technical skills and the intention to harm the system; examples would be setting up a Denial of Access or stealing restricted files.

This shows that Threat Agents may be people of very different backgrounds and skills. Threats coming from technical and non-technical employees are equally dangerous and may cause similarly damaging consequences.

As Table 1 shows, there are two direct solutions to these threats: Basic Hygiene and Aware Assurance. Basic Hygiene is mostly concerned with basic policies and the ability of all employees to abide by them. Aware Assurance again requires more technical skill and is connected to the ability to discover vulnerabilities and threats based on knowledge of the policies. Both methods are very effective if the policies are strong and well written. This demonstrates the importance of a Security Awareness Program (SAP) and emphasizes its ability to mitigate security risks within the organization. A SAP should contain both methods of limiting threats and give instruction on how to keep these methods alive in the day-to-day work environment.

Lipson & Fisher highlighted that creating an immune system is practically impossible, because the competitiveness and complexity of industries require organizations to give easy and rapid access to all of their stakeholders. These stakeholders, furthermore, can be trusted partners one day and may become the closest competitors the next. Defining trust is very difficult since such relationships are so unstable and ambiguous. Looking further, “trust is especially difficult to establish in the presence of unknown users from unknown sources outside one's own administrative control.” (Fisher and Lipson, 1999, p. 34)

Successful defense against any form of threat therefore depends heavily on the establishment of good policies and on ensuring that all employees are well educated and trained to follow them and are aware of their meaning and consequences. The guide for employees’ awareness, education and training is well known as the Security Awareness Program (SAP), and the goal of the following chapters is to find the patterns shared by different SAPs and to look for the best set of characteristics of such a program.

Different Approaches of coming up with a Security Awareness Program

(1) European Network and Information Security Agency’s Perspective [2]

The ENISA guide focuses on private Internet users and Small and Medium sized Enterprises (SME). For the purpose of the present paper, the part about SMEs has been evaluated.

A Security Awareness Program (SAP) includes the participation of all levels of employees of the company: the Director, IT Management, Business Management and regular employees. ENISA proposes three phases of coming up with a SAP:

- Plan and Assess
- Execute and Manage
- Evaluate and Adjust

(The last two phases may be repeated if changes to the SAP are needed.)

 

(a) Plan and Assess Phase

The first phase is rather introductory and includes all of the projections, designs and plans that need to be made prior to any implementation. There are between 15 and 20 points recommended for consideration when creating a SAP, but this paper shall include the major ones and will focus on those most critical to the entire project.

The significance of any SAP lies in understanding the Theory of Business (TOB) of the company, its mission and objectives. A clear perspective on the company will help in understanding the most sensitive information held by the organization, the threats to this information and the ways to mitigate risks of an information breach. It is highly important that all stakeholders, from the bottom to the top of the management ladder, understand what needs to be done and what will be done. As the ENISA guide states, “It is important to develop an understanding of stakeholder values and issues to address and keep everyone involved for the programme’s duration. If a programme does not have the necessary support from those providing resources and those who will be using the outputs, it is unlikely to succeed. Therefore, the creation of a coalition of interest and support for the programme is very important.” [3]

The next step is to prepare a cost-benefit projection. It is important to identify the benefits of the SAP as well as the expenses connected to it. Since SAPs most of the time introduce new solutions and cause changes within companies, they bring natural fear and resistance. Therefore, besides giving employees a clear understanding of what will be done, it is necessary to provide them with ways to educate themselves about the new program and to train before the new situation occurs.

When all of that “surrounding” is clearly established, the organization can start formalizing the project. It is important to have the objectives and instructions stated very clearly, preferably in easy-to-understand, non-technical language. SAPs are very often directed not only at IT-skilled employees, but most of all at those who are not very technically skilled, and they are the ones who most need to understand the policies. A SAP therefore needs to consist of very precise instructions and rules.

Before any work can be done, the work plan needs to be written and an implementation team needs to be established. The team will have to identify all of the activities, milestones, timescale and needed resources. Again, as with the planning activities, full cooperation and acceptance from all stakeholders is needed.

The SAP should be constructed based on an analysis of the target groups, the vulnerabilities of the system and the sensitivity of the data being exposed. ENISA identified four steps in this process:

- Identification of the Target Group
- Understanding the Situation
- Assessing the Level of Awareness
- Determining Desired Behaviors

This thorough analysis allows the SAP team to create a set of rules that will benefit the organization most. It will also help to implement the SAP within the entire organization. Different target groups may require different approaches and communication channels; therefore this analysis is needed to help reach all departments and levels of management. ENISA proposes to run various metrics to make sure that the SAP will be understood by and available to all of the different target groups. Those metrics include surveys asking how many employees know about current policies, how many abide by them, how many took part in improving them, and what constraints keep them from following the policies they know of but do not follow.

Based on the responses, certain changes should be made and the planning should be adjusted, so that the SAP produces a cohesive reaction from the company. According to ENISA there are multiple channels for propagating the new SAP, and they need to be picked at the end of Phase 1. The following are the major channels that should work most effectively depending on the target group the SAP is trying to reach:

- Brochure or magazine
- Comic
- Distance Learning (online or computer terminals)
- Education Packs and Teaching Materials
- Email
- Special Events (fairs, meetings, seminars)
- Leaflets or Fact Sheet
- eNewsletter
- Newspaper
- Phone
- Poster
- Radio
- Screensavers
- Text messages
- Special Training
- Television
- Video (DVD)
- Website

With the goals and objectives in place, threats and vulnerabilities identified, limitations and constraints uncovered, target groups chosen and surveyed, communication channels established and the project team ready to start, we can move to the second Phase – Execution and Management.

(b) Execute and Manage Phase

The second Phase of the SAP implementation is very straightforward and consists of quite obvious stages such as confirming the plans, reviewing them along with the work plan, launching the SAP, delivering it through the communication channels and, lastly, reporting and documenting.

(c) Evaluate and Adjust Phase

ENISA states, “When new technology is implemented, it often requires a behaviour change or new level of user understanding.” [4] Internal communication therefore plays a significant role here and puts pressure on the SAP implementation team to inform all employees about any changes made and about the policies that will be required of them.

ENISA also emphasizes that there needs to be a clear statement about the consequences of not following the rules of the new SAP. Employees need to know how serious the threats caused by not following the policies are, and need to be trained on how to react when they witness any deviation from those policies.

The evaluation phase is mostly concerned with the proper way of implementing all of the policies and using the correct communication channels to propagate the new message. This phase, furthermore, checks with all stakeholders whether they are satisfied with the new SAP and what the possible reasons for their dissatisfaction might be. It is important that everyone feels responsible for the security of the corporation and understands the basic rules of security hygiene in the work environment.

ENISA is very much concerned with the proper way of planning, executing and reviewing the SAP. They identified the main reasons for the failure of different SAPs, and that is why the step-by-step process of SAP implementation has been introduced. They did not touch on the main rules or most common patterns in policy establishment, but rather spent a lot of time showing how important internal cohesiveness, support and understanding of the security basics are, and how a SAP can be a tool for the internal strength of the company.

(2) Program of the National Institute of Standards and Technology by the U.S. Department of Commerce [5]

The guidelines included in the document titled “Building an Information Technology Security Awareness and Training Program” are aimed at federal agencies. It is a set of rules and regulations that are required of these agencies, but are also recommended to non-governmental organizations.

The model of the initial phases is very similar to the one proposed by ENISA (previous chapter). Wilson and Hash list the key factors of a SAP, which are: understanding the company’s mission, the company’s assets and the threats to them, the responsibilities of the IT department and the state of the current policies.

Wilson and Hash, furthermore, divided the process of creating a SAP into three parts that are identical to what was proposed by ENISA:

- Designing
- Developing
- Implementing

In this example, the review part, along with the evaluation, is folded into the design and implementation parts. Because of the close similarities between the two guidelines, an analysis of the three steps would be somewhat redundant; therefore, the present paper will focus more on what Wilson and Hash chose to emphasize as the characteristics of a good SAP and the ways to create a successful one.

Awareness is Not Training!

A very important thing to understand when designing an Awareness Program is that, “Awareness is not training; the purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities, the learner is the recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate the job performance.” (Wilson and Hash, 2003, pp. 8-9)

Re-evaluating this statement, it is important to recognize that a successful SAP should:

- Recognize IT security concerns and teach how to respond to threats
- Reach with its content preferably all of the company’s employees; and to do so, it needs to be presented through various communication channels

Education vs. Training

Education is very tightly connected to awareness. It is concerned with knowledge and the ability to use this knowledge in order to recognize threats, avoid risks and react accordingly when appropriate.

Training, on the other hand, focuses on skills and abilities. According to Wilson and Hash, “Training strives to produce relevant and needed security skills and competencies” (Wilson and Hash, 2003, p. 9).

Both of these methods of raising security in the company are expected of an organization and will benefit it as well. When dealing with SAPs, however, one needs to understand the difference between the two. Education is the main objective of a SAP, because a SAP is concerned with raising the awareness of all employees rather than raising their technical skills.

Three Models of Security Awareness Programs

Wilson and Hash recognized three different models which represent three different approaches to the design and implementation of a SAP. They are divided based on the roles assigned within the company. Wilson and Hash distinguished:

- Centralized Program Management Model – there is a Central Authority that has total control over the entire SAP; its budget, planning, implementation, scheduling and all directives come from the Central Authority.
- Partially Decentralized Program Management Model – the Central Authority still has control over the budget, design and planning, but implementation becomes the responsibility of the line managers of the individual departments.
- Fully Decentralized Program Management Model – the Central Authority gives only a broad, global opinion on how the policies should be constructed, what the main objective of the SAP is and when it should be implemented, but the individual organizational units are responsible for planning, design and implementation. The Central Authority plays the role of a global supervisor by issuing globally distributed directives.

These three models present different approaches to role distribution within the organization, and they can be chosen according to the size of the company, the diversification of departments, the availability of resources and the number of employees with different functions.

All three of these “lessons” complete the major requirements of a successful SAP and create a picture of what it should look like and how it should be done. Wilson and Hash created a strong definition of the theory behind SAPs. They also proposed a list of different topics that can be covered in a SAP (see Appendix).

The importance of Wilson and Hash’s document is, moreover, that a SAP is very much dependent on the Theory of Business of each company and needs to be tightly adjusted to the way the organization operates and does business.

(3) Opinion of a specialist: “Building a Security Awareness Program - Addressing the Threat from Within” (2005) by G.T. Rasmussen [6]

Gideon T. Rasmussen talks about SAPs in a very easy-to-understand way, using common-sense wording and very convincing arguments. He believes that the SAP itself should be the same: easy, clear and widely distributed. According to his personal experience, new security tips should be distributed by email every other week and should also be discussed at regular luncheons.

Rasmussen confirms many of the statements made previously in this paper: it is recommended that each department and each site have representatives involved in creating and/or updating the SAP. This is needed so that the new rules do not limit the productivity and general efficiency of the entire company.

“Gideon T. Rasmussen is an information security professional with 10 years of experience in Fortune 50 and military organizations. His management experience includes responsibility for security throughout an organization, IT operations management, and the construction and hardening of B2B web sites. Gideon is currently employed as a Vice President of a large financial institution. Past positions include Director of Technical Operations, Infrastructure Security Manager and Information Systems Security Officer. Gideon has audited entire organizations, IT departments, large corporate data centers, hosting providers and secure operations centers.

Gideon researches trends in the security industry and develops strategies to combat emerging threats. Throughout his career Gideon has worked in high pressure environments, requiring multitasking abilities. These real world challenges led him to develop a flexible system of information security management. He has also authored many information security articles and is an active participant in the information security community. Gideon is a veteran of the United States Air Force and currently holds the following certifications: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and NSA INFOSEC Assessment Methodology (IAM).”

From Personal Bio available at http://www.gideonrasmussen.com

Gideon Rasmussen listed the following main topics that each SAP should touch on:

- Viruses and Trojan Horses
- Passwords – sensitivity and importance of keeping them private
- Workstation security – locking computers
- Continuity and Consistency
- Destruction of sensitive materials
- Photography – restrictions and limitations
- Systematic removal of accesses – limiting access when not needed
- Laptops – special security on mobile devices and remote access
- “Don't be afraid to say no” – awareness of what is good and what is bad, and the ability to stand up for the right
- Piggybacking and tailgating – dangers connected to losing one’s own privacy
- Social engineers – possible manipulations and ways of avoiding fake requests; the ability to “trust responsibly”
- Operations security
- Backup your data
- Security incidents – giving constant examples of failures as well as giving a good example that others can follow

He elaborates in his papers on how important it is to make the problem of security an everyday discussion and part of everyday work. Since it is a very complex problem that needs to be understood by all employees, it is critical to have the SAP in place, but also to keep feeding employees with its content and to be creative about implementing new policies. A variety of communication channels should help Security Officers reach the audience in the most effective ways. A SAP cannot interfere with any of the day-to-day work activities, and that is what makes the Security Personnel one of the most creative groups in the entire organization.

Summary

Three different documents aimed at different audiences share a common pattern, but include different approaches. These differences match and complete each other perfectly, and through the analysis create a general guideline for a successful SAP. Table 2 presents a chart summarizing the most important concepts of each document and brings them together to create a set of guidelines for a fully successful SAP.

Table 2: Summary of all the characteristics of a successful Security Awareness Program (table graphic not reproduced)

Conclusion

A Security Awareness Program (SAP) is a very complex and sophisticated project, and it requires strict guidelines in order to be successful. General security inside the organization can be improved by implementing the characteristics listed in the summary.

Discipline and awareness of all stakeholders become critical and are a direct factor in the success or failure of any SAP.

The recommended guidelines will lead to a successful SAP, and this program will improve overall security within the organization. A successful SAP makes employees aware of security threats, informs them about ways of avoiding risks and creates integrity between them, which furthermore limits the possibility of internal breaches. Aware Assurance and Basic Hygiene[7], which were mentioned in the introduction, form a hard wall against any security threats to the organization. A successful SAP contains these two methods of limiting security risks.

A Security Awareness Program that is properly implemented and successfully enforced and followed fulfills the requirement stated by Stanton et al. in their paper to stop wrong end-user behaviors. A SAP limits the risk of unintentional mistakes and naïve behaviors that may lead to serious security breaches.

Since “The first line of defense from insider threats is the employees themselves” (Cappelli, Moore and Shimeall, 2005), SAPs play an extremely important role in making the company more secure and immune to external and internal attacks.

References

 

Cappelli, D., Moore, A., and Shimeall, T. “Common Sense Guide to Prevention and Detection of Insider Threats”. US-CERT. 2005. Available at: http://www.us-cert.gov/reading_room/prevent_detect_insiderthreat0504.pdf

 

ENISA. A User’s Guide: How to Raise Information Security Awareness. European Network and Information Security Agency Press, 2006.

 

Fisher, D.A and Lipson, H.F. "Emergent Algorithms – A New Method for Enhancing Survivability in Unbounded Systems". Proceedings of the 32 "d Annual Hawaii International Conference on System Sciences, Maui, Hawaii, January 5-8, 1999 (HICSS-32), IEEE Computer Society, 1999. Available at: http://www.cert.org/archive/html/emergent-algor.html

 

Loch, Karen D. “Threats to Information Systems: Today’s Reality, Yesterday’s Understanding”. MIS Quarterly Vol. 16, No. 2 (June 1992), p. 173-177.

 

Rasmussen, Gideon. “Building a Security Awareness Program - Addressing the Threat from Within”. 2005. Personal Web Page. Retrieved October 14, 2006 from http://www.gideonrasmussen.com/article-01.html

 

Sieberg, Daniel. “FBI: Cybercrime rising”. April 8, 2002. CNN.com. Retrieved October 15, 2006 from http://archives.cnn.com/2002/TECH/internet/04/07/cybercrime.survey/

 

Stanton, Jeffrey M., Stam, Kathryn R., Mastrangelo, Paul and Jolton, Jeffrey. “Analysis of End User Security Behavior”. July 12, 2004. Computers & Security. Elsevier, 2004.

 

Wilson, Mark and Hash, Joan. “Building an Information Technology Security Awareness and Training Program”. October 2003. National Institute of Standards and Technologies. U.S. Department of Commerce. Washington D.C.: U.S. Government Printing Office, 2003.

Appendix

The following list of topics that might be covered in a Security Awareness Program (SAP) in any kind of company is provided by Wilson and Hash [8]:

- Password usage and management – including creation, frequency of changes, and protection
- Protection from viruses, worms, Trojan horses, and other malicious code – scanning, updating definitions
- Policy – implications of noncompliance
- Unknown e-mail/attachments
- Web usage – allowed versus prohibited; monitoring of user activity
- Spam
- Data backup and storage – centralized or decentralized approach
- Social engineering
- Incident response – contact whom? “What do I do?”
- Shoulder surfing
- Changes in system environment – increases in risks to systems and data (e.g., water, fire, dust or dirt, physical access)
- Inventory and property transfer – identify responsible organization and user responsibilities (e.g., media sanitization)
- Personal use and gain issues – systems at work and home
- Handheld device security issues – address both physical and wireless security issues
- Use of encryption and the transmission of sensitive/confidential information over the Internet – address agency policy, procedures, and technical contact for assistance
- Laptop security while on travel – address both physical and information security issues
- Personally owned systems and software at work – state whether allowed or not (e.g., copyrights)
- Timely application of system patches – part of configuration management
- Software license restriction issues – address when copies are allowed and not allowed
- Supported/allowed software on organization systems – part of configuration management
- Access control issues – address least privilege and separation of duties
- Individual accountability – explain what this means in the organization
- Use of acknowledgement statements – passwords, access to systems and data, personal use and gain
- Visitor control and physical access to spaces – discuss applicable physical security policy and procedures, e.g., challenge strangers, report unusual activity
- Desktop security – discuss use of screensavers, restricting visitors’ view of information on screen (preventing/limiting “shoulder surfing”), battery backup devices, allowed access to systems
- Protect information subject to confidentiality concerns – in systems, archived, on backup media, in hardcopy form, and until destroyed
- E-mail list etiquette – attached files and other rules.

[1] Stanton, Jeffrey M., Stam, Kathryn R., Mastrangelo, Paul and Jolton, Jeffrey. “Analysis of End User Security Behavior”. July 12, 2004. Computers & Security. Elsevier, 2004.

[2] ENISA. A User’s Guide: How to Raise Information Security Awareness. European Network and Information Security Agency Press, 2006.

[3] Ibid., p. 16.

[4] Ibid., p. 47.

[5] Wilson, Mark and Hash, Joan. “Building an Information Technology Security Awareness and Training Program”. October 2003. National Institute of Standards and Technology. U.S. Department of Commerce. Washington D.C.: U.S. Government Printing Office, 2003.

[6] Rasmussen, Gideon. “Building a Security Awareness Program - Addressing the Threat from Within”. 2005. Personal Web Page. Retrieved October 14, 2006 from http://www.gideonrasmussen.com/article-01.html

[7] Stanton, Jeffrey M., Stam, Kathryn R., Mastrangelo, Paul and Jolton, Jeffrey. “Analysis of End User Security Behavior”. July 12, 2004. Computers & Security. Elsevier, 2004.

[8] Wilson, Mark and Hash, Joan. “Building an Information Technology Security Awareness and Training Program”. October 2003. National Institute of Standards and Technology. U.S. Department of Commerce. Washington D.C.: U.S. Government Printing Office, 2003.