
Chapter 4 - Using NIST within an Information Security Awareness Program


3.5 SANS Information Security Awareness Roadmap

3.5.1 Overview

The roadmap defined by SANS for information security awareness provides the same end-result as the ENISA information security awareness framework, namely the design, development and implementation of an information security awareness program. A roadmap is defined as sequential steps to be completed to obtain a result (Merriam-Webster 2014b). A framework is defined as “a set of ideas or facts that provide support for something” (Merriam-Webster 2014a); following either should therefore lead to a predictable outcome. In other words, both a “framework” and a “roadmap” produce a predictable result.

The SANS roadmap is depicted in Figure 3-6 and graphically illustrates the progression from having no awareness program to sustaining the awareness program within the organisation. The roadmap follows five sequential stages: Stage 1 (No awareness program), Stage 2 (Compliance Focus), Stage 3 (Promote Awareness and Change), Stage 4 (Long Term Sustainment) and Stage 5 (Metric Framework). Stage 2 starts from the organisation's existing policies. Most organisations develop policies that employees need to follow to ensure that the organisation complies with the standards it has adopted. Policies could, for example, address the number of leave days an employee can take within a year, define the duties and responsibilities of an employee, or require adherence to work schedules. The company's policies are used as the guideline for designing and developing the information security awareness program; in other words, the content of the policies that drive compliance in the company is reflected in the information security awareness program. The key decisions to be made during this stage are the identification of the applicable compliance standards, the decision to develop or procure the information security awareness training material, and how the progress of the participants will be tracked.

Figure 3-6: SANS Information Security Awareness Roadmap (SANS 2010)

No awareness program (Stage 1)

• Program does not exist

Compliance Focus (Stage 2)

• Designed primarily to meet specific compliance or audit requirements

Promote Awareness and Change (Stage 3)

• Program identifies the training topics that have the greatest

• Content is communicated in an engaging and positive manner that encourages behavior change

Long Term Sustainment (Stage 4)

• Processes and resources in place for a long-term life cycle

• Established part of the organization's culture

Metrics Framework (Stage 5)

• Track progress and measure impact.

As part of the SANS roadmap, supporting documents are provided to guide the information security awareness developers at each stage. The documents for each stage are listed in Table 3-1. No documents are provided for Stage 1, since no program exists at that stage. The information security awareness program is initiated by the documents named in “Stage02”. Some of the documents that form part of the SANS roadmap are discussed next.

The supporting document “Stage02-01-ComplianceRequirements.docx” is used to describe the compliance requirements and can be used to justify the information security awareness program to the various stakeholders. It is imperative to have stakeholder buy-in for the program, as the program will have a financial impact on the company's bottom line and could also affect the productivity of the participants. “Stage03-08-ExecutionPlan.docx” describes the purpose, scope, policy and enforcement of the information security awareness program. These documents are freely available and can be downloaded (see footnote 1).

The next step is the design and development of the training topics that form part of the information security awareness program. The selection of the training topics is conducted during this design and development phase. The topics can be communicated to the participants of the program through various channels, including screensavers, posters, computer based training (CBT), in-person training, games or group discussions. The objectives of the information security awareness program are achieved when the behaviour of the participants changes as a result of the knowledge captured in the topics. Examples of positive change are participants logging out of their computer workstations when they leave the office, or using complex passwords after attending the training.

1 http://www.securingthehuman.org/media/resources/planning/STH-RESOURCE-AwarenessPlanningKit.zip

The involvement of stakeholders is also required at this step. They provide the required funding and assist in the other processes needed to make the information security awareness program successful; for example, staff must be released to attend the training. The supporting documents at this step capture stakeholder information, present the need for the information security awareness program, contain a preliminary risk survey that gives a high-level picture of the current risk in the company (and thereby also shows the need for the program), and finally provide a project charter describing funding, scope, objectives, milestones, assumptions and constraints. The project charter also records the final decision to support the awareness program and approve the project. The deployment and execution steps of the information security awareness program can only be completed once this formal approval has been obtained.

The next step assures the long-term sustainability of the information security awareness program. This can only be achieved when information security becomes part of the organisation's culture and participants repeatedly attend awareness programs. The advantages of this are two-fold:

• Knowledge is kept current, so that the latest threats can be mitigated when they are encountered.

• Knowledge is retained longer when the participant is repeatedly exposed to the same information.

An iterative process needs to be followed to obtain feedback from stakeholders (including a review of participants' feedback), and to assess all the topics for continued relevance, given the rapid change in technology over time. It is also important to review the awareness levels of the employees of the organisation. The supporting documents list the status of each topic and provide ownership and action information. Action information defines the changes to be implemented, for example updating the content of a topic because the underlying technology has changed.

The final step is to have a platform in place for collecting information that continuously measures the information security awareness levels in the company. This helps to identify potential areas of concern and to measure the effectiveness of the deployed information security awareness program. The measuring platform collects data from various metrics; examples of information security awareness metrics are listed in Table 3-2.

Table 3-2: Example of Information Security Awareness Metric Table (only the first columns and the first row survived extraction)

Metric Name | What is

Weekly Security Team | Weekly newsletter is distributed to

The supporting documents list a metric matrix (“Stage05-01-MetricsMatrix.xlsx”) which could be used within a company, but it needs to be customised to the company’s environment.

3.5.2 Evaluation Result of SANS Information Security Awareness Framework

The SANS information security awareness roadmap provides a high-level description of what is required in each step with additional supporting documents to record information such as approved decisions with each milestone. The supporting documents are customisable for different environments and are merely a guideline of what needs to be achieved at each milestone or stage.

An advantage of using this roadmap is that the design and development of the awareness program are based on information security awareness standards and use metrics to measure the effectiveness of the information security awareness program. This provides a detailed view of the information security awareness levels within the organisation. The implementation of metrics as part of the SANS information security awareness roadmap could be adapted and applied within a customised information security awareness program.

A potential drawback of the SANS roadmap is a possible decrease in effectiveness in an agile environment. Some information security awareness programs do not need formal platforms to approve decisions: organisations with flat structures have few management layers, which allows prompt decision making. The roadmap, by contrast, assumes a highly structured environment in which stakeholder buy-in and approvals are obtained through formal documents such as project charters, and this could delay the implementation of the program within the organisation. Even so, the SANS roadmap takes less time to implement than the ENISA information security awareness framework.

In the next section the NIST framework is discussed.

3.6 National Institute of Standards and Technology (NIST) Security