Ch 17: Human Resources Security

Last updated 10:47 PM on 4/23/26

24 Terms

1

Security awareness, training, and education programs provide four major benefits to organizations:

  • improving employee behavior

  • increasing the ability to hold employees accountable for their actions

  • mitigating liability of the organization for an employee’s behavior

  • complying with regulations and contractual obligations

2

______ behavior is a critical concern in ensuring the security of computer systems and info assets.

Employee

3

What are the principal problems associated with employee behavior?

  • social engineering and phishing attacks

  • compromised/weak credentials

  • errors and omissions

  • fraud and actions by disgruntled employees

4

Security awareness, training, and education programs can assist in reducing incidences by increasing employees’ knowledge of their ______.

accountability

5

Ongoing security awareness, training, and education programs are also important in limiting an organization’s ________.

liability

6

Security awareness, training, and education programs may be needed to comply with…

regulations & contractual obligations

7

There is a need for a continuum of learning programs that starts with ____, builds to ____, and evolves into ____.

awareness, training, education

8

What are the four layers of the Learning Continuum?

  • security awareness

  • cybersecurity basics & literacy

  • role-based security training

  • security education & certification

9

security awareness

set of activities that explains & promotes security, establishes accountability, and informs the workforce of security news

10

cybersecurity basics & literacy

develop secure practices in the use of IT sources

11

role-based security training

provides knowledge & skills specific to an individual’s roles & responsibilities relative to information systems

12

security education & certification

integrates all security skills & competences of various functional specialties into a common body of knowledge

13

A successful IT security training program consists of:

  1. developing IT security policy that reflects business needs given known risks

  2. informing users of their IT security responsibilities

  3. establishing processes for monitoring & reviewing the program

14

T/F: Although all employees have security responsibilities, not all employees must have suitable security awareness training.

False; all employees must have

15

The overall objective of the organization should be to develop a security awareness program that

permeates to all levels of the organization and is successful in promoting an effective security culture

16

What are specific goals for a security awareness program?

  • providing a focal point and a driving force for a range of awareness, training, and educational activities related to information security

  • communicating important recommended guidelines or practices

  • providing general & specific info about information security risks & controls

  • motivating individuals to adopt recommended guidelines / practices

  • being driven by risk considerations

  • providing employees with an understanding of the different types of inappropriate behavior and how to avoid them

  • creating a stronger culture of security

  • helping enhance the consistency & effectiveness of existing info security controls and stimulating adoption of cost-effective controls

  • helping minimize the number and extent of breaches, reducing costs

17

What are the two options for the awareness program designer?

  • use in-house materials

  • use externally obtained materials

18

T/F: A well-designed awareness training program might have materials from only one source.

False; both sources

19

What are effective in-house materials?

  • brochures, leaflets, fact sheets

  • security handbook

  • regular e-mail or newsletter

  • distance learning

  • workshop & training sessions

  • formal classes

  • video

  • website
