Effective Security Awareness
Workshop Report

Figure 1: The effective security awareness process
1. Set objective for security awareness: 1.1 Identify security awareness problems; 1.2 Set high-level programme objective; 1.3 Set specific campaign goals; 1.4 Define and establish campaign metrics
2. Scope and design security awareness programme: 2.1 Perform stakeholder analysis; 2.2 Identify driving and resisting forces; 2.3 Identify appropriate action steps
3. Develop and deliver security awareness campaigns: 3.1 Define security awareness messages; 3.2 Unfreeze existing behaviour; 3.3 Deliver messages; 3.4 Refreeze new behaviour
4. Evaluate effectiveness of campaigns: 4.1 Evaluate campaign effectiveness; 4.2 Revise campaign/programme; 4.3 Run further campaigns
Executive Summary
Data from the Forum’s Information Security Status Survey indicates that most Members believe that the effectiveness of their security awareness initiatives does not rate especially highly, and that more than four out of five feel they do not commit sufficient time and resources to their awareness activities. These concerns – combined with comments from many Member organisations that security awareness activities often fail to deliver a lasting behaviour change – were addressed during a series of eight workshops run by the Forum on the topic of Effective Security Awareness.
At the workshops, Members agreed that awareness initiatives often fail because they:
• are not managed as a formal programme of work, and lack formal objectives, a business sponsor or the necessary resources for their successful completion
• are not aimed at specific business problems, but instead stem from a belief that awareness needs to be raised
• do not use specialised awareness materials
• do not incorporate a mechanism for assessing security behaviour, but instead measure security knowledge.
In order to address these issues, the workshops examined a process developed by the Forum to deliver lasting behavioural change, based on the concept of effective security awareness. The process – shown in Figure 1 opposite – is derived from a proven approach that facilitates a positive change in behaviour by examining the forces driving and resisting that change. The key stages of the process are to:
• set a clear, measurable objective for security awareness activities
• create a structured programme of awareness work that includes one or more campaigns, where each campaign has a goal to change an aspect of security behaviour
• develop and deliver the awareness messages, and ensure that the desired security-positive behaviour is maintained
• measure the effectiveness of the awareness campaigns to confirm the change to security-positive behaviour, and revise and repeat the awareness campaigns if necessary.
The key findings of this project are important for anyone planning or managing information security awareness activities. They provide a unique insight into a new process for planning and implementing security-positive behaviour change.
WARNING
This document is confidential and purely for the attention of and use by organisations that are Members of the Information Security Forum (ISF). If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on [email protected] or on +44 (0)20 7213 1745.
Any storage or use of this document by organisations which are not Members of the ISF is not permitted and strictly prohibited.
This document has been produced with care and to the best of our ability. However, the Information Security Forum accepts no responsibility for any problems or incidents arising from its use.
Table of contents

Part 1: Introduction
This report 1
Purpose of this report 1
Who should read it 1

Part 2: Basis for this report
Background 2
Validity of the effective security awareness process 5

Part 3: Security awareness
What is security awareness? 6
The importance of security awareness 6
A traditional model for security awareness 7
Key issues 8
Extent of awareness activities 10
Drivers for security awareness 12
Objective of awareness activities 13
Sponsorship of awareness activities 14
Awareness topics 15
Effectiveness of the traditional model 17
Commitment to delivering awareness 18

Part 4: From awareness to behaviour change
The need for a new awareness model 20
Influencing risk perception 20
The impact of organisation culture 21
Reluctance to change 22
Creating security-positive behaviour 22
The importance of equilibrium 25
Maintaining security-positive behaviour 28

Part 5: Effective security awareness
What is effective security awareness? 30
A new approach to security awareness 31
Stage One: Set objective for security awareness 32
Stage Two: Scope and design security awareness programme 39
Stage Three: Develop and deliver security awareness campaigns 48
Stage Four: Evaluate effectiveness of campaigns 58
Summary 63

Part 6: Conclusions and next steps
Conclusions 64
How the process addresses the key issues 64
Figure 2: Effective security awareness
Effective security awareness
is achieved through
an ongoing process of learning
that is meaningful to recipients,
and delivers measurable benefits to the organisation
from lasting behavioural change.
The benefits of awareness activities must be quantifiable in order to determine value for money and whether the programme itself is successful in achieving its objectives.
Security awareness must be delivered through an ongoing, continuous programme of work, as opposed to a finite set of activities that stop and are not continued.
The awareness programme should not only result in a security-positive change in behaviour, but that change should last longer than the programme itself.
The key messages, tone and approach of the programme must be relevant to the audience and consistent with their values and goals: if security is perceived as a hindrance to their own personal activities, then the message will carry little meaning.
Part 1: Introduction
This report
Many organisations run security awareness programmes in order to encourage security-positive behaviour in their employees, but these programmes often fail to deliver any lasting benefit. This leads many organisations to ask:
• whether it is possible to create a change in staff attitude to security that has sustainable, quantifiable benefits for the organisation
• what the success factors are that make for an effective security awareness programme.
In order to provide Members with a fresh perspective on this topic, the Forum ran a series of workshops on Effective Security Awareness. The definition for effective security awareness shown in Figure 2 opposite, was validated by Members at all of the workshops.
This concept of effective security awareness is explored throughout this report, and the definition is described in greater detail in Part 5, Effective security awareness.
Purpose of this report
The purpose of this report is to assist Members in their goal of making effective, positive and lasting change in security behaviour through awareness. The report does this by:
• documenting Members’ experiences of security awareness and the lessons they have learnt: both from material collected from Members before the workshops and from ‘know how’ shared at the events themselves
• setting out the principles of an effective security awareness campaign: in particular, by examining closely the issues associated with getting people to change their behaviour
• providing a process for awareness that Members may wish to consider in order to become agents of positive change within their organisations.
Who should read it
This report is aimed primarily at information security professionals, but is also intended for any individual within a Member organisation with an interest in or responsibility for the development or delivery of security awareness programmes or materials. The reader should have some familiarity with security awareness techniques prior to reading this report.
WARNING
This report is not intended to be a full Forum report and has not involved the detailed level of analysis that would be normal for such a document.
Part 2: Basis for this report
Background
In 1993, the Forum published an Implementation Guide on How to make your organisation aware of IT security. The Implementation Guide provides a comprehensive framework for the planning and implementation of an IT security awareness programme.
Since the publication of the Implementation Guide, both security technology and the management approach to security have changed significantly; for example, the Internet has become an important enterprise resource, and security standards have been developed to manage its threat to enterprise security. These new controls require end users to adopt new security behaviours which in turn require new security awareness initiatives.
The Forum therefore decided to run a series of workshops to explore how Members are addressing the subject of security awareness now, and what the critical success factors are for an effective security awareness programme.
To prepare for the workshops, the Forum drew upon a range of information sources, including:
• previous Forum reports, including Information Security Culture: A preliminary investigation and Driving Information Risk Out of the Business
• results from the Information Security Status Survey
• research by the project team
• results from a questionnaire of participating Members
• presentations by Members at the workshops
• case studies of Members’ security awareness experiences.
These information sources were used to define and develop the workshop contents, and are described in greater detail below and on the following pages.
Previous Forum reports
The Forum has already produced several reports that are relevant to an information security awareness programme. The current workshop report complements the existing materials, details of which are shown in Table 1 opposite:
Table 1: Previous security awareness reports

It Could Happen to You: A Profile of Major Incidents (2000)
This report contains details of 13 information incidents that had a major impact on Member organisations. The incidents provide valuable examples for use within a security awareness programme by providing:
• a realistic view of the range of events that can compromise business information
• insights into their causes and their business impact
• practical suggestions for action to prevent recurrence of the incidents.

Information Security Culture: A preliminary investigation (2000)
This report presents the results of a preliminary investigation into the nature of an organisation’s culture and its importance in determining the level of information security in that organisation.

Driving Information Risk Out of the Business (1999)
This report presents quantified information about the business risks of breakdowns in information security. It is based on the results of the Information Security Status Survey and other quantitative research. It also presents a framework for action, designed to help Members strengthen their information security arrangements and bring risks down to an acceptable level.

The Impact of Security Management (1999)
This is one of a series of publications arising from the results of the Forum’s 1998/99 Information Security Status Survey. The report focuses on the arrangements made to promote good information security practices (eg security organisation, programmes and resources). It identifies what organisational arrangements and resources are required, measures the impact of individual programmes and outlines what individual Members can do to strengthen their existing arrangements, thereby maximising the contribution they make to business success.

How to make your organisation aware of IT security (1993)
This report is aimed at all organisations that wish to start or improve their security awareness programmes. It sets out a method for developing and delivering security awareness campaigns, and provides tips on how to ensure the success of those campaigns.

This list does not cover all of the Forum’s awareness documentation; in particular, valuable material is available in The Forum’s Standard of Good Practice.

The Forum’s Information Security Status Survey
The Forum’s Information Security Status Survey (‘the Survey’) allows Members to complete a detailed questionnaire at intervals of their choosing and obtain a thorough analysis of their information security status, giving a clear picture of performance across all aspects of information security.
Security awareness is one of the sets of controls probed by the Survey. The Forum drew upon the Survey results database to determine the impact of security awareness on the overall level of security. These results are presented at relevant points within Part 5, Effective security awareness.
Research
The project team called upon the resources of vendors, service providers and media reports in order to research the workshop contents.
To ensure that this research was valid and provided a fresh perspective on the subject, the team was joined by Dr John Maule, Director of the Centre of Decision Research and Senior Lecturer in Management Decision Making at Leeds University Business School. Dr Maule has an international reputation in research on human decision making and risk taking, focusing in particular on the mental models that underlie strategic choice, the effects of time pressure and stress, and various aspects of human risk taking, including how to communicate risk.
Dr Maule contributed to the research, and presented at five of the eight workshops.
The questionnaire
Prior to the workshops, participants were asked to complete a questionnaire about their opinions of security awareness and the effectiveness of awareness in their organisations. A total of 80 individuals from 72 Member organisations completed the questionnaire, the results of which are presented at relevant points within this report.
The questionnaire, and its consolidated results, are available on the Forum’s Member Exchange (MX) System, as are copies of the presentations, workshop packs and workbooks.
Member presentations
Eight Effective Security Awareness workshops were held.
Participants had the opportunity to share experiences, issues and ideas for effective security awareness. They also worked through the Effective Security Awareness process described later in this report using examples from their own organisations.
Each workshop included presentations from Members, as detailed in Table 2 opposite:
Table 2: Workshop presentations

| Venue | Date | Presenter | Presentation Topic |
| --- | --- | --- | --- |
| Copenhagen | 5 September 2001 | Per Verdelin, TDC Services | The Elements of an Awareness Project |
| Copenhagen | 5 September 2001 | Melle Beverwijk, Infosecure | Awareness Programme for Information Security |
| Dublin | 6 September 2001 | Martina Costelloe, AIB | Security Awareness |
| Dublin | 6 September 2001 | Jim Sheridan, British Airways | The Chameleon Programme |
| London | 10 September 2001 | Steve Pomfret, Nationwide Building Society | Security Awareness |
| London | 10 September 2001 | Amanda Finch, Marks & Spencer | Development of an Awareness CBT Campaign at M&SFS |
| Cheshire | 25 September 2001 | John Wall, Clerical Medical | Changing Staff Attitudes |
| Cheshire | 25 September 2001 | Martin Whitehead, The Co-operative Bank | Staff Awareness |
| London | 26 September 2001 | Mark Goddard, Friends Provident | Experiences From The Front Line |
| London | 26 September 2001 | Adrian Wright, Reuters | A CBT System for Security Awareness |
| Amsterdam | 28 September 2001 | Saïda Wulteputte, Procter & Gamble | How We Failed and How We Plan to do Better in the Future |
| Amsterdam | 28 September 2001 | Melle Beverwijk, Infosecure / Klaas Bruin, KLM | Awareness Programme for Information Security |
| Johannesburg | 6 November 2001 | Geoff Tumber, SCMB | Security Awareness |
| Chicago | 5 December 2001 | Dan Landess, State Farm Insurance | Information Security Awareness |
Case studies
During the research and delivery of the workshops, the project team met with Members to discuss their experiences of Information Security Awareness.
Since the topic is subjective, and experiences vary greatly between organisations, the objective was not to provide comparisons between Members, but instead to gather useful information about their awareness activities. This report therefore contains anecdotal case studies that describe the experiences of individual Member organisations and the lessons that they have learnt through their awareness programmes.
Validity of the effective security awareness process
The effective security awareness process described in this report was revised after each workshop to ensure that it provides a practical, usable method to develop an effective security awareness programme.
When the workshops were complete, the project team spent two days with the information security team from a Member organisation working through the process to test its validity in a real environment.
Part 3: Security awareness
What is security awareness?
In 1993, the Forum published an Implementation Guide on How to make your organisation aware of IT security. The Guide includes a framework for the planning and implementation of an IT security awareness programme, and provides a definition of security awareness as follows:
Information security awareness is the degree or extent to which every member of staff understands:
• the importance of information security
• the levels of information security appropriate to the organisation
• their individual security responsibilities
…and acts accordingly.
The definition was validated by Members at all of the workshops, who agreed that it is still relevant.
The key element of this definition is the final line, since awareness is itself of no value unless it results in a desired change in behaviour.
The importance of security awareness
The effective management of information security requires a combination of technical and procedural controls to protect information assets. However, these controls can be circumvented or abused by employees who disregard their organisation’s policies for security behaviour. Therefore the implementation of effective security controls is dependent upon creating a security-positive environment where employees understand and engage in the behaviour that is expected of them. The use of security awareness to create and maintain security-positive behaviour is a critical element in an effective information security environment. The Information Security Status Survey provides data on the value of promoting information security activities. The results of question SM2401: Is awareness of information security promoted across the enterprise? are shown in Figure 3 opposite:
Figure 3: SM2401: Is awareness of information security promoted across the enterprise? (bar chart of the percentage of organisations answering Yes or No, split between those that did not experience a major incident and those that did)
The results suggest that organisations that do not promote information security awareness are more likely to experience a major security incident than those that do promote awareness. A security-positive environment is a pre-requisite for certain other security initiatives. For example, a scheme of information classification – whereby staff can assign a label to information that will determine the security controls to be applied to it – is dependent upon all staff understanding and respecting the classification mechanism, which in turn requires staff to understand and respect information security.
A traditional model for security awareness
The Implementation Guide How to make your organisation aware of IT security proposes a four-step model for delivering a security awareness programme. The model allows for multiple awareness campaigns, where:
• a security awareness programme is a continuous undertaking aimed at building and sustaining a security-positive environment
• a security awareness campaign is one of a number of defined activities aimed at a special audience and/or at a specific security problem: for example, informing users about the threat from viruses, and teaching them how to control that risk.
The security awareness programme is used to determine the scope of work and to define the multiple security awareness campaigns, as shown at a high level in Figure 4 overleaf:
Figure 4: Traditional model for security awareness (the programme starts with a single phase, Determine programme scope, which defines campaigns 1 to 3; each campaign then has its own Design, Develop and Deliver phases, shown running in parallel; the awareness programme sits alongside other security initiatives)
The model comprises multiple campaigns forming an overall programme of work. The programme commences with a scope phase, which defines the security awareness campaigns, each of which will then have separate design, development and delivery phases. These may run sequentially or in parallel (as shown in Figure 4).
Key issues
The traditional model for security awareness described in How to make your organisation aware of IT security is widely used by Members. However, organisations represented at the workshops complained that security awareness activities fail to deliver a lasting behaviour change: that is, staff adopt the desired security-positive behaviour for a short period of time, but often revert to their previous behaviour when the awareness activities have finished.
To better understand the effectiveness of the traditional approach to security awareness, 80 participants from 72 Member organisations completed a questionnaire about their activities. The following sections explore the key issues associated with the traditional approach to security awareness. These are derived from statistical evidence from the questionnaire and the Information Security Status Survey, and anecdotal feedback from workshop
Table 3: Key issues for security awareness

Key Issue 1: The majority of security awareness activities are not managed as a formal programme of work.
Consequences:
• Awareness programmes may not be correctly prioritised against other security activities
• The pace of delivery is not maintained due to a lack of formal deadlines and commitments

Key Issue 2: The belief that awareness needs to be raised is the most common reason for commencing a security awareness programme.
Consequences:
• The business case for security awareness is hard to justify because the need has not been clearly identified
• Value from an awareness activity cannot easily be quantified when the problem it is intended to address is not defined

Key Issue 3: Very few awareness programmes have a formal, documented objective.
Consequences:
• The purpose of the awareness programme may be unclear
• It may be hard to evaluate success since the desired outcome is unknown
• It may be difficult to determine the financial value of security awareness to the organisation
• The relationship between various security campaigns is uncertain, and their relationship with other security activities is unknown. This may cause conflict or confusion between security activities

Key Issue 4: The security management team sponsors the majority of awareness programmes.
Consequences:
• Business management are reluctant to release staff for awareness training because they have not committed to the activities
• Recipients of awareness training do not appreciate the importance of security or its relevance to their roles since their line managers have not communicated the need
• The programme fails to achieve a culture change because staff do not see senior management – who may themselves have security-negative attitudes – leading that change

Key Issue 5: Many security awareness campaigns do not use specialised awareness materials.
Consequences:
• Staff do not understand what is expected of them – since the awareness message does not specify who should do what – and are therefore less likely to adopt the desired behaviour
• Campaigns fail because staff have heard similar messages before and are no longer interested

Key Issue 6: The majority of awareness campaigns do not incorporate a mechanism for assessing their own effectiveness, but instead measure the level of security knowledge of staff.
Consequences:
• Measurement of awareness proves little except that the individual has received the awareness messages: measurement of effectiveness proves whether the message has actually changed behaviour
• Without firm evidence of effectiveness, it is difficult to justify or measure the success of awareness, and hence this can become a major obstacle to commencing an awareness programme

Key Issue 7: Most organisations fail to commit sufficient resources to their awareness programme.
Consequences:
• A security function which does not receive adequate resources for security awareness is likely to focus instead on other activities that are perceived to be more important
Extent of awareness activities
Members were asked to describe their current security awareness activities in order to understand whether they are formal campaigns or intermittent activities. The results are shown in Figure 5 below:
Figure 5: Please describe your organisation’s security awareness activities (bar chart of the percentage of respondents for each activity: a formal programme of work; unstructured, intermittent activities; a single campaign; no security awareness activities)
Findings
Whilst half of the respondents describe their awareness activities as a formal programme of work, it is clear that the remainder have less – or no – structure for security awareness as:
• over a third of awareness projects are run as unstructured, intermittent activities
• one in six organisations have only a single campaign or no awareness activities at all.
Thus in the absence of a formal programme of work, it is likely that most security awareness activities will suffer from a lack of formal deadlines and commitments.
These findings are reinforced by data taken from the Information Security Status Survey. Figure 6 opposite shows the result of question SM2403a: Is awareness promoted using a formal awareness programme?
Figure 6: SM2403a: Is awareness promoted using a formal awareness programme? (pie chart: In all cases 14%; In most cases 26%; In about half the cases 8%; In a few cases 14%; In no case 37%; Exception 1%)
Taking together the cases where all, most or about half of awareness activities are managed using a formal awareness programme, 48% of the organisations participating in the Survey promote security awareness through formal awareness programmes. Over one half of Survey participants have little or no formal structure for their awareness activities.
Consequences
If security awareness activities are not managed as a formal programme of work, then:
• awareness programmes may not be correctly prioritised against other security activities
• the pace of delivery is not maintained due to a lack of formal deadlines and commitments.
Key Issue 1: The majority of security awareness activities are not managed as a formal programme of work.
Drivers for security awareness
Members were asked to comment on what they saw as the drivers for commencing their security awareness activities. The results are shown in Figure 7 below:
Figure 7: To what extent did the following events prompt the initiation of your security awareness activities? (bar chart of the average rating, on a scale from Very Low to Very High, for each driver: knowledge that security awareness can contribute to the overall level of security; compliance with external standards/best practice; compliance with regulatory requirements; management concern about overall levels of information security; audit or security review; result of risk analysis; many minor incidents in this organisation; major incident in this organisation; major incident in another organisation)
Findings
The results suggest that Members’ security awareness activities are most commonly influenced by ‘soft’ drivers: eg knowledge that awareness needs to be raised, either to comply with a standard, or because awareness is known to be a ‘good thing’. The ‘hard’ drivers – eg risk assessments or incidents – appear to have less influence on the need to run security awareness campaigns.
Consequences
Commencing a security awareness campaign because of a belief that awareness needs to be raised means that:
• the business case for security awareness is hard to justify because the need has not been clearly identified
• value from an awareness activity cannot easily be quantified when the problem it is intended to address is not defined.
Key Issue 2: The belief that awareness needs to be raised is the most common reason for commencing a security awareness programme.
Objective of awareness activities
Members were asked to comment on the importance of their objective for security awareness activities. The results are shown in Figure 8 below:
Figure 8: In your opinion, how important are the following objectives of your security awareness activities? (bar chart of the average rating, on a scale from 1, Very Low, to 5, Very High, for each objective: to reduce the number of security incidents; to comply with external standards/best practice; to address management concern about overall levels of information security; to comply with regulatory requirements; to satisfy the recommendations of a review; other)
Findings
The results show a broad spread of objectives, with many Members reporting several different objectives for security awareness. The objectives appear to be more tangible than the drivers for commencing awareness activities described in the previous section.
However, in the workshop sessions Members were asked whether they have a formal written objective for their awareness activities. The response suggests that only a small proportion – typically fewer than 10% – have a documented objective for their security awareness activities.
Consequences
In those cases where security awareness activities do not have a formal, documented objective:
• the purpose of the awareness programme may be unclear
• it may be hard to evaluate success since the desired outcome is unknown
• it may be difficult to determine the financial value of security awareness to the organisation
• the relationship between various security campaigns is uncertain, and their relationship with other security activities is unknown. This may cause conflict or confusion between security activities.
Key Issue 3: Very few awareness programmes have a formal, documented objective.
Sponsorship of awareness activities
In order to understand where the responsibility for awareness is perceived to rest, Members were asked who sponsors their awareness activities. The results are shown in Figure 9 below:
(pie chart: Information security management 40%; Senior business management 33%; No sponsor 16%; Other 9%; Human resources department 2%)
Figure 9: Who sponsors your awareness activities?
Findings
The results show that:
• only one third of awareness activities are sponsored by the business management
• one project in six had no sponsor at all.
SM24: Security Awareness of The Forum’s Standard of Good Practice (‘The Standard’) states that ‘Formal awareness programmes should be… supported by top management’. Anecdotal evidence from workshop attendees suggests that successful awareness programmes often have a business sponsor or significant involvement from senior business management, and that nearly all successful programmes have some sponsor.
Consequences
Without a sponsor, awareness activities are likely to suffer problems that include:
• business management are reluctant to release staff for awareness training because they have not committed to the activities
• recipients of awareness training do not appreciate the importance of security or its relevance to their roles since their line managers have not communicated the need
• the programme fails to achieve a culture change because staff do not see senior management – who may themselves have security-negative attitudes – leading that change.
Key Issue: The security management team sponsors the

Awareness topics
At each of the workshops, Members were asked what topics they cover using security awareness programmes. Whilst there were many variations on the content, there were in practice relatively few messages put out using awareness. The most popular topics and their associated awareness messages are listed in Table 4 below:

Table 4: Most common topics for security awareness campaigns

Passwords
• Do not share User IDs or passwords
• Use ‘strong’ passwords
• Don’t write passwords down

Viruses
• Beware of viruses, particularly in e-mail attachments
• Ensure that anti-virus software is installed and updated

Physical security
• Keep premises secure
• Adhere to clear desk and clear screen policies
• Take proper care of laptop computers

E-mail and Internet use
• Don’t send sensitive information over the Internet without taking suitable precautions to protect it
• Internet use must comply with corporate policies

Incident response
• Recognise security incidents
• Report security breaches

Information handling
• Classify information correctly
• Pick up printouts and faxes
Members repeatedly nominated these six categories as their chosen awareness topics. They are all characterised by relating to behaviour rather than technical controls, and are reasonably simple and straightforward. However, in many cases Members were unsure how to describe the issues in detail, or how they might explain them to non-technical users.
The mechanism used to deliver the message is also important. Figure 10 overleaf shows the responses to Survey question SM2403c (‘Is awareness promoted using specialised awareness material (eg brochures, reference cards, posters or electronic documents over the Web)?’), which asks about the use of specialised materials to promote security awareness:
[Figure 10 (pie chart): responses split between ‘In all cases’, ‘In most cases’, ‘In about half the cases’, ‘In a few cases’, ‘In no case’ and ‘Exception’; the percentages shown are 30%, 28%, 15%, 14%, 11% and 2%.]
Figure 10: SM2403c: Is awareness promoted using specialised awareness material (eg brochures, reference cards, posters or electronic documents over the Web)?
Counting the responses where all, most or about half of awareness activities are promoted using specialised awareness material, only just over half of awareness campaigns use specialised awareness materials.
Findings
Many security awareness campaigns deliver similar, repeated messages about desired security behaviour, and do not use specialised materials to deliver the message.
A lack of specialised awareness materials can lead to confusion about the desired message, and a perception of repetition, since staff will see similar messages being delivered in similar ways from campaign to campaign.
Consequences
If an awareness campaign delivers unclear or repetitive messages, then:
• staff do not understand what is expected of them – since the awareness message does not specify who should do what – and are therefore less likely to adopt the desired behaviour
• campaigns fail because staff have heard similar messages before and are no longer interested.
Key Issue: Many security awareness campaigns do not

Effectiveness of the traditional model
Members were asked to rate how effective they think their awareness activities have been, as shown in Figure 11 below:
[Figure 11 (bar chart): percentage of responses rating effectiveness as Very low, Low, Medium, High or Very high]
Figure 11: How effective do you think your security awareness activities have been?
The graph shows a disproportionately high number of Members who believe that their awareness activities have had a ‘medium’ level of effectiveness.
Findings
The results suggest that the participants’ assessment of effectiveness may be subjective, since over half rate their effectiveness as ‘medium’. This interpretation of the questionnaire results was substantiated by feedback from Members at the workshops.
Whilst Members may have methods for assessing the success of their security awareness activities, the majority agreed that they do not formally assess the effectiveness of their information security awareness activities.
Consequences
The fact that effectiveness is generally a subjective measurement is a major weakness in a security awareness programme, as:
• measurement of awareness proves little except that the individual has received the awareness messages: measurement of effectiveness proves whether the message has actually changed behaviour
• without firm evidence of effectiveness, it is difficult to justify or measure the success of awareness, and hence this can become a major obstacle to commencing an awareness programme.
Key Issue: The majority of awareness campaigns do not incorporate a mechanism for assessing their own effectiveness, but instead measure the level of security knowledge of staff.

Commitment to delivering awareness
Members reported that they frequently experience difficulties in commencing a security awareness programme, or are hindered from completing it. Some of the reported difficulties that may affect delivery of a security awareness programme are shown in Table 5 below:
Table 5: Obstacles to security awareness

Failure to make awareness part of the security team’s own objectives and appraisals
Members reported that delivery of a security awareness programme is often not included in the security team’s own objectives or appraisals. This results in a lack of personal commitment to the success of the programme when under pressure from other activities.

Staff return to their old ways – failure to ‘make it stick’
A common complaint from Members was the difficulty of ‘making the message stick’: staff briefly adopt the desired security behaviours, but then return to their previous ways. In consequence, security staff become discouraged from participating in further awareness activities.

Not enough time, money or resources
The most frequent complaint was a lack of support for security awareness, and a lack of resources or time to complete the work.
These obstacles can result in the failure of an awareness programme; but they can also prevent it from starting by leaving security staff reluctant to deal with awareness at all.
In consequence, few Members feel that they have committed sufficient time to developing and delivering awareness campaigns, as shown in Figure 12 below:
[Figure 12 (pie chart): Yes 18%; No 82%]
Figure 12: Do you feel that you have committed sufficient time to developing and implementing your awareness activities?
This statistic was reflected in anecdotal feedback from Members at the workshops, who agreed that they do not feel they have spent sufficient time on security awareness.
Findings
Delivery of an effective security awareness programme depends upon the security management team committing to the success of the programme. Four out of five Members believe that they have not committed sufficient time to their security awareness activities.
Consequences
A security function which does not receive adequate resources for security awareness is likely to focus instead on other activities that are perceived to be more important.
Key Issue: Most organisations fail to commit sufficient resources to their awareness programme.

Part 4
The need for a new awareness model

From awareness to behaviour change
Security awareness has traditionally been based around a simple model of scope, design, development and delivery of awareness campaigns, where an awareness programme may comprise two or more campaigns.
However, both the workshop research and informal discussions with Members strongly suggest that this approach is often ineffective. The challenge is to make information security awareness effective. Achieving this will require a new approach.

Influencing risk perception
The purpose of an effective security awareness programme should be to create a change in behaviour, rather than just to educate staff about what the desired behaviour should be. The traditional approach for developing awareness is usually focused on influencing an individual’s perception of risk, with an assumption that if they understand the risk involved in behaving the wrong way, then they will alter their behaviour accordingly.
However, there is a large body of research that shows people, including experts, are poor at making risk judgments even when they are given appropriate statistical information. In general, they use relatively simple thinking and reasoning rules that often lead to biased judgments.
For instance, people often use a form of thinking called availability which involves judging the probability of an event occurring in the future on the basis of how easily past instances of it occurring in the past can be brought to mind. This leads individuals to overestimate the likelihood of ‘imaginable’ events and underestimate the likelihood of those events of which they have no experience.
For example, someone who has never been victim to a computer virus is likely to underestimate the likelihood of it happening and so will be less concerned when opening an e-mail attachment file. However, had that person recently lost data to a virus then this event is likely to be readily brought to mind and so opening the e-mail attachment is perceived as more risky.
Experiences of these kinds are important in determining how people judge risks and have much more influence than the statistical facts about IT security risks that are often presented in security awareness campaigns. If people are to perceive the risks accurately then it is important that awareness campaigns take
The impact of organisation culture
Risk perception is not the only factor that will influence an individual’s behaviour. Peer pressure is also extremely important, and this will be evident in the impact of the organisation’s culture on the individual’s behaviour, as shown in Figure 13 below:
[Figure 13 (diagram): corporate culture or climate, perceptions of risk and experience of incidents all feed into behaviour]
Figure 13: Influences on individual behaviour
If an individual has a security-positive perception of risk, then it is still likely that they will behave in a security-negative way if the organisation’s culture does not value security and their peers do not behave in the desired way. Even if awareness is used to improve that perception, the culture may rapidly degrade their behaviour once the campaign is over.
A good example of this is driving too fast, where an individual may wish to obey the speed limit but all other vehicles are overtaking. Eventually the driver feels pressured to speed up, despite having a correct perception of the increased risk of doing so.
The Forum has examined the impact of organisation culture on security in a past report, Information Security Culture: A preliminary investigation, available on MX.
The value of management support
Effective security awareness must aim to create and maintain an organisational culture that encourages and supports security-positive behaviour.
Anecdotal evidence from participating Members suggests that the organisation’s management plays a key role in determining the culture. This is particularly so for security behaviour: if senior management are seen to value and reward security-positive behaviour, then staff are increasingly likely to adopt that behaviour themselves. This is also why over one-third of programmes have a business sponsor (see Figure 9), and why that sponsor can make such a valuable contribution to the programme’s success.
Reluctance to change
An additional obstacle that prevents security-positive behaviour is the natural reluctance of most people to change their existing habits. Many people naturally fear change, and will resist it even if the benefits are obvious. Therefore a security awareness programme should consider the likely reaction of people to a request to change their behaviour.
Reasons for reluctance to change may include the following:
• Self-interest: a conflict between the wishes of the individual and those of the organisation. For example, asking staff to not use the corporate e-mail for personal purposes may be in conflict with their personal goals, such as wishing to communicate with friends.
• Misunderstanding and lack of trust: many people will not understand the purpose of the awareness campaign, or even the role of the Information Security team. This may result in mistrust, and consequently people may be defensive and uncooperative.
• Different assessments of the level of risk: if an individual’s risk perception is very different from that of the security team, it may not be possible to persuade them of the actual risk level.
• Low tolerance for change: those who have either never had to change, or have just been through a period of dramatic change, may find it very difficult to accept the need to adjust their behaviour.
There is no definitive solution to any of these issues, but all must be considered when planning an awareness programme to ensure that the timing, format and contents meet with the minimum possible resistance from the recipients.
Creating security-positive behaviour
A successful security awareness campaign is one that creates desirable – security-positive – behaviour. However, the move from security awareness to security-positive behaviour requires careful management of the change in behaviour. Following a formal change management process will assist the change.
Force field analysis
One of the earliest and most widely recognised change management processes is Force Field Analysis, a technique developed by Kurt Lewin (1890-1947). Lewin’s pioneering research in social sciences is invaluable for looking at planning and implementing change.
Lewin developed the technique of Force Field Analysis for examining and changing behaviour in a given situation. Force field analysis provides a method for considering the many variables and influences that determine behaviour, and for considering the implications of these for effective change in behaviour.
Lewin’s principle is that in any situation there are both driving and resisting forces that influence behaviour, and that can be used to create change.
Driving Forces Driving Forces are typically forces that push people to behave in a particular manner. They are characterised as proactive, management-initiated actions, such as issuing security policies or implementing content management controls. Most importantly, security awareness programmes are generally driving forces, since they issue messages about what people are expected to do.
Resisting Forces Resisting Forces are those forces that prevent change or hold back driving forces. Resisting forces are often derived from the prevailing organisational culture. Examples of resisting forces include the factors described on the previous page.
The relationship between driving and resisting forces is shown in Figure 14 below:
[Figure 14 (diagram): driving forces and resisting forces acting against each other at the point of equilibrium]
Figure 14: Force fields
NOTE
A driving force might not be balanced by a similar resisting force; in practice, the balance may come from apparently unrelated forces that achieve the equilibrium state.
Equilibrium or the ‘steady state’
Kurt Lewin proposed that an organisation is not static, but is in fact in a continuous ‘steady state’ of change. Any alteration of the behaviour of the people in that organisation will require an alteration in the direction or rate of change of the organisation. An analogy for this is a river, in which the water is flowing continually, but achieving a visible change requires a change in the speed or direction of the flow.
The steady state is called the equilibrium, and is reached when the sum of the driving forces equals the sum of the resisting forces.
Most importantly, the equilibrium point can be raised or lowered by changes in the balance of the driving and resisting forces.
An example of an equilibrium situation is shown in Figure 15 below:
[Figure 15 (force field diagram). Driving forces: Testing for weak passwords; Mandatory controls in software; Security policy; Audit recommendations. Resisting forces: Users have to remember multiple passwords; Apathy; Slow response to issue or modify user profiles; Developers want superuser access. The two sets of forces balance at the equilibrium.]
Figure 15: The equilibrium state – password security
In this example the objective is to prevent use of weak passwords. The resisting forces, such as users having to remember multiple passwords, balance the driving forces, such as security policy or the recommendations of an internal audit, and so a change cannot be effected or maintained.
The importance of equilibrium
The equilibrium point determines the behaviour of individuals in a given situation. Security-negative behaviour results from the resisting forces that prevent desirable behaviour being greater than the driving forces. An example is shown in Figure 16 below:
[Figure 16 (force field diagram). Driving forces: Security policy; Audit recommendations. Resisting forces: Users have to remember multiple passwords; Apathy; Slow response to issue or modify user profiles; Developers want superuser access. The equilibrium sits on the security-negative side.]
Figure 16: Security-negative equilibrium
In this case, the driving forces are significantly less than the resisting forces, and hence the desired behaviour is not achieved. However, the typical response to this behaviour is to apply more driving force in the form of a security awareness campaign. The increased driving force has two effects:
• staff behaviour changes towards the desired behaviour whilst the driving force (the awareness programme) is applied
• staff experience increased stress as they are driven to a new behaviour whilst still being restrained by the unchanged resisting forces.
This is demonstrated in Figure 17 below:
[Figure 17 (force field diagram). Driving forces: Security policy; Audit recommendations; Awareness activities (shown three times, as a very large force). Resisting forces: Users have to remember multiple passwords; Apathy; Slow response to issue or modify user profiles; Developers want superuser access; Stress arising from awareness activities.]
The introduction of a very large driving force – the security awareness campaign – without changing the existing resisting forces has resulted in increased stress, which is itself a powerful resisting force. Therefore staff are likely to revert to their previous behaviour when the driving force is removed.
The stress experienced during the campaign may however last, and in consequence cause a greater resisting force – such as hostility and antagonism – that may result in security-negative behaviour that is worse than that prior to the campaign.
An example of changing the forces
Consider a security awareness campaign that both increases the driving force by delivering messages about desirable behaviour, and reduces resisting forces by making behaviour easier to adopt.
For example, introducing a policy that staff must wear their ID cards may meet with apathy and resistance because there is little incentive for staff to comply, as shown in Figure 18 below:
[Figure 18 (force field diagram). Driving forces: Policy: Staff must wear ID cards at all times. Resisting forces: Apathy; Ignorance of new policy; "Nothing in it for me".]
Figure 18: Introducing a new policy
If a security awareness campaign is introduced at this point, then the driving forces from that campaign will most likely be met with a resisting force in the form of stress as shown earlier in Figure 17.
However, if staff are offered cafeteria discounts for cardholders and issued with wearable cases for the cards, then the resisting forces are most likely to be diminished, since it becomes easier to carry the ID cards, and there is now a personal incentive for staff to carry the cards in the form of a cash saving.
The introduction of these new elements has diminished resisting forces, but can also increase driving forces, as shown in Figure 19:
[Figure 19 (force field diagram). Driving forces: Policy: Staff must wear ID cards at all times; Awareness campaign. Resisting forces: Apathy; Ignorance of new policy; "Nothing in it for me". New elements acting on the forces: Cafeteria discounts for cardholders; Issue wearable ID card cases.]
Figure 19: Example of changing driving and resisting forces
In this case, both the driving forces and the resisting forces have moved, and the resulting behaviour is far more likely to last, since there is now less resistance to it. The awareness campaign will be treated with less hostility or fear, since staff can see positive benefits in complying with the message.
Maintaining security-positive behaviour
The example of asking staff to wear ID cards shows how a change in the driving and resisting forces can be used to change the behaviour of individuals.
Lewin suggested that it is not enough to adjust the forces; the state of equilibrium must be unfrozen before the change can take place, and refrozen once behaviour has moved to the desired point.
This is shown in Figure 20 below:
[Figure 20 (diagram): Unfreeze existing behaviour (demonstrate the problem) -> Change to desired behaviour (adjust driving/resisting forces) -> Refreeze desired behaviour (evaluate new behaviour)]
Figure 20: Achieving behaviour change
Security awareness programmes are generally good at unfreezing: the use of anecdotal evidence of security incidents, or demonstrating security vulnerabilities and their potential impacts on the organisation if exploited, can be effective techniques to shake staff out of their current behaviours. However, awareness programmes rarely incorporate mechanisms to refreeze desired behaviours.
For example, mechanisms that would refreeze desired behaviour after the introduction of staff ID cards include:
• count the number of staff attempting to enter the building without their ID cards (and even take names)
• count the number of ‘guest’ passes issued to permanent staff
• challenge staff who attempt to ‘tailgate’ (ie follow another staff member into the building when not carrying a pass)
• introduce turnstiles at key points so that staff are forced to carry ID cards.
The most effective refreezing mechanism is assessment. If an individual knows that he/she will be constantly assessed against a certain desired behaviour, and that his/her rewards (and punishments) will be determined from that feedback, then the new desired behaviour will most likely be adopted, providing that the change has been correctly managed through the alteration of driving and resisting forces.
Measuring awareness
In the traditional approach to security awareness, if any measurement is incorporated into the campaign delivery, it mostly involves measuring what has been learned by staff. For example, Computer-Based Training (CBT) normally incorporates a questionnaire at the end of the session to rate how much the participant has learnt.
This is useful for proving that staff have completed the training and achieved a satisfactory result, particularly when this is required for regulatory purposes, ie proving that staff have received data privacy training.
However, this does not necessarily mean that the participant will then behave differently, or that if they do, that the behaviour will last for an indefinite period.
Measurement of awareness proves little except that the individual has received the awareness messages. Measurement of effectiveness proves whether the message has brought about a change in behaviour.

Part 5
Effective security awareness

What is effective security awareness?
The following definition for effective security awareness was agreed at the workshops:
Effective security awareness is achieved through an ongoing process of learning that is meaningful to recipients, and delivers measurable benefits to the organisation from lasting behavioural change.
This definition comprises four key elements, which are shown in Figure 21 below:
[Figure 21 (diagram): the definition with each of its four elements annotated]
Effective security awareness is achieved through an ongoing process of learning that is meaningful to recipients, and delivers measurable benefits to the organisation from lasting behavioural change.
• an ongoing process of learning: security awareness must be delivered through an ongoing, continuous programme of work, as opposed to a finite set of activities that stop and are not continued.
• meaningful to recipients: the key messages, tone and approach of the programme must be relevant to the audience and consistent with their values and goals. If security is perceived as a hindrance to their own personal activities, then the message will carry little meaning.
• measurable benefits to the organisation: the benefits of awareness activities must be quantifiable in order to determine value for money and whether the programme itself is successful in achieving its objectives.
• lasting behavioural change: the awareness programme should not only result in a security-positive change in behaviour, but that change should last longer than the programme itself.
Figure 21: Elements of effective security awareness
This definition is derived from the issues that were discussed in Part 3, Security awareness. The four key elements of effective security awareness are as follows:
1. Formal programme structure: a security awareness programme is most likely to succeed if it is structured as a formal programme of work, as opposed to a series of ad hoc activities, because it will have a sustained pace of delivery that
2. Meaningful messages: the key messages, tone and approach of the programme must be relevant to the audience and consistent with their values and goals: if security is perceived as a hindrance to their own personal activities, then the message will carry little meaning.
3. Measurable benefits: an effective security awareness programme should deliver a security-positive change in behaviour. That change should in turn result in a reduction in one or more of the following:
• losses arising from security-related incidents
• cost of security management
• the organisation’s overall level of risk.
All of these reductions should be quantifiable and in most cases measurable as a financial benefit to the organisation.
4. Lasting change in behaviour: the purpose of an effective security awareness programme should be to create and maintain a security-positive change in the behaviour of the recipients. If the change is not maintained, and staff revert to their previous behaviours, then the programme has not been effective.
This part of the report describes how Lewin’s theories of force field analysis can be used to develop an effective security awareness programme that meets the four criteria shown above.
A new approach to security awareness
Lewin’s technique of force field analysis provides a valuable model for considering the driving and resisting forces that influence behaviours, and for freezing desired behaviours once they are achieved.
This technique can be used to develop a new approach to security awareness, based upon the method described in How to make your organisation aware of IT security. The key differences between the traditional approach and the Lewin-based approach are the inclusion of:
• an objective-setting stage prior to commencing the scope and design of the programme
• force-field analysis within the scope and design stages
• a refreezing process within the build and execute stages to maintain the desired security-positive behaviour
• a change to measuring effectiveness in place of measuring the level of awareness.
This process, and how it maps to the traditional approach to security awareness, is shown in Figure 22 below:
[Figure 22 (diagram): the new approach alongside the old approach]
New approach:
1. Set objective for security awareness: set clear, defined objectives and goals that address the problems of security-negative behaviour
2. Scope and design security awareness programme: plan and design the programme and campaigns so that all participants understand their roles (old approach: Scope, Design)
3. Develop and deliver security awareness campaigns: create and maintain a positive change in security behaviour (old approach: Build, Execute)
4. Evaluate effectiveness of campaigns: review, revise and repeat the activities as required
Figure 22: A new approach to security awareness
This model incorporates the original process, plus two new elements: setting an objective, and evaluating success. The objective-setting process creates an overall programme and results in high-level goals, which are used to drive the individual campaigns. The evaluation stage is critical to ensure that the awareness programme has delivered its intended benefits, and to assess changes that may be required to maintain the effectiveness of the programme.
Stage One: Set objective for security awareness
The first stage of the process is to set a clear objective. This is not necessarily as simple as may first be thought; a clear, constructive objective is often hard to identify, particularly if there is any doubt about what is to be achieved. A strong objective should be derived directly from the problems to be solved, as shown in Figure 23 below:
[Figure 23 (diagram): Stage 1, Set objective for security awareness, comprises 1.1 Identify security awareness problems; 1.2 Set high-level programme objective; 1.3 Set specific campaign goals; 1.4 Define & establish campaign metrics]
1.1 Identify security awareness problems
The first stage is to identify the problems that may be addressed by a security awareness programme. By identifying the problems, the objective can be shown to address a need within the organisation.
At the workshops Members were asked to identify the problems that they try to tackle using security awareness. Whilst it was not possible to identify one problem that was most frequently addressed by security awareness, the ten most frequently nominated problems are listed in Table 6 below:
Table 6: Common problems that are addressed by security awareness

Achieving a culture change
Members reported that it is difficult to effect a cultural change or achieve a common value across the organisation where the culture does not value security.

Cultural and departmental variations
Differences across large, distributed organisations cause problems achieving consistency between departments and countries. Assessing and changing security can also be hindered in such situations.

Distributed security management
Organisations with a distributed or decentralised security function complained of the difficulties in developing and managing awareness when the team is spread across divisions and countries.

Legal and regulatory issues
Some Member organisations consider legal and privacy issues to be part of the security team’s responsibilities, and these have to be included within awareness programmes. National variations in legislation may require that campaigns are restructured for each country in which they are delivered.

Disregarding policy
Users choose to ignore policy and disregard security requirements. Management permit exceptions to security rules without considering the risk implications.

Lack of basic awareness
New members of staff often have little understanding of the organisation’s policies or their security responsibilities.

Poor systems security
A common complaint was a failure by systems development teams to comply with security development standards and hence ensure that security measures are built into applications.

Technical security issues
A key technical problem that requires an awareness fix is that of viruses, since users must be taught to not bypass controls or open ‘suspect’ files. Members also complained of users breaching perimeter security by introducing new systems (eg PDAs), software and network connections.

Justifying security
Even in organisations that recognise the need for security, there is often little perception of information as an asset, and it is hard to justify security budgets or activities in such cases.

Resistance to security
Middle and senior management are often seen as resisting security because of a lack of interest or failure to understand their own responsibilities.
NOTE
Workshop attendees found that correctly identifying the problems within their organisation that they wish to solve using security awareness took longer than they expected. This was particularly so when trying to analyse the root causes of the problems; many complained that they could not deal with the problems due to a lack of resources.
1.2 Set high-level programme objective
The success of a security awareness programme is critically dependent upon the setting of a correct objective. A clear objective is essential to write a business case or cost/benefit analysis, and to understand whether the programme has succeeded.
However, a clear objective is often hard to set; the intangible nature of many security awareness deliverables means that it can be difficult to quantify what the programme will achieve. Few Members reported having a clear written objective for their awareness programme.
When setting an objective, ensure that it:
• clearly addresses the problems that have been identified: where possible, the problem should be defined within the objective, eg ‘to reduce the number of laptop computer thefts…’
• is aligned with the organisation’s mission statement: if it clearly supports the business’ objectives, then it will be easier to justify, eg ‘to support the mission of achieving 8% revenue growth by reducing fraud-related losses…’
• is clear, well-defined, and SMART: