Archive for October, 2008

Concerns about Information Security Training and Awareness – Part 4

I need to air out one last thing about information security training and awareness. Typically, a security training and awareness course is taught, attendees listen, take notes, fill out course evaluations, and then leave. Unbelievably, a measurement of the amount of learning or skill development on the part of the attendees is seldom taken. I’ll confess that not too long ago, I taught a course on Windows security without arranging for any kind of post-hoc measurement of the amount of learning achieved, so I cannot with good conscience say that I have done better. But how can an information security practice possibly claim to have given effective training when there are no indicators other than glowing reports of success by instructors and testimonials on the part of attendees?

Concerns about Information Security Training and Awareness – Part 3

October 23rd, 2008

OK, OK, security training and awareness for senior management is an almost impossible endeavor, but that does not mean that the same obstacles are present in security training and awareness for the rest of an organization. As I have said before, I’ve had my share of experience with security training and awareness, and have accumulated several important “lessons learned” concerning successes and failures, including:

  1. Successfully conveying perceived purpose to the target audience is all important. Making whatever skills to be taught or message to be presented relevant to this audience is the difference between being able to engage and motivate them to learn or not being able to do so. Conveying perceived purpose is difficult, however, because many users use computers purely out of necessity and do not necessarily think that being unable to use their computers temporarily because of a security-related problem is such a bad thing. This is where HR can help considerably. If compliance with information security policy, standards and procedures is included among employee performance review criteria, employees are much more likely to realize that information security is important and thus are likely to be more open and receptive to security training and awareness efforts.
  2. Training and awareness must be tailored to different groups within an organization. “One size fits all” definitely does not apply to security training and awareness. Training and awareness for casual PC users needs to be radically different from training and awareness for system administrators; the same principle applies to expert system administrators versus novice system administrators. Tailoring security awareness and training to different groups is truly one of the greatest challenges for information security professionals, especially considering that training and awareness budgets are usually rather limited.
  3. Those who are trained must be held accountable. I am confident that in and of itself having a group of people come into a room and hear a presentation on information security does little good. At a minimum, requiring attendees to take a test afterwards or show hands-on that they have learned to follow a mandatory security procedure is necessary. Those who do not pass the test or practicum need to receive more training before they once again attempt to pass.
  4. Skip the theory and get down to the practical. Too often information security training and awareness consists of communicating many security platitudes, but nobody but these professionals really care about these platitudes. Those who receive security training and awareness need to learn practical things such as how to create a strong password, why it is important to avoid opening attachments and how to disconnect a network cable from a network interface card if there is reason to believe that a computer has been compromised.
  5. Training must be recurrent. We often require that all employees and contractors receive security training once every year, but psychologists say most concepts that we learn are forgotten within a matter of hours (sometimes minutes) after we are exposed to them. Following up, say with a brief individual distance learning session, two or three weeks after a group training session is imperative.

These prescriptions are by no means any kind of “silver bullet.” At the same time, however, paying attention to them could very well make your security training and awareness effort go much better than ever before.

Concerns about Information Security Training and Awareness – Part 2

I’ll continue from where I left off in my last blog entry. I’ve pointed out some problems and dilemmas associated with information security training and awareness. What are some possible solutions?

First and foremost, senior management must understand what information security training and awareness is and why it is so potentially valuable to the organization’s business. I have a strong suspicion that even some of the top information security professionals overlook the necessity of getting senior management buy-in for training and awareness. Don’t get me wrong—information security professionals have a difficult enough time trying to win senior management support for their information security programs—trying to obtain their support for parts of and initiatives within these programs is, I am sure, even more difficult. But unless senior management really understands what security training and awareness can potentially accomplish at the cost of relatively few resources, the chances of a training and awareness effort being effective diminish considerably.

Concerns about Information Security Training and Awareness – Part 1

Someone does not have to be in the field of information security very long before becoming acquainted with the long-held belief that information security training and awareness provides one of the best returns on investment of any control measures. Empirical data support this belief. To counter personnel-related security vulnerabilities from 1994 through 2002, the US Military Regional Computer Emergency Response Team (RCERT) in Europe initiated a security training and awareness effort in which users were instructed on the value of computing assets as well as the security-related risks and appropriate procedures. One important finding from the study was that training significantly reduced the time between the discovery of vulnerabilities and when they were fixed.

Reflections on California Law SB1386

California’s SB1386 statute requires (among other things) that commercial organizations promptly notify potential victims of data security breaches if such individuals are California residents. It is hard to believe that this legislation has now been in effect for over five years. What impact has the legislation had? How could its provisions be improved? What is likely to happen next?

Assessing the impact of SB1386 is not at all difficult. Simply put, this legislation has been groundbreaking; it has served as a catalyst for similar legislation in over 40 states within the US. A number of states have passed legislation that has improved on the various weaknesses and omissions within SB1386. The result has been good for the US public; prompt notification of individuals potentially affected by a data security breach ostensibly lowers the likelihood that personal and financial data will be misused by computer criminals. At the same time, however, SB1386 has not generated sufficient momentum for national data security breach notification legislation. Numerous attempts to get the US Congress to pass data security breach notification legislation have failed; opposition has primarily come from Congresspersons who are concerned that prompt notification will cause businesses to incur additional financial expenses.

Legislation Would Limit DHS’s Right to Seize Laptops

In a reaction to the US Department of Homeland Security’s recent assertion that it has the right to seize laptop computers at any US border, three US Congresspersons have introduced legislation designed to limit DHS’s power. Senators Maria Cantwell and Russ Feingold and Representative Adam Smith, all of whom are Democrats, initiated legislation named the Travelers Privacy Protection Act. The DHS currently lets customs agents seize any laptop system for as long as they need to inspect data stored therein without having to give a rationale for doing so. The laptop’s owner is also required to surrender the password if border agents demand it.

Schwarzenegger Vetoes Consumer Data Protection Act

Both the California State Senate and Assembly recently passed a bill that would have mandated that commercial organizations that conduct business within California implement controls that safeguard customer information. Additionally, the bill would have required these companies to reveal to potentially affected individuals more details concerning data security breaches in which credit and debit card information was exposed without authorization.

The Identity Theft Enforcement and Restitution Act

Although identity theft has proliferated considerably over the last decade, legislation that defines this crime and prescribes punishments for it has lagged far behind. Consequently, the likelihood that identity theft perpetrators are brought to justice has been severely reduced. Recent legislation passed by both branches of the US Congress has, however, provided some reason for optimism. Among the provisions of this legislation is one allowing identity theft victims to sue perpetrators of such crimes for restitution. This legislation abolishes the requirement that a successful identity theft attempt must amount to at least USD 5,000 in damages before criminal charges can be filed against perpetrators. Furthermore, under the provisions of this legislation, installing spyware or malicious code on more than 10 computing systems constitutes a felony. Finally, in sharp contrast to provisions in previous identity theft legislation, identity theft that does not cross interstate boundaries can now, under the provisions of this legislation, nevertheless be pursued by federal agents. This legislation now needs only to be signed by the President before it becomes law.
